Data Stream not found in Data Views

sakib3833 · October 21, 2022, 5:14pm

I use Microsoft Defender Endpoint integration to collect logs. The agent installed perfectly and the other ID and secret key put accordingly.
In the Index management section it shows that it creates Data Stream.

But in Data Views section, I couldn't find the Data Stream and eventually I wasn't able to navigate any MS defender endpoint data in Discover Section.

Previously I did the same process for MS365 Defender log. That works fine.
So I am not sure what exactly the issue is. Any suggestions?
Thank you.

andrewkroh · October 27, 2022, 2:22pm

If you run this in the Dev Tool console in Kibana, do you have any indices?

GET _cat/indices/*microsoft_defender*?v

The data stream exists when the integration is setup, but the indices are not created until some data is generated. So if there are no indices yet then I would check the logs for the Agent to see if there are any errors relating to microsoft_defender.

You can check the logs for the Agent in Kibana with a query for data_stream.dataset:"elastic_agent.filebeat" .

system · November 24, 2022, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index not found in Logs Elasticsearch	3	169	January 30, 2024
Integrate Microsoft Defender with Elastic Elastic Security	3	234	April 24, 2024
No agents under endpoint or host section in security Endpoint Security fleet	2	607	March 17, 2022
Security overview doesn't show any data Elastic Security	6	617	November 4, 2022
ElasticAgent not creating new index Elastic Agent	2	191	November 15, 2023

Data Stream not found in Data Views

Related topics