This article covers troubleshooting the Microsoft Sentinel Destination.
Troubleshooting
Issue: Sentinel shows no data in a custom table, but the data collection rule (DCR) metrics show bytes received.
Possible Causes:
- Using the wrong stream name in the URL field for the Destination will cause Sentinel to drop events due to a schema mismatch
Potential Resolutions:
- Confirm the stream name and URL are correctly entered
Issue: Fields are missing in Sentinel when searching the data.
Possible Causes:
- Fields may be mismatched or are not being sent out of Cribl Stream
Potential Resolutions:
- Confirm fields are being sent out by doing a data capture at stage 4 (before the destination)
- Check field types match the expected schema (eg: Common Security Log); for example, make sure a field is set as a number and not a string by looking at the symbol next to the field if that is the expected type