Are you seeing logs in the Sentinel workspace? If so, it's possible that everything is configured correctly except the data connector. The Sophos connector has a parser to ensure the data is parsed so that it can be easily leveraged in Microsoft Sentinel workbooks and other features. The data connector depends on the parser, which is based on a Kusto Function, to work as expected. Can you check if you have installed the Kusto Function for this data connector at SophosEPEvent?
If you've already done this, you can also confirm the following:
- Check that the workspace ID and shared key are correct. I noticed in your screenshot that they seem to be getting stripped?
- Make sure the API Access URL and Header are copied correctly from Sophos Central.
- Confirm that the Azure Function app is running and that there aren't any errors or warnings in the Azure Portal logs.
- Verify that the logs are being sent to the correct Log Analytics table.
Let me know if this helps and if you still face this issue.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let me know if you have further questions.
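A local check for the first bullet in the answer above, added here as an example; it is not part of the original answer or the connector's own code. It assumes the function app sends logs through the Log Analytics HTTP Data Collector API, that the workspace ID is a GUID and that the shared key is base64 for 64 bytes; the function names and sample values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample values, not real credentials.
SAMPLE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()  # 88 chars, ends in "=="


def check_workspace_settings(workspace_id, shared_key):
    """Return a list of problems with the two app settings (empty = plausible)."""
    problems = []
    if workspace_id != workspace_id.strip() or shared_key != shared_key.strip():
        problems.append("leading or trailing whitespace")
    if not GUID_RE.match(workspace_id.strip()):
        problems.append("workspace ID is not a GUID")
    try:
        # validate=True rejects lost padding and non-alphabet characters
        key = base64.b64decode(shared_key.strip(), validate=True)
    except (binascii.Error, ValueError):
        problems.append("shared key is not valid base64")
    else:
        if len(key) != 64:  # assumption: workspace keys decode to 64 bytes
            problems.append(f"shared key decodes to {len(key)} bytes, expected 64")
    return problems


def build_authorization(workspace_id, shared_key, body_len, rfc1123_date):
    """Build the Data Collector API Authorization header from the same values."""
    string_to_sign = (
        f"POST\n{body_len}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(
        base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256
    ).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


if __name__ == "__main__":
    print(check_workspace_settings(SAMPLE_ID, SAMPLE_KEY))              # intact
    print(check_workspace_settings(SAMPLE_ID, SAMPLE_KEY.rstrip("=")))  # padding stripped
    print(check_workspace_settings(SAMPLE_ID, SAMPLE_KEY[:44]))         # truncated
```

A truncated key can still be valid base64, which is why the decoded length is checked separately: such a key signs requests without any local error, and the mismatch only shows up when the workspace rejects the signature.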