Palo Alto Workbooks Error / no results showing with correct configs and data logs #8893

Closed
johnB007 opened this issue Aug 28, 2023 · 6 comments
Labels
Workbook Workbook specialty review needed

Comments

@johnB007

@devikamehra
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:

  1. Go to - Microsoft Sentinel, activate Palo Alto Data Network Firewall Connector, deploy Palo Alto Workbooks (Palo Alto Overview/Network Threat) in content hub and follow all directions.
  2. Click on Workbooks and then (1) Palo Alto Overview and open.
  3. Scroll down to Web Filter, Top 5 allowed URLs, and everything below it. All say "query returned no results". All products that require data/graphs in this workbook have been verified on network. (2nd workbook) Palo Alto Network Threat: the entire workbook has "query returned no results" except the Top correlation events section at the bottom.
  4. See error: "query returned no results" with attached screenshots

Expected behavior
Both workbooks show all graphics, data, etc in each section as all products have licenses and confirmed in logs and setup correctly per connectors.

Screenshots
See attached

Desktop (please complete the following information):

  • OS: WIN 11 , 22H2
  • Browser Edge
  • Version 118.0.2060.0

Smartphone (please complete the following information):

  • Device: NA
  • OS: NA
  • Browser NA
  • Version NA

Additional context

Several other customer environments, including the Microsoft demo environment, reproduce the exact same behavior and result, with no graphics or data in both workbooks.


@github-actions
Contributor

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-rbajaj v-rbajaj self-assigned this Aug 29, 2023
@v-rbajaj v-rbajaj added the Workbook Workbook specialty review needed label Aug 29, 2023
@v-sudkharat v-sudkharat self-assigned this Aug 29, 2023
@v-sudkharat
Contributor

Hi @johnB007, thanks for flagging this issue, we will soon get back to you on this. Thanks!

@v-sudkharat
Contributor

  1. Hi @johnB007, please run the below query in your workspace and share the results to check for the Activity, DeviceEventClassID, DeviceAction details.

  2. As the query for web filter is on activity as threat that must be the reason the data is not rendering, please check for the activity type for your data by below query, thanks.

CommonSecurityLog
| where DeviceProduct has 'PAN-OS'
| where DeviceVendor =~ 'Palo Alto Networks'
| distinct Activity, DeviceEventClassID, DeviceAction

@johnB007
Author

johnB007 commented Sep 5, 2023

@v-sudkharat - I ran the query and it doesn't have threat for activity type but wildfire is active with the license and showing in wildfire GUI. Some data is shown in the workbooks but a majority is not. Not sure why Threat would populate in "some places" in workbook, with some graphics/data but not the rest. If you have an explanation or if the workbook needs updating, it would be most helpful. Thanks.

@v-sudkharat
Contributor

Hello @johnB007, we are checking this issue, and we will get back to you. Thanks.

@johnB007
Author

johnB007 commented Sep 7, 2023

Further inspection, break / inspect on logs isn't formatted thus no wildfire alerts/logs

@johnB007 johnB007 closed this as completed Sep 7, 2023