
Excessive number of failed connections from a single source (ASIM Network Session schema) default analytics rule -- results contain no src IP address

Open mbell85 opened this issue 1 year ago • 0 comments

Describe the bug
The analytics rule "Excessive number of failed connections from a single source (ASIM Network Session schema)" is giving me results that contain a count with no source IP addresses listed. I have deployed the ASIM parsers and other analytics rules are working as expected.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Azure Sentinel and configure the analytics rule (after deploying ASIM parsers).
  2. Wait for the analytics rule to generate an alert and then click on the results. For more details, click on "Link to LA" under event overview.
  3. See issue.

Expected behavior
Expect to be able to see the source IP which is causing the count to go over the programmed threshold limit.

Screenshots
(screenshot: count-no-source)

mbell85, Jun 26 '24 17:06
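A triage query a defender could run to check whether the parser itself is returning an empty SrcIpAddr for failed sessions, which would explain a count with no source IP. This is an added example, not code from the issue or from the Azure-Sentinel repository; it assumes the built-in `_Im_NetworkSession` unifying parser with its `eventresult` filter parameter and the ASIM `SrcIpAddr`, `EventVendor` and `EventProduct` fields.

```kql
// Added example, not part of the issue: count failed network sessions per
// vendor/product and how many of them arrive with no SrcIpAddr.
// Assumes the _Im_NetworkSession unifying parser and its eventresult parameter.
_Im_NetworkSession(starttime=ago(1d), endtime=now(), eventresult="Failure")
| summarize
    FailedSessions = count(),
    MissingSrcIp   = countif(isempty(SrcIpAddr))
    by EventVendor, EventProduct
| extend MissingPct = round(100.0 * MissingSrcIp / FailedSessions, 1)
| order by MissingSrcIp desc
```

A vendor/product row with a high MissingPct points at the source-specific parser not populating SrcIpAddr for that log source, rather than at the analytics rule's own logic.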