Azure-Sentinel
Playbook is not running.
Hi Team,
Please help me to resolve this issue. We have created one playbook for outbound traffic to ThreatIntel. But after some time it started giving a blank Excel sheet. Before, it provided results 2-3 times a week, but now we have not been getting any output from this playbook for a long time. If we run this query, the message shows "The query couldn't be processed in less than 10 minutes, which might happen when large volumes of old data are retrieved. Try running the query again". This is scheduled on a daily basis.
Please find query for this.
```kql
// Firewalls listed in the watchlist are excluded from the traffic side below.
let deviceIP = (_GetWatchlist('manufacturingFirewalls') | project SearchKey);
ThreatIntelligenceIndicator
| where ExpirationDateTime > now()
| where Active == true
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
// Pick the indicator IP: NetworkIP first, then NetworkDestinationIP,
// and fall back to NetworkSourceIP only when no IP has been chosen yet.
| extend entity_threat_IP = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend entity_threat_IP = iff(isempty(entity_threat_IP) and isnotempty(NetworkSourceIP), NetworkSourceIP, entity_threat_IP)
| join (
    // Seven days of PAN-OS traffic logs from all workspaces, allowed sessions
    // on the external zones only.
    workspace(".....").CommonSecurityLog
    | union
        workspace("....").CommonSecurityLog,
        workspace("..........").CommonSecurityLog,
        workspace("...........").CommonSecurityLog,
        workspace("..........").CommonSecurityLog
    | where TimeGenerated > now() - 7d
    | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" and Activity =~ "traffic"
    | where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
    | where DeviceCustomString5 in~ ("outside", "Outside", "Outside-ISP2", "untrust", "PRISMA_INSIDE")
    | where Computer !in (deviceIP)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
) on $left.entity_threat_IP == $right.DestinationIP
// Keep only traffic seen after the indicator was ingested and before it expires.
| where CommonSecurityLog_TimeGenerated > TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
| project
    TrafficTimestamp = CommonSecurityLog_TimeGenerated,
    SourceIP,
    SourceTranslatedAddress,
    Source_Port = strcat(SourcePort),
    SourceUserName,
    DestinationIP,
    Destination_port = strcat(DestinationPort),
    ApplicationProtocol,
    Firewall_Action = DeviceAction,
    Packets = DeviceCustomNumber2,
    Rule = DeviceCustomString1,
    Firewall = Computer,
    IOC_Tag = Tags,
    IOC_Expiration = ExpirationDateTime,
    IOC_Source = Description
```
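The timeout message in the post is the Log Analytics query time limit, and the query above feeds the join seven days of firewall traffic from five workspaces before any indicator matching happens. The following is an added example, not the original poster's query or Microsoft content, showing the same correlation restructured so the large table is filtered by the indicator IP list before the join. The workspace names `WORKSPACE-A` and `WORKSPACE-B`, the one-day traffic lookback (the playbook runs daily), the 90-day indicator window and the `ti`, `ti_ips` and `traffic` variable names are assumptions for illustration.

```kql
// Added example (not from the original issue): pre-filter the traffic side of the
// TI correlation before joining. Workspace names, the 1d lookback and the 90d
// indicator window are assumptions for illustration.
let lookback = 1d;                       // playbook runs daily, so scan only the new day
let deviceIP = (_GetWatchlist('manufacturingFirewalls') | project SearchKey);
// 1. Build the indicator set once. Re-ingested indicators are collapsed to their latest
//    copy by IndicatorId, and materialize() evaluates the set once for both uses below.
let ti = materialize(
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(90d)     // assumption: bound the indicator scan as well
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend entity_threat_IP = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | extend entity_threat_IP = iff(isempty(entity_threat_IP) and isnotempty(NetworkSourceIP), NetworkSourceIP, entity_threat_IP)
    | where isnotempty(entity_threat_IP)
    | project entity_threat_IP, TI_TimeGenerated = TimeGenerated, ExpirationDateTime, Tags, Description
);
// 2. Just the IP column, used as an in() filter against the firewall logs.
let ti_ips = ti | distinct entity_threat_IP;
// 3. Read only the firewall rows that can possibly match an indicator. The in() filter
//    is what shrinks the join input; the zone and action filters are the original ones.
let traffic =
    union
        workspace("WORKSPACE-A").CommonSecurityLog,
        workspace("WORKSPACE-B").CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" and Activity =~ "traffic"
    | where DestinationIP in (ti_ips)
    | where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
    | where DeviceCustomString5 in~ ("outside", "Outside-ISP2", "untrust", "PRISMA_INSIDE")
    | where Computer !in (deviceIP)
    | project CommonSecurityLog_TimeGenerated = TimeGenerated, SourceIP, SourceTranslatedAddress,
              SourcePort, SourceUserName, DestinationIP, DestinationPort, ApplicationProtocol,
              DeviceAction, DeviceCustomNumber2, DeviceCustomString1, Computer;
// 4. Join the small indicator set (left) to the already-reduced traffic set (right).
ti
| join kind=inner (traffic) on $left.entity_threat_IP == $right.DestinationIP
| where CommonSecurityLog_TimeGenerated > TI_TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
| project
    TrafficTimestamp = CommonSecurityLog_TimeGenerated,
    SourceIP, SourceTranslatedAddress,
    Source_Port = tostring(SourcePort),
    SourceUserName, DestinationIP,
    Destination_port = tostring(DestinationPort),
    ApplicationProtocol,
    Firewall_Action = DeviceAction,
    Packets = DeviceCustomNumber2,
    Rule = DeviceCustomString1,
    Firewall = Computer,
    IOC_Tag = Tags,
    IOC_Expiration = ExpirationDateTime,
    IOC_Source = Description
```

Two design points. First, the shorter lookback trades coverage for time: traffic that predates an indicator's ingestion by more than a day is no longer re-checked, so if late-arriving indicators matter, widen `lookback` rather than dropping the `in (ti_ips)` filter. Second, when a query like this still runs long, time each leg separately in Log Analytics (`traffic | count`, `ti | count`) to see which side is doing the work before tuning the join.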
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
@Akshay250692 - Can you please elaborate on your issue? When you run the same query in an Azure Logic App, are you not getting results?
yes
Hi @Akshay250692, Thank you for flagging this. Apologies for the delayed response. If you still need assistance on this, please reply here within 5 business days. Thanks
Hi @Akshay250692, Since we have not received a response in the last 7 days, we are closing your issue per our standard operating procedures. If you still need support for this issue you can re-open the PR at any time. If you do re-open, we simply request that you ensure the PR has a response to the last request. Thank you for your cooperation.