
Anomaly found in Network Session Traffic Analytics Rule Generating Blank Incidents

Open NickNicolaou2129 opened this issue 1 year ago • 12 comments

Describe the bug

To Reproduce
When running the "Anomaly found in Network Session Traffic" rule, it does not load any query results; this is because we have so much data coming in that it cannot read it all back. Even if I set the lookback to 1 second, it still does not load any data: [screenshot]

This results in incidents being created that are empty because the query cannot load the data: [screenshot]

Expected behavior
We expect to see the incident information appear when it is generated.

NickNicolaou2129, Feb 19 '24 15:02

Hi @NickNicolaou2129, thanks for flagging this issue. We will investigate it and get back to you with some updates by 26-02-2024. Thanks!

v-sudkharat, Feb 20 '24 04:02

Hi @NickNicolaou2129, could you please run the query shared below (query.txt) once and check the result? If the query does not show any result, then please check the data availability in the table NetworkCustomAnalytics_protocol_CL.

Thanks!

v-sudkharat, Feb 26 '24 09:02
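Two checks a practitioner can run in the workspace to separate "the table is missing" from "the table is too large for the rule's lookback", written here as an added example rather than the maintainer's query.txt (which is not reproduced in the thread); the 1d and 7d windows are assumptions, and the rule's own lookback may differ.

```kql
// Added example (not from the thread). Check 1: does the custom table the rule depends on
// exist and hold rows in the lookback window? `union isfuzzy=true` returns an empty result
// instead of a "does not refer to a known table" error when the table is absent.
let lookback = 1d;   // assumed window
union isfuzzy=true NetworkCustomAnalytics_protocol_CL
| where TimeGenerated > ago(lookback)
| summarize RowCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)

// Check 2 (run separately): daily ingested volume in MB for that table, from the workspace
// Usage table. Very large daily totals are consistent with the rule's query being unable
// to read the whole window back, which is what leaves the incidents empty.
Usage
| where TimeGenerated > ago(7d)
| where DataType == "NetworkCustomAnalytics_protocol_CL"
| summarize IngestedMB = sum(Quantity) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
```

If check 1 returns RowCount of 0 the rule has nothing to alert on in that window; if it returns rows but the rule still produces blank incidents, check 2 shows how much data the rule's query has to scan per run.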

Hi @NickNicolaou2129, we are waiting for your response on the above comment. Thanks!

v-sudkharat, Feb 28 '24 10:02

Hi @v-sudkharat, NetworkCustomAnalytics_protocol_CL does not refer to a known table: [screenshot]

NickNicolaou2129, Feb 29 '24 13:02

Hi @NickNicolaou2129, could you please check that the rule is compliant with the given required data sources? [screenshots]

Thanks!

v-sudkharat, Mar 01 '24 08:03

Hi,

Yes, it is compliant; otherwise the incident would not trigger in the first place.

Many thanks, Nicholas


NickNicolaou2129, Mar 01 '24 08:03

@NickNicolaou2129, we will check on it and, if required, will schedule a call for it. Thanks!

v-sudkharat, Mar 01 '24 08:03

Hi @NickNicolaou2129, can we have a call? We need a few more details about the incident. Thanks!

v-sudkharat, Mar 11 '24 12:03

Hi @NickNicolaou2129, hope you're doing well. As you have raised a support case for this same issue, our team is working on your ticket. Could you please let us know whether we can close this issue on GitHub, as the other team is checking on it? Thanks!

v-sudkharat, Mar 14 '24 08:03

Hi, I would like to keep this GitHub ticket. I have just sent you the documents you requested from me in yesterday's call. Let me know if you have any further news, thanks!

NickNicolaou2129, Mar 14 '24 09:03

@NickNicolaou2129, sure. We will check it from our end and update you. And please let us know if you get an update on this from our support team. Thanks!

v-sudkharat, Mar 14 '24 09:03

Hey @NickNicolaou2129, our support team is still working on this issue and will communicate with you for the required details. Thanks!

v-sudkharat, Mar 20 '24 10:03

Hi @NickNicolaou2129, as the ICM is raised for this issue, this is a duplicate issue. Please let me know if any work needs to be done and we will reopen it; closing as per process. We will discuss in detail in tomorrow's call.

v-muuppugund, Apr 10 '24 15:04