Forum Discussion
alexandrub
Mar 24, 2020 Copper Contributor
Azure Sentinel false positive incidents due to duplicate logs in SigninLogs
Hello, I've been searching for a way to fix this for the last 2 weeks but I couldn't find anything that works. We have recently deployed Azure Sentinel, and we're getting frequent false positive ...
CliveWatson
Mar 25, 2020 Silver Contributor
Hi alexandrub
1. I can see the duplicates - so will ask about why that is. Obviously you can use a summarize or distinct to remove them.
2. That Incident query makes use of multiple summarize operators and (for me, doing a simple test) that removes the duplicates. Just to confirm, the full unaltered query using your data shows duplicates?
Thanks Clive
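An added KQL example (not from this thread, and not the query of any built-in Sentinel rule) of the two things Clive suggests: confirming that duplicate rows really are present, and collapsing them before any count that feeds an incident. It runs against a constructed `datatable` standing in for `SigninLogs`, so it works in any Log Analytics workspace without real data; the column names (`Id`, `UserPrincipalName`, `ResultType`, `IPAddress`, `AppDisplayName`) follow the `SigninLogs` schema, and the assumption is that `Id` uniquely identifies one sign-in event so that rows sharing an `Id` are ingestion duplicates:

```kql
// Constructed sample standing in for SigninLogs (not real tenant data):
// each sign-in event has been ingested twice, so every Id appears on two rows.
let SampleSigninLogs = datatable(
    TimeGenerated:datetime, Id:string, UserPrincipalName:string,
    ResultType:string, IPAddress:string, AppDisplayName:string)
[
    datetime(2020-03-24T08:00:00Z), "evt-0001", "user@contoso.example", "0",     "203.0.113.10", "Office 365 Exchange Online",
    datetime(2020-03-24T08:00:00Z), "evt-0001", "user@contoso.example", "0",     "203.0.113.10", "Office 365 Exchange Online",
    datetime(2020-03-24T08:05:00Z), "evt-0002", "user@contoso.example", "50126", "198.51.100.7", "Office 365 Exchange Online",
    datetime(2020-03-24T08:05:00Z), "evt-0002", "user@contoso.example", "50126", "198.51.100.7", "Office 365 Exchange Online"
];
// Step 1 (the check): how many copies of each sign-in event are present.
// Against a real workspace, replace SampleSigninLogs with SigninLogs and add a time window.
let DuplicateReport = SampleSigninLogs
    | summarize Copies = count() by Id
    | where Copies > 1;
// Step 2 (the fix): keep exactly one row per Id. arg_max keeps the latest copy and,
// through "*", all of its columns, so the dedup works even when the copies differ in TimeGenerated.
let Deduplicated = SampleSigninLogs
    | summarize arg_max(TimeGenerated, *) by Id;
// Step 3: the same failed-sign-in count an analytics rule would do, once on the raw rows
// and once after dedup. ResultType "0" is a successful sign-in; anything else is a failure.
let RawCount = SampleSigninLogs
    | summarize FailedSignins = countif(ResultType != "0") by UserPrincipalName
    | extend Source = "raw";
let DedupCount = Deduplicated
    | summarize FailedSignins = countif(ResultType != "0") by UserPrincipalName
    | extend Source = "deduplicated";
RawCount
| union DedupCount
| order by Source asc
```

On the sample this returns `FailedSignins = 2` for the raw rows and `1` after deduplication, which is the kind of inflation that pushes a threshold-based rule over its limit. `DuplicateReport` is defined but not selected as the final expression; swap it in as the last line to run the check instead. Two caveats: `distinct *` only removes rows that are identical in every column, so if the copies differ in `TimeGenerated` (for example, when ingestion time is used) keying on `Id` is the safer choice; and the dedup step has to sit above the `summarize` that produces the count in the analytics rule, not after it.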
alexandrub
Mar 25, 2020 Copper Contributor
Hello,
Thanks for your quick response. I would love to get rid of the duplicates in the table without having to use summarize/distinct to filter them out. From what I've read in the Azure documentation, I've noticed that it's quite difficult to avoid duplicates and using summarize and/or distinct is a common workaround. Do you think this is the same case here?
For the second topic, I'm not sure what to answer here. I did notice that some Incident queries use summarize, but I'm not exactly sure if the built-in incident queries are validated in order to treat/get rid of duplicates.