Forum Discussion
akhalili
Jul 08, 2020 (Copper Contributor)
Azure Sentinel Incidents
Hello, I have Azure Sentinel deployed with about 85 analytic rules enabled. I noticed that I have several analytic rules triggering, but incidents are not coming in. I had incidents come in until...
akhalili
Jul 08, 2020 (Copper Contributor)
Rod_Trent: The blade is for the last 24 hours. I know that if I change it to 48 hours, I will see the older incidents. The issue here is that I know that there definitely should have been incidents in the last 24 hours, but there is nothing coming in. I even created a test analytic rule that would generate an incident for any logs coming in, but still no incidents.
- GaryBushey, Jul 08, 2020 (Bronze Contributor)
akhalili Probably a silly question but could the Analytic rules have been changed to *not* create an incident, only an alert?
- akhalili, Jul 08, 2020 (Copper Contributor)
GaryBushey No, there were not any changes made to any analytic rules.
- Rod_Trent, Jul 08, 2020 (Microsoft)
akhalili Wow...very strange, indeed.
What do you get back from the following?
SecurityAlert
| where TimeGenerated > ago(1d)
| distinct DisplayName
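A follow-up check for the symptom described in this thread, added here as an example and not posted by any participant: it lists alerts from the last day that no incident references, which separates "rules are not firing" from "alerts fire but no incident is created". It assumes the workspace's SecurityIncident table is populated; the 7-day incident lookback is an arbitrary choice to catch alerts grouped into older incidents.

```kql
// Added example: alerts in the last 24 hours that are not attached to any incident.
let alertLookback = 1d;
let incidentLookback = 7d;   // assumption: wide enough to cover alert grouping into older incidents
// Every alert ID referenced by an incident record in the lookback window.
let incidentAlertIds =
    SecurityIncident
    | where TimeGenerated > ago(incidentLookback)
    | mv-expand AlertId = AlertIds to typeof(string)
    | distinct AlertId;
SecurityAlert
| where TimeGenerated > ago(alertLookback)
// Keep one row per alert in case the same alert was logged more than once.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// leftanti keeps only alerts with no matching incident reference.
| join kind=leftanti incidentAlertIds on $left.SystemAlertId == $right.AlertId
| summarize OrphanAlerts = count(), LastSeen = max(TimeGenerated) by DisplayName, ProviderName
| order by OrphanAlerts desc
```

Rows returned here are alerts without an incident; an empty result alongside an empty SecurityAlert query means the rules produced no alerts in the window at all.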