Forum Discussion
Duplicate incidents created by NRT rule
- Jan 13, 2023
Disabling and enabling the rule worked for me.
Also experiencing the same thing with NRT MFA Rejected by User and NRT New access credential added to Application or Service Principal. Seems to have started since the 3rd Jan for us; there can be one or two entries in Log Analytics but there will be an alert firing every minute for over an hour. As a temp solution we added grouping for 12 hours because last week we had ~150 incidents generated for one event. Tried looking for some kind of change that may have occurred in GitHub but not seeing anything obvious. Why are NRTs suddenly firing repeat alerts on the same historical logs?
Note the timeframe vs created time, this is because the logs are the same.
- AO53KWAsdf, Jan 11, 2023, Copper Contributor
I had the same issue, see https://github.com/Azure/Azure-Sentinel/issues/7062