Forum Discussion
akshay250692
Aug 10, 2022 (Brass Contributor)
Playbook is not running
Hi Team, please help me resolve this issue. We have created one playbook for outbound traffic to ThreatIntel. But after some time it gives a blank Excel sheet. Before that it provided results 2-3 times...
GaryBushey
Aug 10, 2022 (Bronze Contributor)
I take it you are trying to do a union with 5 different Microsoft Sentinel instances? Those unions are not cheap in terms of processing and will take a long time to run, since you are getting all the information and then doing a filter. I would suggest filtering the data on each union command so that only the information you need is actually being sent with the union command.
akshay250692
Aug 11, 2022 (Brass Contributor)
Could you rewrite my query so I can understand it easily? I will apply it to get the result.
- Clive_Watson Aug 11, 2022 (Bronze Contributor)
As you don't summarize the results returned, you could be getting 100-30k rows per workspace, which takes time and isn't easily human readable.
Maybe reduce the results using a bin or arg_max (in the investigation you may have to get the specific time range), but for the alert this should be good enough to get focus on the rough time and details.
e.g. Add one of these lines:
..
| where Computer !in (deviceIP)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// use this
| summarize count(), make_set(SourceIP) by Computer, DeviceAction, bin(CommonSecurityLog_TimeGenerated,1d)
//or maybe this
//| summarize count(), make_set(SourceIP), arg_max(CommonSecurityLog_TimeGenerated, Computer) by DeviceAction
- akshay250692 Aug 11, 2022 (Brass Contributor)
Where do we have to add these lines? The expression is failing.
- Clive_Watson Aug 11, 2022 (Bronze Contributor)
Here you can see the two lines above the arrow that match your query; then you can add either of my suggestions where the arrow is. Later lines will fail, as the columns needed won't be there, so for testing you should remove the lines after the join.
I'd do some testing with a reduced set of KQL, something like this, to get this section optimized:
let deviceIP = dynamic(['fakeComputer']);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" //and Activity =~ "traffic"
| where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
//| where DeviceCustomString5 in~ ("outside","Outside","Outside-ISP2", "untrust", "PRISMA_INSIDE")
| where Computer !in (deviceIP)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// use this
//| summarize count(), make_set(SourceIP) by Computer, DeviceAction, bin(CommonSecurityLog_TimeGenerated,1d)
//or maybe this
| summarize count(), make_set(SourceIP), arg_max(CommonSecurityLog_TimeGenerated, Computer) by DeviceAction
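Putting GaryBushey's advice (filter each workspace before the union) and Clive_Watson's advice (summarize instead of returning raw rows) together, here is an added example that is not from the thread. It assumes the five workspace names are placeholders, that the ThreatIntel side of the playbook is a ThreatIntelligenceIndicator lookup matching NetworkIP against DestinationIP, and that the Palo Alto filters are the ones from Clive's snippet.

```kusto
// Added example, not code from the thread. Placeholders: workspace names.
// Assumption: the TI match is ThreatIntelligenceIndicator.NetworkIP == DestinationIP.
let lookback = 7d;
let deviceIP = dynamic(['fakeComputer']);   // devices to exclude (placeholder value)
// Apply the narrow filter to ONE workspace's table and keep only the columns needed,
// so each leg of the union ships a small projected row set instead of the raw table.
let PanOutbound = (T:(*)) {
    T
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
    | where DeviceAction !in ("reset-both", "deny", "reset-server", "reset-client")
    | where Computer !in (deviceIP)
    | project TimeGenerated, Computer, DeviceAction, SourceIP, DestinationIP, TenantId
};
// Latest version of each active, unexpired IP indicator (assumed TI table schema).
let ActiveIoC = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where Active == true and ExpirationDateTime > now() and isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IoC_IP = NetworkIP, ThreatType, ConfidenceScore;
// Filtering happens inside each union leg; isfuzzy keeps the query running if one
// workspace is unreachable or does not have the table.
union isfuzzy=true
    PanOutbound(workspace("WORKSPACE-1-PLACEHOLDER").CommonSecurityLog),
    PanOutbound(workspace("WORKSPACE-2-PLACEHOLDER").CommonSecurityLog),
    PanOutbound(workspace("WORKSPACE-3-PLACEHOLDER").CommonSecurityLog),
    PanOutbound(workspace("WORKSPACE-4-PLACEHOLDER").CommonSecurityLog),
    PanOutbound(workspace("WORKSPACE-5-PLACEHOLDER").CommonSecurityLog)
// Match outbound destinations against the indicator list.
| join kind=inner ActiveIoC on $left.DestinationIP == $right.IoC_IP
// Collapse to one row per workspace/device/action/destination/day so the
// playbook's export stays small and readable; TenantId identifies the workspace.
| summarize Hits = count(),
            SourceIPs = make_set(SourceIP, 50),
            LastSeen = max(TimeGenerated),
            MaxConfidence = max(ConfidenceScore)
    by TenantId, Computer, DeviceAction, DestinationIP, ThreatType, bin(TimeGenerated, 1d)
| order by Hits desc
```

Run it with one workspace leg first to confirm the column names match your CommonSecurityLog and TI schema, then add the remaining legs.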