stianhoydal
Jul 15, 2021
Brass Contributor
Some sign-in logs are missing.
Greetings, I have a technical question about log gathering in Sentinel.
I am currently setting up an alarm for when there have been more than 5 login attempts for users against the Azure portal. I have then gone ahead and failed the login 5 times for a user and can see these logs in the AAD sign-in logs.
However, in the Azure Sentinel sign-in logs I have only 3 events of this happening, not 5, so the alarm won't go off. Is there some setting I need to tweak for it to send over all the logs and not just part of them?
- CliveWatson
Microsoft
Have you written this yourself, or used one of the Github examples, like this one? https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml
If you have 3 rows, it's likely the other two rows of data are delayed, or the query needs altering to detect them. Can you share the query?
- stianhoydal
Brass Contributor
It seems they were, as you said, delayed.
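As an added example, not posted by anyone in this thread: the kind of Sentinel analytics rule query described above, written against the SigninLogs table (the linked GitHub rule uses SecurityEvent, which is Windows event data, not AAD sign-ins). The threshold, lookback and "Azure Portal" app filter are assumptions; the lookback is deliberately wider than the rule's run frequency so rows that arrive late, as happened here, are still counted, and the query reports the observed ingestion lag so delayed data can be recognised rather than mistaken for missing events.

```kql
// Added example: alert when a user has more than 5 failed Azure portal sign-ins.
// Assumptions: SigninLogs comes from the Azure AD data connector; the rule is
// scheduled every 10 minutes, so the lookback is set wider (1h) to absorb delay.
let threshold = 5;
let lookback = 1h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                     // "0" is a successful sign-in
| where AppDisplayName == "Azure Portal"      // assumed app filter for the portal
| summarize FailedAttempts = count(),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated),
            // how long after the event Sentinel actually received the row;
            // a large value here explains "missing" rows in a short window
            MaxIngestionLag = max(ingestion_time() - TimeGenerated),
            SourceIPs      = make_set(IPAddress, 10),
            ResultTypes    = make_set(ResultType, 10)
    by UserPrincipalName
| where FailedAttempts > threshold
| extend AccountCustomEntity = UserPrincipalName
```

Running the summarize without the final threshold filter is a quick way to compare the counts Sentinel sees with the AAD sign-in blade before tuning the rule.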