JBUB_Accelerynt
Jul 07, 2020

TiIndicators not showing up in ThreatIntelligenceIndicator Logs

It seems that around July 2nd, 7/2/2020, 9:17:26.272 PM UTC, all of our custom TiIndicators stopped showing up in our ThreatIntelligenceIndicator logs. All of the logic apps are running successfully and POSTing to the SecGraphApi - with the correct responses. We can also send a GET to the API with the newly created TiIndicator ID and verify that the indicator exists. When searching the logs we are not seeing anything, however.
 
The indicators retrieved by the built-in TAXII data connector are still in the logs.

We have tested this with the standard POST method to the API as well as the new MS Graph Security - Create TiIndicator/Create Multiple TiIndicator actions in the LogicApps. We have also tested in a separate tenant.
 
  • majo01

    JBUB_Accelerynt 

    We experienced the same issue and on the same date. I already opened a support ticket with Microsoft support, but they haven't yet identified that there was an issue.

    • RijutaKapoor (Microsoft)

      majo01 : The issue is now resolved. Are you still seeing the issue persisting? 

      Please make sure that the TIP Connector in Sentinel is turned on.

      • JBUB_Accelerynt

        RijutaKapoor

        We are still seeing this issue. It works for a few days then breaks again. I have attached an image with our baseline. You can see when the issue starts to ramp up and then totally stop.

  • JBUB_Accelerynt 

     

    Not sure who put this fix in, but we are seeing positive results now in both tenants. Nothing changed on our end. Any post-fix info would be great. Thanks again MS Sentinel Team!

    • Ofer_Shezaf (Microsoft)

      JBUB_Accelerynt : While we monitor for issues and try to preempt, I do recommend opening a support ticket in such a case, whether instead of or in addition to a community post. While the community interaction is lively and quite fast, if something disrupts your service, we want to make sure we resolve it as soon as possible.

      • JBUB_Accelerynt

        Ofer_Shezaf Thank you Ofer 😃

         

        We have opened a ticket and I can confirm it is broken again. 3 separate tenants and the last threat intel entry that shows up in the logs is on the 10th. The logic apps run and I can return threat intel, but it's just not in the logs for use in analytic rules. 

         

        I encourage others to check their logs and make sure their rules are working. Or at least be aware log entries are missing.  
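
An added example, not part of any post in this thread: a per-source ingestion check of the kind the last post recommends, which flags a feed whose rows fall off and then stop while another feed stays healthy. The source labels, daily counts and thresholds are constructed for illustration; in practice the counts would come from a daily summary of the ThreatIntelligenceIndicator logs.

```python
from datetime import date, timedelta
from statistics import median


def ingestion_health(daily_counts, start, end, baseline_days=7, drop_ratio=0.5):
    """Classify each indicator source as ok / degraded / stopped.

    daily_counts maps source -> {date: rows ingested that day}; days with
    no rows may be absent. `end` is the last complete day in the window.
    """
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    report = {}
    for source, counts in daily_counts.items():
        series = [counts.get(d, 0) for d in days]
        baseline = median(series[:baseline_days])
        threshold = baseline * drop_ratio
        # Walk back from the newest day to find where the current
        # sustained drop began (stays None if the newest day is healthy).
        i = len(series)
        while i > baseline_days and series[i - 1] < threshold:
            i -= 1
        drop_start = days[i] if i < len(series) else None
        seen = [d for d, c in zip(days, series) if c > 0]
        if drop_start is None:
            status = "ok"
        elif series[-1] == 0:
            status = "stopped"
        else:
            status = "degraded"
        report[source] = {"status": status, "baseline": baseline,
                          "drop_start": drop_start,
                          "last_seen": seen[-1] if seen else None}
    return report


# Constructed sample: a custom feed that ramps down and stops, and a
# TAXII feed that keeps arriving. Labels and numbers are hypothetical.
START, END = date(2020, 6, 24), date(2020, 7, 7)
_custom = [120, 118, 125, 119, 121, 117, 122, 50, 15, 0, 0, 0, 0, 0]
SAMPLE = {
    "custom-graph": {START + timedelta(n): c for n, c in enumerate(_custom) if c},
    "taxii": {START + timedelta(n): 500 for n in range(14)},
}

if __name__ == "__main__":
    for source, finding in ingestion_health(SAMPLE, START, END).items():
        print(source, finding)
```

Alerting on `status != "ok"` per source catches the case described in the thread, where the table as a whole still receives rows and only one feed has gone silent.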
