Mar 24 2020 - last edited on Apr 08 2022
Hello, I've been searching for a way to fix this for the last 2 weeks but I couldn't find anything that works.
We have recently deployed Azure Sentinel, and we're getting frequent false positive incidents. While investigating that, I've noticed that in the SigninLogs table, some entries are duplicated, and this triggers some rules, for example rules related to "Multiple failed authentication" or "Multiple password reset attempts".
I've checked the duplicated rows and they have the exact same values in all columns, so not exactly sure how to proceed from here. I'd like to get rid of the duplicates first, instead of having to apply a workaround to all the Analytics rules we have in place.
I'd also like to mention that the rules we have enabled are the built-in ones provided by Microsoft.
One example would be the one below.
Any ideas on how to proceed from here?
Mar 25 2020 04:31 AM
1. I can see the duplicates - so will ask about why that is. Obviously you can use a summarize or distinct to remove them.
2. That Incident query makes use of multiple summarize operators and (for me, doing a simple test) that removes the duplicates. Just to confirm, the full unaltered query using your data shows duplicates?
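As an added example, not from the thread, the following KQL shows the summarize/distinct approach in practice: it reports both the raw failed-sign-in row count and the count after collapsing duplicates on the sign-in's unique Id, so the inflation caused by duplicated rows is visible per user. It assumes the standard SigninLogs schema; the lookback window and threshold are assumed values.

```kql
// Added example: failed-authentication count that is not inflated by duplicated SigninLogs rows.
// Assumed values: 1h lookback, 5 failures per user/IP as the alert threshold.
let lookback = 1h;
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType "0" is a successful sign-in; anything else is a failure.
| where ResultType != "0"
// Each Azure AD sign-in carries a unique Id, so counting distinct Ids collapses
// rows that were ingested more than once. (An exact alternative is
// "| distinct Id, UserPrincipalName, IPAddress" followed by count().)
| summarize RawRows = count(),
            UniqueFailures = dcount(Id),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            ResultTypes = make_set(ResultType)
    by UserPrincipalName, IPAddress
// DuplicateRows > 0 shows how many extra copies the table holds for that user/IP pair.
| extend DuplicateRows = RawRows - UniqueFailures
// Alert on the de-duplicated count, not on the raw row count.
| where UniqueFailures >= threshold
| order by UniqueFailures desc
```

Running it without the final `where` clause is a quick way to check whether the duplicate rows are what is pushing users over the built-in rules' thresholds.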
Mar 25 2020 04:56 AM