Azure Sentinel Hunting Livestream


Hello Community,

We are working on a custom Hunting Query in Azure Sentinel based on failed logins by an expired account. The query runs properly, but when we try to add it to Livestream, we noticed that the query pauses by itself after some time.

[Screenshot: Francesco47_0-1583485580045.png]

In Microsoft Docs we found that a query added to Livestream is supposed to run until it is stopped intentionally. Could you please tell us how to solve this issue?

Thank you for your support!

1 Reply

@Francesco47 Could you post the query so we can take a look at it and make sure there are no thresholds built into it?


Additionally, the Live Stream session will continue unless you sign out of the Azure portal. So, an active Azure portal session is also required.
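The poster's query was never shared in this thread, so the following is an added example, not the original poster's query and not code from Microsoft's documentation, of the kind of hunting query the thread is about. It assumes the failed logons arrive as Windows Security event 4625 in the SecurityEvent table (rather than Azure AD SigninLogs) and uses the standard Windows NTSTATUS values 0xC0000193 (account expired) and 0xC0000071 (password expired); which of those the poster's query actually matches is an assumption here.

```kusto
// Added example (not the poster's query): failed Windows logons whose
// status or sub-status says the account itself has expired.
// Assumes the workspace ingests Windows Security events into SecurityEvent.
// Assumed NTSTATUS codes (standard Windows values, not taken from this thread):
//   0xC0000193 = STATUS_ACCOUNT_EXPIRED   (account expiration date has passed)
//   0xC0000071 = STATUS_PASSWORD_EXPIRED  (different condition, listed for contrast)
let lookback = 1d;
let expiredAccount  = "0xc0000193";
let expiredPassword = "0xc0000071";
SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4625
// The code can appear in either field depending on the logon path, so check both.
| where Status =~ expiredAccount or SubStatus =~ expiredAccount
// Keep this as a per-event result: no summarize/count threshold, so every
// matching failure surfaces on its own instead of waiting for N of them.
| project TimeGenerated, Computer, Account, TargetUserName, TargetDomainName,
          LogonType, LogonTypeName, IpAddress, WorkstationName, Status, SubStatus
| extend AccountCustomEntity = Account,
         HostCustomEntity    = Computer,
         IPCustomEntity      = IpAddress
| order by TimeGenerated desc
```

The reply above asks specifically about thresholds built into the query. A variant that ends in `| summarize count() by Account | where count_ > 5` is exactly that kind of built-in threshold: a single expired-account failure would then produce no row at all, which is easy to mistake for the query having stopped. For a hunting query that is meant to stream individual events, keep the per-event shape shown here and apply any aggregation or threshold in a separate analytics rule instead.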