Slow performance after connected to multi threat feeds


Hi folks,

I understand the Threat Intelligence connector is still in (Preview) mode. However, I would like to share my experience with slow performance / unstable workbooks.

I have connected 10 feeds from Limo (Anomali). After 24 hrs, I can see 61k feed events, which is something normal. After that, I could not query, run a workbook or edit the configurations; I was seeing errors in the dashboards. I ended up deleting my Log Analytics workspace and shifting to a new instance.

Please let me know how to avoid such a thing in the future.

Thank you :smile:

2 Replies

@nafejeries

Hi, when did you have the issue? Was it about 24 hrs ago (yesterday morning)?

As you have deleted the workspace, it's hard to help, but did you get an access denied or was the data missing?

Thanks


@Clive Watson Hi
It was around the afternoon. No, not access denied:

- showing "Error" in the workbooks

- configuring analytics rules was slow

- writing some KQL was taking long, +40 seconds, then I stopped it.

Simply, it was a performance issue, and that was my lab.

Simply, my configurations were:

1- connect to 10 feeds from Limo Anomali, using the STIX connector; around 61k log alerts from these feeds within 24 hrs

2- enable most of the analytics rules for TI, most of them to run every 1 hour over logs from 14 days.

The Engineering team can replicate this config and see :)
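An added diagnostic query (not from either poster) for sizing the situation described above: it measures how many indicators each feed wrote into the ThreatIntelligenceIndicator table per day over the same 14-day window the hourly TI rules were scanning, and how many of them are still active. Column names follow the standard Sentinel ThreatIntelligenceIndicator schema; the lookback and the per-day threshold are assumptions for illustration.

```kusto
// Added example, not part of the original thread.
// Per-feed, per-day indicator volume over the window the analytics rules query,
// split into still-active vs. expired indicators so the effective matching set
// can be compared against raw ingestion. Threshold value is an assumption.
let lookback = 14d;                 // matches the 14-day rule window in the post
let perDayThreshold = 10000;        // assumed: flag feeds ingesting more than this per day
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| summarize
    Indicators  = count(),
    StillActive = countif(Active == true and ExpirationDateTime > now()),
    Expired     = countif(ExpirationDateTime <= now()),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by SourceSystem, Day = bin(TimeGenerated, 1d)
| extend HeavyFeed = Indicators > perDayThreshold
| order by Day desc, Indicators desc
```

Rows with HeavyFeed set, or a large Expired share, point at feeds whose volume the hourly rules are paying for without gaining current indicators.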