Some sign-in logs are missing.

stianhoydal · ‎Jul 15 2021

Greetings, I have a technical question about log gathering in Sentinel.

I am currently setting up an alarm for when there has been attempted more than 5 login attempts for users against the azure portal. I have then gone ahead and failed the login 5 times for a user and can see these logs in AAD sign-in logs.

However, in Azure Sentinel sign-in logs i have only 3 events of this happening. Not 5, so the alarm wont go off. Is there some setting i need to tweak for it to send over all the logs and not just parts of it?

stianhoydal · ‎Jul 15 2021

Have you written this yourself, or used one of the Github examples, like this one? https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/Sec...

If you have 3 rows, its likely the other two rows of data are delayed, or the query needs altering to detect them, can you share the query?

stianhoydal · ‎Jul 16 2021

It seems they were, as you said, delayed.

stianhoydal · ‎Jul 15 2021

Have you written this yourself, or used one of the Github examples, like this one? https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/Sec...

If you have 3 rows, its likely the other two rows of data are delayed, or the query needs altering to detect them, can you share the query?

View solution in original post

Some sign-in logs are missing.

Some sign-in logs are missing.

Re: Some sign-in logs are missing.

Re: Some sign-in logs are missing.

Re: Some sign-in logs are missing.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Some sign-in logs are missing.

Some sign-in logs are missing.

Re: Some sign-in logs are missing.

Re: Some sign-in logs are missing.

Re: Some sign-in logs are missing.