TiIndicators not showing up in ThreatIntelligenceIndicator Logs


It seems that around July 2nd, 7/2/2020, 9:17:26.272 PM UTC, all of our custom TiIndicators stopped showing up in our ThreatIntelligenceIndicator logs. All of the logic apps are running successfully and POSTing to the SecGraphApi - with the correct responses. We can also send a GET to the API with the newly created TiIndicator ID and verify that the indicator exists. When searching the logs we are not seeing anything, however.
 
The indicators retrieved by the built in TAXII data connector are still in the logs.
 
We have tested this with the standard POST method to the API as well as the new MS Graph Security - Create TiIndicator/Create Multiple TiIndicator actions in the LogicApps. We have also tested in a separate tenant.
 
18 Replies

@JBUB_Arbala 

 

Not sure who put this fix in, but we are seeing positive results now in both tenants. Nothing changed on our end. Any post-fix info would be great. Thanks again MS Sentinel Team!


@JBUB_Arbala : While we monitor for issues and try to preempt, I do recommend opening a support ticket in such a case. Whether instead of or in addition to a community post. While the community interaction is lively and quite fast, if something disrupts your service, we want to make sure we resolve it as soon as possible.


@Ofer_Shezaf Thank you Ofer =)

 

We have opened a ticket and I can confirm it is broken again. 3 separate tenants and the last threat intel entry that shows up in the logs is on the 10th. The logic apps run and I can return threat intel, but it's just not in the logs for use in analytic rules. 

 

I encourage others to check their logs and make sure their rules are working. Or at least be aware log entries are missing.  
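A per-source freshness check for the symptom described in this thread (custom indicators stop arriving while TAXII indicators keep flowing), added here as an example and not posted by any participant. It assumes the standard `TimeGenerated` and `SourceSystem` columns of the `ThreatIntelligenceIndicator` table; the 14-day window and the 50% threshold are arbitrary starting values.

```kql
// Added example: flag indicator sources that have gone silent or dropped
// well below their own recent baseline. A table-wide row count would hide
// this failure, because healthy sources keep the total above zero.
let lookback = 14d;   // assumption: baseline window
let recent   = 1d;    // assumption: window that counts as "now"
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| summarize
    LastIngested = max(TimeGenerated),
    RecentRows   = countif(TimeGenerated > ago(recent)),
    BaselineRows = countif(TimeGenerated <= ago(recent))
  by SourceSystem
// Average rows per day over the baseline part of the window.
| extend BaselinePerDay = BaselineRows / ((lookback - recent) / 1d)
| extend Status = case(
    RecentRows == 0,                    "silent",
    RecentRows < 0.5 * BaselinePerDay,  "degraded",
    "ok")
| where Status != "ok"
| project SourceSystem, Status, LastIngested, RecentRows, BaselinePerDay
| order by LastIngested asc
```

A source with no rows anywhere in the lookback window does not appear in the result at all, so keep the window longer than the longest outage you want to catch.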


@JBUB_Arbala - Can you please send me the link to the support ticket? We would need the Tenant ID and Workspace ID in order to investigate the issue further. 


@JBUB_Arbala 

We are experiencing the same issues. I have logged a MS support ticket. Waiting for them to find a resolution.


@MalliBoppe - Can you please provide the support ticket link? We would need the workspace id and tenant id to further investigate the issue.


This issue should now be resolved. Please let me know if you still see the issue persisting. 

Thank you! We received notice yesterday that there was an ongoing issue. I will update in a few days.

@JBUB_Arbala 

We experienced the same issue and on the same date. I already opened a support ticket with Microsoft support. But they haven't yet identified that there was an issue.


@majo01 : The issue is now resolved. Are you still seeing the issue persisting? 

Please make sure that the TIP Connector in Sentinel is turned on.


@RijutaKapoor The ticket number is 120070623000858


@RijutaKapoor 

 

We are still seeing this issue.  It works for a few days then breaks again. I have attached an image with our baseline. You can see when the issue starts to ramp up and then totally stop.


@JBUB_Arbala  - Can you please confirm if the TIP Connector is enabled for you? Are you also using the TAXII Data connector? 


@JBUB_Arbala  - Also, can we get on a quick call to investigate and explain the issue?


@RijutaKapoor Yes, we have TIP and TAXII enabled. Among many other sources. I can send you my number in messages.


@RijutaKapoor I think the issue has been resolved now. I was told by the MS engineer that the issue impacted the Australia region.


@MalliBoppe - Yes the issue was affecting Australian customers and now it has been resolved.