cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Some Windows events are not being analyzed

mesaqee
Copper Contributor

‎Mar 15 2021 08:32 AM

‎Mar 15 2021 08:32 AM

Some Windows events are not being analyzed

We are seeing "Some Windows events are not being analyzed" health alert getting generated and auto-closed in our tenant. Would like to understand what the threshold is for windows events passing a sensor. The Microsoft documentation available here (https://docs.microsoft.com/en-us/defender-for-identity/health-alerts#some-windows-events-are-not-bei...) does not provide a clue. Hoping to get an answer soon! @Eli Ofek Any ideas are appreciated!

Preview file
24 KB
2,844 Views
1 Like
2 Replies
Reply
2 Replies
best response confirmed by mesaqee (Copper Contributor)
Eli Ofek

‎Mar 15 2021 09:13 AM

‎Mar 15 2021 09:13 AM

Solution

Re: Some Windows events are not being analyzed

@mesaqee For now, the alert trigger is a certain percentage of events loss.

The number is not really that important also because it can change without notice, we see it as implementation detail. We are also experimenting with ML code that (if eventually works well) will alert for each customer in a different way.

 

The main take from this alert is that you are losing detection data, and that's need to be fixed.

The main thing to check is that your spec is in line with what was estimated in the sizing tool, if it's not, fix it first... them make sure you are optimized  correctly as described in the docs (power plan, Hyper threading, VM resource reservation etc). Once you have covered all those "basics", go with a support ticket. for some cases additional resources might be needs on top of the sizing tool estimation due to traffic/data mix. The support engineer also has additional telemetry that can be checked from the backend that might give more clues...

0 Likes
Reply
mesaqee

‎Mar 15 2021 09:25 AM

‎Mar 15 2021 09:25 AM

Re: Some Windows events are not being analyzed

Thanks for a quick response! Will check what sizing tool has to say further around this.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by mesaqee (Copper Contributor)
Eli Ofek

‎Mar 15 2021 09:13 AM

‎Mar 15 2021 09:13 AM

Solution

Re: Some Windows events are not being analyzed

@mesaqee For now, the alert trigger is a certain percentage of events loss.

The number is not really that important also because it can change without notice, we see it as implementation detail. We are also experimenting with ML code that (if eventually works well) will alert for each customer in a different way.

 

The main take from this alert is that you are losing detection data, and that's need to be fixed.

The main thing to check is that your spec is in line with what was estimated in the sizing tool, if it's not, fix it first... them make sure you are optimized  correctly as described in the docs (power plan, Hyper threading, VM resource reservation etc). Once you have covered all those "basics", go with a support ticket. for some cases additional resources might be needs on top of the sizing tool estimation due to traffic/data mix. The support engineer also has additional telemetry that can be checked from the backend that might give more clues...

View solution in original post

0 Likes
Reply