Mar 15 2021 08:32 AM
We are seeing "Some Windows events are not being analyzed" health alert getting generated and auto-closed in our tenant. Would like to understand what the threshold is for windows events passing a sensor. The Microsoft documentation available here (https://docs.microsoft.com/en-us/defender-for-identity/health-alerts#some-windows-events-are-not-bei...) does not provide a clue. Hoping to get an answer soon! @Eli Ofek Any ideas are appreciated!
Mar 15 2021 09:13 AM
@mesaqee For now, the alert trigger is a certain percentage of events loss.
The number is not really that important also because it can change without notice, we see it as implementation detail. We are also experimenting with ML code that (if eventually works well) will alert for each customer in a different way.
The main take from this alert is that you are losing detection data, and that needs to be fixed.
The main thing to check is that your spec is in line with what was estimated in the sizing tool; if it's not, fix it first. Then make sure you are optimized correctly as described in the docs (power plan, Hyper-Threading, VM resource reservation etc.). Once you have covered all those "basics", go with a support ticket. For some cases additional resources might be needed on top of the sizing tool estimation due to traffic/data mix. The support engineer also has additional telemetry that can be checked from the backend that might give more clues...
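The answer above gives a checklist (compare the host spec with the sizing-tool estimate, then verify power plan, Hyper-Threading and VM resource reservation) without showing how to collect those facts from the sensor host. The script below is an added example and is not code from the thread or from Microsoft: it gathers the basics on one sensor host so they can be compared with your own sizing-tool output. It assumes the sensor runs as a Windows service named "AATPSensor" (verify the name with Get-Service on your host), that the active power plan's display name contains "High performance" (locale-dependent), and that the VM-detection strings are a heuristic, not an authoritative list.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the Defender for Identity sensor host and compare the output with
# what the sizing tool estimated for this domain controller.

# Service name is an assumption; confirm it with: Get-Service | Where-Object Name -like '*Sensor*'
$SensorServiceName = 'AATPSensor'

$cpu = Get-CimInstance -ClassName Win32_Processor
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem

$physicalCores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$logicalCpus   = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$memoryGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

# More logical processors than physical cores means Hyper-Threading (or SMT) is on.
$hyperThreading = $logicalCpus -gt $physicalCores

# Heuristic VM detection from manufacturer/model strings (assumption: common hypervisors only).
$isVm = ($cs.Manufacturer -match 'VMware|Microsoft Corporation|Xen|QEMU|innotek|Nutanix') -or
        ($cs.Model -match 'Virtual')

# Active power plan; the docs call for the High performance plan.
# powercfg prints e.g. "Power Scheme GUID: 8c5e...  (High performance)".
$planLine = (powercfg /getactivescheme) -join ' '
$highPerfPlan = $planLine -match 'High performance'

# 60-second sample of CPU and memory pressure while the sensor is running.
$cpuSamples = (Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                          -SampleInterval 5 -MaxSamples 12).CounterSamples
$avgCpu  = [math]::Round(($cpuSamples | Measure-Object -Property CookedValue -Average).Average, 1)
$peakCpu = [math]::Round(($cpuSamples | Measure-Object -Property CookedValue -Maximum).Maximum, 1)
$freeMB  = [math]::Round((Get-Counter -Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue)

$sensor = Get-Service -Name $SensorServiceName -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    Host               = $env:COMPUTERNAME
    IsVirtualMachine   = $isVm
    PhysicalCores      = $physicalCores
    LogicalProcessors  = $logicalCpus
    HyperThreadingOn   = $hyperThreading
    MemoryGB           = $memoryGB
    AvailableMemoryMB  = $freeMB
    AvgCpuPercent60s   = $avgCpu
    PeakCpuPercent60s  = $peakCpu
    ActivePowerPlan    = $planLine
    HighPerformancePlan = $highPerfPlan
    SensorServiceState = if ($sensor) { $sensor.Status } else { 'not found' }
}
$report | Format-List

# Flag the items the answer says to fix before opening a ticket.
$findings = @()
if (-not $highPerfPlan) { $findings += 'Power plan is not High performance (powercfg /setactive SCHEME_MIN).' }
if ($hyperThreading)    { $findings += 'Hyper-Threading appears enabled; the sensor docs recommend disabling it.' }
if ($isVm)              { $findings += 'Host is a VM; confirm CPU and memory are reserved for it on the hypervisor.' }
if ($avgCpu -gt 80)     { $findings += "Average CPU over 60 s is $avgCpu%; compare cores against the sizing-tool estimate." }
if (-not $sensor)       { $findings += "Service '$SensorServiceName' not found; check the sensor service name." }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No basic issues found; gather this output for the support ticket.' }
```

Only the power plan can be changed from this script's output (`powercfg /setactive SCHEME_MIN` selects the built-in High performance plan); Hyper-Threading and VM reservations are BIOS/hypervisor settings, so the script reports them rather than changing anything. Keep the printed report alongside the sizing-tool result when you open the support ticket.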