Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure Sentinel Incidents

Copper Contributor

Hello,

 

I have Azure Sentinel deployed with about 85 analytic rules enabled. I noticed that I have several analytic rules triggering, but incidents are not coming in. I had incidents come in until yesterday, but now I don't see any incidents coming in, even though there are alerts coming in. 

7 Replies

@akhalili What 'Time Range' is your Incidents blade set to display?

@Rod_Trent: The blade is for the last 24 hours. I know that if i change it to 48 hours, I will see the older incidents. The issue here is that I know that there definitely should have been incidents in the last 24 hours, but there is nothing coming in. I even created a test analytic rule that would generate an incident for any logs coming in, but still no incidents. 

@akhalili Wow...very strange, indeed.

 

What do you get back from the following?

 

SecurityAlert
| where TimeGenerated > ago(1d)
| distinct DisplayName

@akhalili Probably a silly question but could the Analytic rules have been changed to *not* create an incident, only an alert?

@Rod_Trent I get a bunch of alerts from the different connectors I have. This is how I figured out that alerts were coming in, but no incidents were being generated.

@Gary Bushey No there was not any changes made to any analytic rules.

@akhalili Wanted to check back. Has this resolved itself today, by any chance?