Azure Sentinel Incidents

Hello,

I have Azure Sentinel deployed with about 85 analytic rules enabled. I noticed that I have several analytic rules triggering, but incidents are not coming in. I had incidents come in until yesterday, but now I don't see any incidents coming in, even though there are alerts coming in. 

7 Replies

@akhalili What 'Time Range' is your Incidents blade set to display?

@rodtrent: The blade is for the last 24 hours. I know that if I change it to 48 hours, I will see the older incidents. The issue here is that I know that there definitely should have been incidents in the last 24 hours, but there is nothing coming in. I even created a test analytic rule that would generate an incident for any logs coming in, but still no incidents.

@akhalili Wow...very strange, indeed.

What do you get back from the following?

// alerts written to the workspace in the last 24 hours, one row per alert name
SecurityAlert
| where TimeGenerated > ago(1d)
| distinct DisplayName
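The query above only shows that alerts exist. The question in this thread is which of those alerts did or did not get an incident, so the following KQL goes one step further and joins the alerts against the incidents that reference them. This is an added example, not a query from the thread or from Microsoft; it assumes the workspace has the SecurityIncident table (whose AlertIds column lists the SystemAlertId of every alert grouped into an incident) and that the alerts you care about landed in SecurityAlert within the chosen lookback.

```kql
// Added example (not part of the original thread): compare alerts from the last
// 24 hours with the incidents that reference them, and list the alert names that
// produced no incident at all. Assumes the SecurityIncident table exists in the
// workspace and that SecurityIncident.AlertIds holds SecurityAlert.SystemAlertId values.
let lookback = 1d;
// One row per alert id that appears in any incident. Incidents are written a little
// after their alerts, so look slightly further back to avoid missing the join.
let incidentAlerts =
    SecurityIncident
    | where TimeGenerated > ago(lookback + 1h)
    | mv-expand AlertId = AlertIds to typeof(string)
    | summarize arg_max(TimeGenerated, IncidentNumber, Title, Status) by AlertId;
SecurityAlert
| where TimeGenerated > ago(lookback)
// An alert can be re-emitted when its state changes; keep the latest copy only.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| join kind=leftouter incidentAlerts on $left.SystemAlertId == $right.AlertId
| extend HasIncident = isnotempty(IncidentNumber)
| summarize Alerts = count(),
            WithIncident = countif(HasIncident),
            WithoutIncident = countif(not(HasIncident))
  by ProductName, ProviderName, AlertName
| where WithoutIncident > 0
| order by WithoutIncident desc
```

How to read the result: if every alert name shows WithoutIncident > 0, incident creation is failing across the board and the problem is on the Sentinel side rather than in one rule. If only alerts from external connectors (ProductName values such as the Microsoft Defender products) lack incidents, check that the Microsoft incident-creation rules for those products are enabled, since connector alerts do not become incidents on their own. If only scheduled rules are affected, open each rule's incident settings, because a scheduled rule whose "create incidents" option is switched off still writes SecurityAlert rows, which is exactly the symptom described above.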

@akhalili Probably a silly question but could the Analytic rules have been changed to *not* create an incident, only an alert?

@rodtrent I get a bunch of alerts from the different connectors I have. This is how I figured out that alerts were coming in, but no incidents were being generated.

@Gary Bushey No, there were no changes made to any analytic rules.

@akhalili Wanted to check back. Has this resolved itself today, by any chance?