Microsoft Tech Community

Cases not being created when rules fire


I have a handful of rules that I've created with the intention of creating cases. I know that they're firing because I get email notifications. However, I'm not seeing cases generated, nor is the alert counter incrementing in the Overview dashboard, or anywhere else for that matter.

 

My intention is to write a bulletproof procedure for creating a test alert. Has anybody out there already written one? I'm not sure if the query is where I'm going wrong, if I'm getting the alert configuration wrong or if I've stumbled upon a bug... or if there's something I've overlooked.

3 Replies

@PeterSchawacker

@Ofer_Shezaf: Perhaps this may be related to the previous topic of "Default Sentinel Overview dashboard widgets indicate no data. Where is the query for the map".

 

@Valon_Kolica This seems to be completely different. Maybe an example of an email notification where the alert is failing to create a case would work. I have hundreds of them. Here's one:

 

[Images: Copy of NotificationSample11.png, Copy of NotificationSample12.png]

Here are the alert configs...

[Image: configs.png]

@Valon_Kolica and @Ofer_Shezaf, I'm pretty sure user error is at issue here. (Just a hunch.) What am I doing wrong? I'd be grateful for your advice.

 

Peter
