Apr 30 2020 11:07 PM
Hi folks,
I understand Threat Intelligence connector is still in (Preview) mood. however, I would like to share my experience with slow performance/ unstable workbooks.
I have connected 10 feeds from Limo (Anomali), after 24hrs, I can see 61k feed events. which is something normal. after that, I could not query, run a workbook or edit the configurations, I was seeing error in the dashboards. I end up deleting my log-analytics workspace and shift to new instance.
Please let me know how to avoid such thing in the future.
Thank you
May 01 2020 02:51 AM
Hi, when did you have the issue, was it about 24hrs ago (yesterday morning)?
As you have deleted the workspace, its hard to help but did you get an access denied or was the data missing?
Thanks
May 01 2020 04:58 AM
@CliveWatson Hi
It was around after-noon. No, not access denied,
- showing "Error" in the workbooks
- configuring analytics rules slow
- writing some KQL was taking long, +40 seconds, then I stopped it.
simply, It was a performance issue and that was my lab.
Simply, my configurations were:
1- connect to 10 feeds from Limo Anomali, using the STIX connector, around 61k log alerts from these feeds within 24hrs
2- enable most of the analytics rules for TI, most of them to run every 1 hours for logs from 14 days.
The Engineering team can replicate these config and see :)