Sentinel analytics health #9170
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
Hi @shipothana, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 11-10-2023. Thanks! |
Hi @shipothana, based on the issue description, we are sharing the query -
Hope this helps, |
Hi, thanks for sharing the query! |
Hi @shipothana, just want to know, did the above shared query work for you? |
Working for me, but I want to know the query for which use cases have not triggered an incident in the last 90 days. |
Hi @shipothana, thanks for sharing your response, we are checking the KQL query, and we will update you by 13-10-2023. Thanks! |
Hi @shipothana, we are sharing the query in which
if you want more details for use cases (AlertName), please refer to the below query -
Thanks! |
Hi, thanks for sharing the query! |
Hi @shipothana, all the incidents that are triggered are saved under the SecurityIncident table. Could you please explain which use cases are not triggering? |
Hi, RunningRAT request parameters |
Hi @shipothana, thanks for sharing the use cases with us, we are investigating the issue, and we'll let you know by 18-10-2023. Thanks! |
Hi @shipothana, we are working on the KQL query, and we will update you by 20-10-2023. Thanks! |
Hi @shipothana, could you please check the below query and let us know if you got the result. We have different use cases in our workspace.
|
Thanks for your query. I'm looking for details of Sentinel use cases that have triggered no incident. |
Hi @shipothana, thanks for your response, we will check the query and share it with you. Thanks! |
Hi @shipothana, thank you for being with us. Could you please run the below KQL query in your workspace and let us know if you got the result you are expecting. Actually, we have different use cases in our workspace.
Please let us know if the issue persists so that we can set up a call. Thanks! |
Please set up a call.
From: v-sudkharat ***@***.***>
Sent: Friday, October 27, 2023 2:59 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Sivaramakrishna, Pothana ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Sentinel analytics health (Issue #9170)
Hi @shipothana<https://github.com/shipothana>, thank you for being with us. Could you please run the below KQL query in your workspace and let us know if you got the result you are expecting. Actually, we have different use cases in our workspace.
SecurityAlert
| join kind=fullouter (SecurityIncident) on Status
| where TimeGenerated > ago(90d)
// IsIncident is a bool column; comparing it to the string "True" fails type checking in KQL
| where IsIncident == true
| project IncidentNumber, AlertName, AlertSeverity, TimeGenerated, Description, Title
Please let us know if the issue persists so that we can set up a call.
Thanks!
|
Hi @shipothana, could you please let us know a convenient time so that we can set up a call. Thanks! |
Hi @shipothana, We are waiting for your response. Thanks! |
Hi |
@shipothana, could you please share your mail id with us, so we can send a meeting invitation? Thanks! |
I am free now please send me the meeting invite: Pothana.Sivaramakrishna@alcon.com |
Hi @shipothana, we sent an invite, please check. Thanks |
Hi @shipothana, could you please run the below query and check whether you got the expected results.
We tested this query in our workspace, in which an analytic rule is created but we disabled incident creation for query testing. After running the query, we got the analytic rule which was created but did not trigger an incident. Earlier, the same analytic rule had triggered an incident. Thanks! |
Hi @shipothana, could you please have a look at the above comment and share your response with us? Thanks! |
Hi,
Still not working as expected.
Regards
Siva Pothana
Senior SOC Engineer ,IT Security Service Operations
Alcon Laboratories (India) Private Limited
|
@shipothana, what result did you get after running the below query?
Could you please share the query result with us? Thanks! |
Hi @shipothana, could you please share a screenshot of the issue you are facing? Please let us know if you are still getting the same issue. Thanks! |
Hi @shipothana, could you please check the above mentioned steps and update whether the issue is resolved or not? |
Hi @shipothana, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 22-11-2023, we will be closing this issue. |
Thanks for supporting us! Could you please elaborate on the SOC Handbook solution for Microsoft Sentinel? |
Hi @shipothana, sure, we are pleased to elaborate on the SOC Handbook solution. With reference to the solution description, the SOC Handbook Microsoft Sentinel solution is a collection of resources designed to assist SOC analysts. These resources help analysts gain a better understanding of the security status of an organization's resources at any given time. For example, the SOC Handbook solution includes an We hope this provides a satisfactory answer to your question. If you are facing any issue in that workbook, please let us know, so we can connect via call. It would be helpful for us to understand the issue. Thanks! |
Hi @shipothana, could you please have a look at the above comment and share your response with us? Thanks! |
Hi @shipothana, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 28-11-2023, we will be closing this issue. |
Hi @shipothana, since we have not received a response in the last 5 days, we are closing your issue #9170 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation. |
Hi,
Please provide me with KQL queries for no incidents triggered in the last 90 days in the incident tab.
Thanks,
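One way to get the list this issue asks for (use cases, keyed by AlertName, whose alerts in the last 90 days never became an incident, which is also the situation the maintainers describe testing with incident creation disabled on a rule), as an added example that is not code from this thread or from the Azure-Sentinel repo. It assumes the standard SecurityAlert/SecurityIncident schema (SystemAlertId, AlertIds) and that scheduled analytics rule alerts carry ProviderName "ASI Scheduled Alerts".

```kql
// Added example (not from this issue thread or the Sentinel maintainers).
// Goal: scheduled analytics rules (use cases, keyed by AlertName) whose
// alerts in the last 90 days never became an incident, e.g. because
// incident creation is disabled on the rule.
let lookback = 90d;
// Every alert id that any incident in the window references.
// SecurityIncident rows are snapshots of each update, so dedupe the ids.
let incidentAlerts =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | mv-expand AlertIds to typeof(string)
    | project AlertId = AlertIds
    | distinct AlertId;
SecurityAlert
| where TimeGenerated > ago(lookback)
// Assumed provider value for Sentinel scheduled analytics rules.
| where ProviderName == "ASI Scheduled Alerts"
// leftanti keeps only alerts whose id appears in no incident.
| join kind=leftanti incidentAlerts on $left.SystemAlertId == $right.AlertId
| summarize AlertCount = count(),
            FirstAlert = min(TimeGenerated),
            LastAlert = max(TimeGenerated)
    by AlertName, AlertSeverity
| order by LastAlert desc
```

A rule that raised no alert at all in the window leaves no row in SecurityAlert or SecurityIncident, so it cannot appear here; that inventory has to come from the rule definitions themselves rather than from the log tables.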