Cannot use join KQL for Analytics Rules #9484

Closed
jeffrywu28 opened this issue Nov 27, 2023 · 6 comments
Comments

@jeffrywu28

Describe the bug
Why can't I use detection rules that correlate with a ThreatIntelIndicator join table?

To Reproduce
Steps to reproduce the behavior:

  1. Go to Analytics Rules
  2. Create analytics rules
  3. Use the query:

```kql
_Im_NetworkSession
| where ipv4_is_private(SrcIpAddr) == False
| where SrcIpAddr !in ("127.0.0.1", "::1")
| summarize
    AttemptedPortsCount = dcount(DstPortNumber),
    AttemptedPorts = make_set(DstPortNumber),
    ReportedBy = make_set(strcat(EventVendor, "/", EventProduct)),
    LastTimeGenerated = max(TimeGenerated)
    by SrcIpAddr
| where AttemptedPortsCount > PortScanThreshold
| join kind=inner (
    ThreatIntelligenceIndicator
    | summarize ThreatTypes = make_set(ThreatType) by NetworkSourceIP // Aggregate ThreatTypes for each NetworkSourceIP
)
on $left.SrcIpAddr == $right.NetworkSourceIP
| project
    SrcIpAddr,
    LastTimeGenerated,
    AttemptedPortsCount,
    AttemptedPorts,
    ReportedBy,
    ThreatTypes
```

  4. See error

Expected behavior
It's running and showing the test result clearly

Screenshots
[screenshot not captured]

Contributor

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-rbajaj
Contributor

Hi @jeffrywu28, thanks for flagging this issue, we will get back to you by 30 Nov 2023.

@v-sudkharat
Contributor

Hi @jeffrywu28, just want to know, have you declared the "let PortScanThreshold = 50;" in the query?
We ran your provided query in our workspace and got the result below:
[screenshot not captured]

If we declare the "let PortScanThreshold = 50;" in the query and re-run it, then the query executes successfully and starts returning results:

[screenshot not captured]

FYI, we defined PortScanThreshold as 50 ("let PortScanThreshold = 50;") at the beginning of the query. This means that the query will only consider source IP addresses (SrcIpAddr) that have attempted to connect to more than 50 different ports (AttemptedPortsCount > PortScanThreshold).

Could you please check with "let PortScanThreshold = 50;" and let us know if your issue still persists?
Thanks!
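To make the diagnosis above concrete, here is an added example (not code from the issue thread or from the Sentinel repo) that models each stage of the KQL in plain Python and runs it over constructed `_Im_NetworkSession`-style and `ThreatIntelligenceIndicator`-style rows: the private/loopback source filter, the `summarize ... by SrcIpAddr` aggregation, the `PortScanThreshold` cut that the original query never declares, and the inner join against threat types aggregated per `NetworkSourceIP`. Field names follow the query; the sample addresses, vendors and threat types are made up, and `PORT_SCAN_THRESHOLD` stands in for the missing `let PortScanThreshold = 50;`.

```python
# Added example (not from the issue thread): a plain-Python model of the KQL
# analytics rule, run over constructed sample rows so the summarize / threshold /
# join stages can be checked offline. Field names follow the query; data is made up.
from collections import defaultdict
from datetime import datetime
import ipaddress

# The declaration the KQL in the issue is missing; without it the Analytics
# Rule fails to compile because PortScanThreshold is an unknown name.
PORT_SCAN_THRESHOLD = 50

# KQL's ipv4_is_private() covers the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_candidate_source(ip: str) -> bool:
    """Mirror `ipv4_is_private(SrcIpAddr) == False` plus the loopback exclusion.

    ipv4_is_private() returns null for a non-IPv4 string, and `null == False`
    does not evaluate true, so the KQL silently drops IPv6 sources; we do the
    same by treating anything that is not a parseable IPv4 address as excluded.
    """
    if ip in ("127.0.0.1", "::1"):
        return False
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in RFC1918)


def summarize_sessions(sessions, threshold):
    """The `summarize ... by SrcIpAddr | where AttemptedPortsCount > threshold` stage."""
    per_src = defaultdict(lambda: {"ports": set(), "reporters": set(), "last": None})
    for row in sessions:
        src = row["SrcIpAddr"]
        if not is_candidate_source(src):
            continue
        agg = per_src[src]
        agg["ports"].add(row["DstPortNumber"])  # dcount / make_set(DstPortNumber)
        agg["reporters"].add(f'{row["EventVendor"]}/{row["EventProduct"]}')  # make_set(strcat(...))
        if agg["last"] is None or row["TimeGenerated"] > agg["last"]:  # max(TimeGenerated)
            agg["last"] = row["TimeGenerated"]
    return {
        src: {
            "AttemptedPortsCount": len(a["ports"]),
            "AttemptedPorts": sorted(a["ports"]),
            "ReportedBy": sorted(a["reporters"]),
            "LastTimeGenerated": a["last"],
        }
        for src, a in per_src.items()
        if len(a["ports"]) > threshold
    }


def threat_types_by_ip(indicators):
    """Right side of the join: make_set(ThreatType) by NetworkSourceIP."""
    out = defaultdict(set)
    for ind in indicators:
        out[ind["NetworkSourceIP"]].add(ind["ThreatType"])
    return out


def detect(sessions, indicators, threshold=PORT_SCAN_THRESHOLD):
    """join kind=inner on SrcIpAddr == NetworkSourceIP, then project the columns."""
    summary = summarize_sessions(sessions, threshold)
    ti = threat_types_by_ip(indicators)
    return [
        {"SrcIpAddr": src, **agg, "ThreatTypes": sorted(ti[src])}
        for src, agg in sorted(summary.items())
        if src in ti  # inner join: scanners with no indicator are dropped
    ]


def _sessions(src, ports, vendor="Contoso", product="FW"):
    """Build constructed _Im_NetworkSession-style rows for one source address."""
    return [
        {"SrcIpAddr": src, "DstPortNumber": p, "EventVendor": vendor,
         "EventProduct": product, "TimeGenerated": datetime(2023, 11, 27, 10, p % 60)}
        for p in ports
    ]


# Constructed sample data (documentation-range addresses, not real hosts).
SESSIONS = (
    _sessions("203.0.113.10", range(1, 61))               # 60 ports, on a TI list
    + _sessions("203.0.113.10", [22], "Fabrikam", "IDS")  # second reporting product
    + _sessions("198.51.100.7", range(1, 61))             # 60 ports, no indicator
    + _sessions("10.0.0.5", range(1, 61))                 # private source, excluded
    + _sessions("192.0.2.44", range(1, 11))               # on a TI list but under threshold
)
INDICATORS = [
    {"NetworkSourceIP": "203.0.113.10", "ThreatType": "MaliciousUrl"},
    {"NetworkSourceIP": "203.0.113.10", "ThreatType": "Botnet"},
    {"NetworkSourceIP": "192.0.2.44", "ThreatType": "C2"},
    {"NetworkSourceIP": "10.0.0.5", "ThreatType": "Botnet"},
]

if __name__ == "__main__":
    for hit in detect(SESSIONS, INDICATORS):
        print(hit["SrcIpAddr"], hit["AttemptedPortsCount"], hit["ThreatTypes"], hit["ReportedBy"])
```

With the constructed data only `203.0.113.10` survives all three stages: `198.51.100.7` scans enough ports but has no indicator and is dropped by the inner join, `10.0.0.5` is filtered out as a private source before aggregation, and `192.0.2.44` matches an indicator but never reaches the threshold. Lowering `threshold` in `detect()` is the analogue of changing the `let` value in the rule.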

@v-sudkharat
Contributor

Hi @jeffrywu28, we are waiting for your response on above comment. Thanks!

@v-sudkharat
Contributor

Hi @jeffrywu28, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 08-12-2023 date, we will be closing this issue.
Thanks!

@v-sudkharat
Contributor

Hi @jeffrywu28, since we have not received a response in the last 5 days, we are closing your issue- #9484 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
