Anomaly found in Network Session Traffic Analytics Rule Generating Blank Incidents #9983
Comments
Hi @NickNicolaou2129, thanks for flagging this issue. We will investigate it and get back to you with some updates by 26-02-2024. Thanks!
Hi @NickNicolaou2129, could you please run the query shared below once and check the result: query.txt. Thanks!
Hi @NickNicolaou2129, we are waiting for your response to the above comment. Thanks!
Hi @v-sudkharat, NetworkCustomAnalytics_protocol_CL does not refer to a known table.
Hi @NickNicolaou2129, could you please check that the rule is compliant with the required data sources? Thanks!
Hi,
Yes, it is compliant; otherwise the incident would not trigger in the first place.
Many thanks,
Nicholas
@NickNicolaou2129, we will check on it and, if required, schedule a call for it. Thanks!
Hi @NickNicolaou2129, can we have a call? We need a few more details about the incident. Thanks!
Hi @NickNicolaou2129, hope you're doing well. As you have raised a support case for this same issue, our team is working on your ticket. Could you please let us know whether we can close this issue on GitHub, since the other team is checking on it? Thanks!
Hi, I would like to keep this GitHub ticket open. I have just sent you the documents you requested from me in yesterday's call. Let me know if you have any further news, thanks!
@NickNicolaou2129, sure. We will check it from our end and update you. And please let us know if you get an update on this from our support team. Thanks!
Hey @NickNicolaou2129, our support team is still working on this issue and will contact you for the required details. Thanks!
Hi @NickNicolaou2129, as an ICM has been raised for this issue, this is a duplicate issue. Please let me know if any work needs to be done and we will reopen it; closing as per process, and we will discuss it in detail in tomorrow's call.
Hello, I'm facing the same issue for the table NetworkCustomAnalytics_protocol_CL, which is not present in the LA workspace. Were you able to fix it?
Yes, there is too much data in that table for the query to process, causing it to generate blank incidents.
Try running the analytics rule in the logs section, gradually changing it to optimise the query. You can check the CPU in the query details section after it finishes running.
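The diagnostic the comment above recommends (run the rule's query in the Logs blade, narrow it until it completes, and read the CPU figure from Query details), written out as an added example; this is not the rule's own query and is not part of the original thread. It assumes a Log Analytics workspace where the built-in Usage table is available, and it touches only the TimeGenerated column of NetworkCustomAnalytics_protocol_CL, because the thread does not show the rule's other columns. The 1-day, 1-hour and 5-minute windows are arbitrary starting points.

```kql
// Added example, not the Azure-Sentinel rule's query. Run each query
// separately in Sentinel > Logs.
//
// Step 1: is NetworkCustomAnalytics_protocol_CL being ingested at all?
// Usage exists in every Log Analytics workspace, so this runs even when the
// custom table does not. Zero rows here matches the "does not refer to a
// known table" error reported earlier in the thread; a large IngestedMB
// matches the "too much data" explanation.
Usage
| where TimeGenerated > ago(1d)
| where DataType == "NetworkCustomAnalytics_protocol_CL"
| summarize IngestedMB = sum(Quantity) by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// Step 2: how many rows does a short window hold? The time filter comes
// first and only TimeGenerated is read, so this is the cheapest possible
// scan of the table. Widen ago(1h) until Query details shows CPU and row
// counts climbing towards the limits; that window is the practical
// lookback ceiling for the analytics rule, and the rule's own query should
// likewise keep its TimeGenerated filter as its first operator.
NetworkCustomAnalytics_protocol_CL
| where TimeGenerated > ago(1h)
| summarize Rows = count() by bin(TimeGenerated, 5m)
| order by TimeGenerated asc
```

If step 1 returns rows but step 2 times out even for a small window, the table is present but the rule's lookback and query shape are the problem, which is the situation the issue describes; if step 1 returns nothing, the data connector is not writing to that table and no amount of query tuning will help.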
The same problem here. Did anyone find the solution?
Describe the bug
To Reproduce

When running the "Anomaly found in Network Session Traffic" rule, it does not load any query results; this is because we have so much data coming in that it cannot read it all back. Even if I set the lookback to 1 second, it still does not load any data.
This results in incidents being created that are empty, because the query cannot load the data.

Expected behavior
We expect to see the incident information appear when it is generated.