Analytic rule not working properly #11125
Hi @UNOBeheer, thanks for flagging this issue. We will investigate it and get back to you with some updates. Thanks!
Hi @UNOBeheer, please provide more details about the issue. You mentioned that it created an incident with the Microsoft IP address; please provide more information about this as well.
Hi @UNOBeheer,
Hi @UNOBeheer, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 05-10-2024, we will be closing this issue.
Hello @v-rusraut, the rule detects, 95% of the time, sign-ins within the non-interactive sign-in logs from Microsoft IPs. Within the screenshot that I previously submitted you see the events of 1 incident and it shows the Microsoft IP addresses. We are running the following analytic rule template version: 1.1.2. Do you need more information or is this enough for you? Yours sincerely,
Hi @UNOBeheer,
Hello @v-rusraut
Hi @UNOBeheer,
Hi @praveenthepro, please help on this issue.
@v-rusraut, started working on it, will keep you updated.
The service tags JSON file used for exceptions in this alert was outdated, which is the root cause of these false positives. Raised the PR for updating the JSON, microsoft/mstic#33, which will fix the issue.
Hi @UNOBeheer, the PR raised by Praveen has been merged. Please check if your issue is resolved so we can close it.
The rule "Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml" detects sign-ins from Microsoft IP addresses and creates an incident, even though the correct IP subnet with prefix is listed in the included JSON file. Sentinel will create an incident with the Microsoft IP addresses.
To reproduce: create a sign-in from a Microsoft IP and run the rule.
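One way to reproduce the exclusion logic offline and see why a stale copy of the service-tag JSON lets Microsoft-range sign-ins through to an incident (added example, not the rule's own KQL or the repository's code; the document shape mirrors the Azure service-tag feed, but every prefix, IP and change number below is a constructed placeholder):

```python
import ipaddress
import json

# Constructed stale copy of the service-tag feed the rule's exclusions are built from.
STALE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    ],
})

# Constructed refreshed copy: the same tag now carries one additional prefix.
FRESH_SERVICE_TAGS = json.dumps({
    "changeNumber": 2,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48",
                                            "198.51.100.0/24"]}},
    ],
})

# Constructed non-interactive sign-in source IPs to run through the exclusion.
SIGNINS = ["203.0.113.7", "198.51.100.9", "2001:db8:1::5", "192.0.2.44"]


def load_prefixes(service_tags_json):
    """Flatten every addressPrefixes entry (IPv4 and IPv6) into network objects."""
    doc = json.loads(service_tags_json)
    return [ipaddress.ip_network(prefix, strict=False)
            for tag in doc["values"]
            for prefix in tag["properties"]["addressPrefixes"]]


def change_number(service_tags_json):
    """Feed version; comparing it against the published feed reveals a stale copy."""
    return json.loads(service_tags_json)["changeNumber"]


def is_excluded(ip, prefixes):
    """True when the sign-in source IP falls inside any excluded prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)  # mixed v4/v6 compares as False


def would_alert(signins, prefixes):
    """IPs the rule would still raise an incident for after applying the exclusions."""
    return [ip for ip in signins if not is_excluded(ip, prefixes)]
```

With the stale list, 198.51.100.9 is not excluded and an incident is raised for a Microsoft-range address; with the refreshed list only the genuinely external 192.0.2.44 remains.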