Analytic rule not working properly #11125
Comments
|
Hi @UNOBeheer, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks! |
|
Hi @UNOBeheer, please provide more details about the issue. You mentioned that it created an incident with the Microsoft IP address; please provide more information about this as well. |
|
Hi @UNOBeheer, |
|
Hi @UNOBeheer , Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 05-10-2024 date, we will be closing this issue. |
|
Hello @v-rusraut, The rule detects 95% off the time sign-ins within the non-interactive sign-in logs from Microsoft IP's. Within the screenshot that I previously submitted you see the events off 1 incident and it shows the Microsoft ip addresses. We running de following analytic rule template version: 1.1.2 Do you need more information or is this enough for you? Yours sincerely, |
|
Hi @UNOBeheer, |
|
Hello @v-rusraut |
|
Hi @UNOBeheer, |
|
Hi @praveenthepro , please help on this issue . |
|
@v-rusraut , Started working on it, will keep you updated |
|
The service tags json file used for exceptions in this alert was outed which is the root cause of this false positives, Raised the PR for updating the json, microsoft/mstic#33, Which will fix the issue. |
|
Hi @UNOBeheer , The PR raised by Praveen has been merged. Please check if your issue is resolved so we can close it. |
The rule "Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml" detects sign-ins from microsoft ip addresses and creates a incident. But the correct ip subnet with prefix is mention in the included JSON file. Sentinel wil create a incident with the microsoft ip addresses.
create a sign-in from a microsoft ip and run the rule.
The text was updated successfully, but these errors were encountered: