Sentinel Analytics Rule not creating incident

Question

Sentinel Analytics Rule not creating incident

Conor Bateman (Alcom IT) 5

I have worked with Microsoft Support and created an Analytics rule to raise an incident when 5 or more failed login attempts are detected, followed by a success.

This worked originally but has now stopped working.

Nothing has changed. I cannot figure out why this could have stopped working.

Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-26T16:46:24.09+00:00

Hello @Conor Bateman (Alcom IT),

Thank you for posting your query on Microsoft Q&A.

Based on the information you provided, I understand that you have created a rule in Microsoft Sentinel to trigger an incident when five or more failed login attempts are detected. It was working fine earlier but has suddenly stopped generating incidents.

I recommend reviewing the following troubleshooting guide to check for potential issues: Troubleshoot analytics rules in Microsoft Sentinel

If the issue persists, please send your contact details in a private message so we can take this offline for further investigation.
Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-27T12:23:40.7666667+00:00

Hello @Conor Bateman (Alcom IT),

Just checking in to see if the issue still persists. If it does, please let me know—I’d be happy to look into it further.
Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-28T13:13:59.7733333+00:00

Hello @Conor Bateman (Alcom IT),

Please refer the below action plan shared by Andrew on this and please feel free to reach out if you have any further questions.

1 answer

Your answer

Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-26T16:46:24.09+00:00

Hello @Conor Bateman (Alcom IT),

Thank you for posting your query on Microsoft Q&A.

Based on the information you provided, I understand that you have created a rule in Microsoft Sentinel to trigger an incident when five or more failed login attempts are detected. It was working fine earlier but has suddenly stopped generating incidents.

I recommend reviewing the following troubleshooting guide to check for potential issues: Troubleshoot analytics rules in Microsoft Sentinel

If the issue persists, please send your contact details in a private message so we can take this offline for further investigation.
Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-27T12:23:40.7666667+00:00

Hello @Conor Bateman (Alcom IT),

Just checking in to see if the issue still persists. If it does, please let me know—I’d be happy to look into it further.
Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator

2025-02-28T13:13:59.7733333+00:00

Hello @Conor Bateman (Alcom IT),

Please refer the below action plan shared by Andrew on this and please feel free to reach out if you have any further questions.

Answer 1

Andrew Blumhardt 10,071 Microsoft Employee

Agreed. We will need more information to assist. I recommend copying the rule query into Log Analytics to run or use the test option 'runs' on the rule. When testing the query independently, try commenting out the threshold, any parameters, and possibly the project statement. Look to verify that the underlying data is present. Verify that the lookback timespan is sufficient.

0 comments

Share via

Sentinel Analytics Rule not creating incident

1 answer

Your answer