Why won't the Analytics rule generate incidents?

LXF 205 Reputation points
2023-11-10T03:01:03.1466667+00:00

I built an Analytics rule with the KQL below, but unfortunately the Analytics rule won't generate any incidents.

I am pretty sure that there are IP addresses that can be found in both ThreatIntelligenceIndicator and testSuricataLog_CL. Testing the KQL alone generates the expected results, but the analytics rule won't generate anything after the data is ingested into ‘testSuricataLog_CL’.

I really appreciate any help!

ThreatIntelligenceIndicator
// Alias the indicator's IP column so the join key is explicit
| extend TI_ipEntity = NetworkIP
// Match TI indicators against the destination IP of each Suricata event
| join (testSuricataLog_CL) on $left.TI_ipEntity == $right.dest_ip_s
| project Description, NetworkIP


1 answer

  1. Clive Watson 6,351 Reputation points MVP
    2023-11-10T09:44:40.5533333+00:00

    Hi, assuming this does work when you manually run it, have you:

    1. Tried it in the Results simulation? Did that work?
    2. Added a specific time check in the KQL? e.g.
       | where TimeGenerated >= ago(1d)
    3. Checked the Query Scheduling settings: are they set too short to see the data? Go back to step 2; if 1d works, make sure these settings are at 1 day rather than n minutes.

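Combining points 2 and 3 of the answer, the rule query can bound both sides of the join to the rule's own lookback so that an ad hoc run and the scheduled run see the same rows. This is an added example, not the question's or the answer's code; it assumes the standard ThreatIntelligenceIndicator columns IndicatorId, Active, ExpirationDateTime and ConfidenceScore, and that testSuricataLog_CL carries TimeGenerated like every custom log table.

```kql
// Added example: a scheduled-rule version of the TI match query.
// `lookback` must be no longer than the rule's "Lookup data from the last" setting,
// and the rule should run at least as often as that window; a query that returns
// rows when run by hand but is scheduled with a 5-minute window will find nothing
// once the Suricata rows are older than 5 minutes.
let lookback = 1d;
let tiIndicators = ThreatIntelligenceIndicator
    // TI rows are ingested when the indicator arrives, not when the event happens,
    // so look further back for indicators than for events (assumed 14x window)
    | where TimeGenerated >= ago(lookback * 14)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    // keep only the latest version of each indicator to avoid duplicate matches
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TI_ipEntity = NetworkIP;
testSuricataLog_CL
// only events inside the rule's scheduling window
| where TimeGenerated >= ago(lookback)
| where isnotempty(dest_ip_s)
| join kind=inner tiIndicators on $left.dest_ip_s == $right.TI_ipEntity
// TimeGenerated here is the Suricata event time; the TI side becomes TimeGenerated1
| project TimeGenerated, dest_ip_s, Description, NetworkIP, ConfidenceScore
```

Run the query in the rule's Results simulation first: if it returns rows with `lookback = 1d` but not with a shorter value, the scheduling window is the cause rather than the join.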