Why won't the Analytics rule generate incidents?

LXF 0 Reputation points

I built an Analytics rule with the KQL below, but unfortunately the Analytics rule won't generate any incidents.

I am pretty sure that there are IP addresses that can be found in both ThreatIntelligenceIndicator and testSuricataLog_CL. Testing the KQL alone generates the expected results, but the analytics rule won't generate anything after the data is ingested into 'testSuricataLog_CL'.

I'd really appreciate any help!


ThreatIntelligenceIndicator   // source table (restored here; the post's first line was cut off, the question names this table)
| extend TI_ipEntity = NetworkIP
| join (testSuricataLog_CL)
    on $left.TI_ipEntity == $right.dest_ip_s
| project Description, NetworkIP

Microsoft Sentinel
1 answer

Clive Watson (MVP):

    Hi, assuming this does work when you manually run it, have you:

    1. Tried it in the Results simulation; did that work?
    2. Added a specific time check in the KQL? e.g.
       | where TimeGenerated >= ago(1d)
    3. Checked the Query Scheduling settings; are they set too short to see the data? Go back to step 2: if 1d works, make sure these settings are at 1 day rather than n minutes.

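The usual reason a TI join like this returns rows in Logs but nothing from the scheduled rule is the one the answer points at: the rule's "Lookup data from the last" window is applied to every table in the query, and indicators in ThreatIntelligenceIndicator were typically ingested days or weeks before the current run, so they fall outside a window of a few minutes or hours. The query below is an added example (not code from the thread) that applies the answer's advice with two separate lookbacks, following the pattern of Sentinel's built-in "TI map IP entity" rules: the log side is bounded by the rule's scheduled window, the indicator side by a long window. Table and column names come from the question; dt_lookBack and ioc_lookBack are assumed names for the two windows.

```kusto
// Assumed windows: dt_lookBack must match the rule's "Lookup data from the last" setting
// (and the run frequency, so consecutive runs do not re-alert on the same rows);
// ioc_lookBack covers indicators that were ingested long before the current run window.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// Indicator side: only IP indicators, only the latest version of each indicator,
// and only indicators that are still active and not expired.
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend TI_ipEntity = NetworkIP
    | project TI_ipEntity, IndicatorId, Description, ConfidenceScore;
// Log side: only events from the scheduled window, so each run sees the new rows.
testSuricataLog_CL
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(dest_ip_s)
| join kind=inner ti_ips on $left.dest_ip_s == $right.TI_ipEntity
| project TimeGenerated, dest_ip_s, TI_ipEntity, IndicatorId, Description, ConfidenceScore
```

When this is saved as the rule query, set "Run query every" and "Lookup data from the last" to the same value as dt_lookBack (1 hour here), map dest_ip_s to the IP entity so the incident carries the matched address, and confirm with the Results simulation before waiting for a real run; if the simulation is empty but the same query returns rows in Logs over ago(1d), the log data is older than the run window and the windows need widening, not the join.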