Custom rule triggered but need to refresh event query multiple times to get results

Mariana Wolter 1 Reputation point
2021-02-03T01:32:24.047+00:00

I have a custom rule that is triggered when one or more identical entities are mapped due a certain time, and it always works, but sometimes when I click on the events, I don't see results and I have to refresh a couple of times to see the data. Any idea why this could be?

Example of incident generated:

63262-ruleevents.png

When clicking the events, nothing is shown:

63150-query.png

If I click run multiple times (in this example I did it 5 times) I get the result:

63271-query-on-refresh.png

Good request details:

63253-image.png

Bad request details:

63252-image.png

Microsoft Sentinel