Bugs on Microsoft Azure Sentinel since this 25/08 UK morning

Question

Bugs on Microsoft Azure Sentinel since this 25/08 UK morning

Prashanthkumar Basalahalli V 1

Hi Microsoft Team,

Various bugs on Microsoft Azure sentinel are noticed since morning 25/08.

Entity mappings are broken and logic apps not able to retrieve values for sentinel incident trigger (private preview) that use methods GetHost, GetIP, Get URL, Getfile hash etc.
when editing a workbook and saving it.. instead of saving the existing workbook its just creating duplicate workbook.

Azure Sentinel Team - Can you look into this issue as this must be affecting globally.

Thanks

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-08-25T21:53:56.02+00:00

@Prashanthkumar Basalahalli V
Than you for your post and for reporting this!

Are you able to share some screenshots of what you're seeing so I can gain a better understanding of your issue, and to see if I can replicate this within my environment as well.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Olivier 1 Reputation point

2021-08-26T07:22:13.26+00:00

Hello i have the same probleme since yesterday. logic app whith "when azure sentinel incident creation rule was triggered" trigger shows no entities. So it wont work All my logicApp are down ![126664-problem.jpg][1] [1]: /api/attachments/126664-problem.jpg?platform=QnA
Olivier 1 Reputation point

2021-08-26T07:50:10.58+00:00

is there a way to declare this incident ?

2 answers

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-08-25T21:53:56.02+00:00

@Prashanthkumar Basalahalli V
Than you for your post and for reporting this!

Are you able to share some screenshots of what you're seeing so I can gain a better understanding of your issue, and to see if I can replicate this within my environment as well.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Olivier 1 Reputation point

2021-08-26T07:22:13.26+00:00

Hello i have the same probleme since yesterday. logic app whith "when azure sentinel incident creation rule was triggered" trigger shows no entities. So it wont work All my logicApp are down ![126664-problem.jpg][1] [1]: /api/attachments/126664-problem.jpg?platform=QnA
Olivier 1 Reputation point

2021-08-26T07:50:10.58+00:00

is there a way to declare this incident ?

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Prashanthkumar Basalahalli V , anonymous user, @Olivier
Thank you all for reaching out and posting to this thread!

I've reached out to our Azure Sentinel team and will update as soon as possible. Additionally, I was able to find some Known issues and limitations with the Azure Sentinel (Preview) Connector which I'll post below.

Cannot trigger a Logic App called by an Azure Sentinel trigger using the "Run Trigger" button
A user cannot use the Run trigger button on the Overview blade of the Logic Apps service to trigger an Azure Sentinel playbook.

Azure Logic Apps are triggered by a POST REST call, whose body is the input for the trigger. Logic Apps that start with Azure Sentinel triggers expect to see the content of an Azure Sentinel alert or incident in the body of the call. When the call comes from the Logic Apps Overview blade, the body of the call is empty, and therefore an error is generated.

These are the only proper ways to trigger Azure Sentinel playbooks:

Manual trigger in Azure Sentinel
Automated response of an analytics rule (directly or through an automation rule) in Azure Sentinel
Use "Resubmit" button in an existing Logic Apps run blade
Call the Logic Apps endpoint directly (attaching an alert/incident as the body)

Thank you for your time and patience throughout this issue.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-08-27T16:32:40.98+00:00

@Prashanthkumar Basalahalli V , anonymous user, @Olivier
Thank you all for your time and patience throughout this issue!

I received an update from our engineering team, and there was a bug in playbooks triggered by an incident in Europe regions. Entities weren't sent to the playbook as expected. This issue should be resolved and if you're still having issues, please let me know.

If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Debac Manikandan 16 Reputation points MVP

2021-08-29T12:57:04.507+00:00

Hi @JamesTran-MSFT

Any progress on the second issue regarding the workbooks?

Description:
Any custom made workbook in Azure Sentinel appears to duplicate itself, but with the same name and ID. Any change made to one of the workbook reflects in the other as well. Likewise, deleting one workbook deletes the other workbook as well.

Would be keen to have this sorted out at the earliest, please.

Thanks. :)
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-08-30T18:15:30.187+00:00

@DebacManikandan-8212
Thank you for the follow up on this!

I've reached out to our engineering team and will update as soon as possible.

Thank you for your time and patience throughout this issue.
Dave Anderson 1 Reputation point

2021-08-31T08:41:47.247+00:00

From the instances of Sentinel we make use of, i can confirm can also see the same symptoms across multiple tenants with the customer defined workbooks. If they have been updated in the last week or so, the duplication visibility seems to show. For workbooks which haven't been updated for over a month do not appear to have this symptom.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-09-01T17:26:30.807+00:00

@Prashanthkumar Basalahalli V
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

Answer 2

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@DebacManikandan-8212, and @Dave Anderson
Thank you both for following up on this!

I received an update from our engineering team, and this is a known issue on the duplicate entry of workbooks, and is being worked on with no ETA yet. The workaround for now, would be to ignore the duplicate saved workbook(s).

Thank you all for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-09-02T19:54:09.257+00:00

@DebacManikandan-8212, and @Dave Anderson
Thank you both for your time and patience throughout this issue!

I received an update from our engineering team and the fix for this has been deployed, if you can verify this from your end.

If you have any other questions, please let me know.
Thank you!
Debac Manikandan 16 Reputation points MVP

2021-09-02T21:32:40.003+00:00

Hi @JamesTran-MSFT ,

I can confirm that the fix works fine on our workspaces.

Thank you so much for the assistance. :)
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-09-02T21:34:58.573+00:00

@DebacManikandan-8212
Thank you for the quick follow up and I'm glad that I was able to help resolve your issue!

Share via

Bugs on Microsoft Azure Sentinel since this 25/08 UK morning

2 answers

Your answer