Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sentinel Central Workbook in correctly counting incidents #10465

Open
melatonein5 opened this issue May 10, 2024 · 3 comments
Open

Sentinel Central Workbook in correctly counting incidents #10465

melatonein5 opened this issue May 10, 2024 · 3 comments
Assignees
@v-rusraut @v-sudkharat
Labels
Workbook Workbook specialty review needed

Comments

@melatonein5
Copy link
Contributor

Describe the bug
When viewing the "Sentinel Central" workbook, all queries returning incident counts are returning incorrect numbers.

To Reproduce
Steps to reproduce the behavior:

  1. Open a saved "Sentinel Central" workbook.
  2. Note down the number of incidents in a workspace and the timeframe of the workbooks
  3. Navigate the the "Incidents" tab in the Sentinel of the workspace that was noted down
  4. Open the "Security Efficiency Workbook" in the top navigation bar.
  5. Change the timeframe parameter of the workbook to match the timeframe noted.
  6. The number of incidents will be different to Sentinel Central if incidents in the workspace have been modified

Expected behavior
Both incident counts should match.

Additional context
Opening this bug to reference the issue in the changelog. Adding | summarise arg_max(TimeGenerated, *) by IncidentName to affected queries fixes the issue. This is because every time an incident is modified, it creates a new log entry, which is not being accounted for in these queries.
melatonein5 added a commit to melatonein5/Azure-Sentinel that referenced this issue May 10, 2024
@melatonein5
Fixed issue Azure#10465
347c1e0 
Fixed issue Azure#10465 where incidents were not being counted correctly.
@melatonein5 melatonein5 mentioned this issue May 10, 2024
Merged
melatonein5 added a commit to melatonein5/Azure-Sentinel that referenced this issue May 10, 2024
@melatonein5
Merge pull request #1 from melatonein5/melatonein5-SentinelCentralPatch
ea6b2f1 
ISSUE Azure#10465 Fix - Sentinel Central Workbook now counting incidents correctly
@melatonein5 melatonein5 mentioned this issue May 10, 2024
Merged
@v-sudkharat v-sudkharat added the Workbook Workbook specialty review needed label May 10, 2024
@v-rusraut
Copy link
Contributor

Hi @melatonein5,
Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 17 May 2024. Thanks!

@v-rusraut
Copy link
Contributor

Hi @melatonein5,
We need more time to check and investigate into this issue. Thanks!

@v-rusraut
Copy link
Contributor

Hi @melatonein5,
As you already raised PR #10466 for this issue, our team is validating changes, our team will provide update on PR.
Thanks

v-atulyadav added a commit that referenced this issue May 24, 2024
@v-atulyadav
Merge pull request #10466 from melatonein5/melatonein5-SentinelCentra…
c894ae7 
…lPatch

Fixed ISSUE #10465 - Sentinel Central Workbook Patch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@v-rusraut v-rusraut

@v-sudkharat v-sudkharat

Labels
Workbook Workbook specialty review needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@melatonein5 @v-rusraut @v-sudkharat