Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml #10617
Comments
Hi @ksinghd09, thanks for flagging this issue. We will investigate it and get back to you with some updates by 15-06-2024. Thanks!
Hi @ksinghd09,
Hi @ksinghd09, we had a discussion with the concerned team about this issue, and the team wants to check that in your environment only this rule has been configured: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml and not this one, which has the same name: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml. Due to the name collision of the two rules it may produce duplicate incidents, but could you please confirm and let us know, so we can share this update with the team. Thanks!
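The comment above attributes the duplicate incidents to two rule templates in different solutions sharing the same display name. The script below is an added example (not code from the Azure-Sentinel repository or from Microsoft) of a check a defender can run over a checkout of the `Solutions` folder to surface such collisions before both templates get enabled. It assumes only that each rule template is a YAML file with top-level `id:` and `name:` fields, which is the layout used in that repository, and it parses those two fields with regular expressions so it has no third-party dependencies. The sample file contents embedded in `SAMPLE_RULES` are constructed for this example: the two paths are the ones named in the thread, but the `id`/`name` values are made up and deliberately give both rules an identical display name.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample input. The two file paths are the ones named in the issue
# thread; the id/name values are made up for this example (they are NOT the
# real contents of those rule templates) and deliberately give both rules the
# same display name to reproduce the collision the thread describes.
SAMPLE_RULES = {
    "Solutions/Microsoft Entra ID/Analytic Rules/"
    "AuthenticationMethodsChangedforPrivilegedAccount.yaml": (
        "id: 00000000-0000-0000-0000-000000000001\n"
        "name: Authentication Methods Changed for Privileged Account\n"
        "severity: High\n"
    ),
    "Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/"
    "AuthenticationMethodChangedforPrivilegedAccount.yaml": (
        "id: 00000000-0000-0000-0000-000000000002\n"
        "name: 'Authentication Methods Changed for Privileged Account'\n"
        "severity: High\n"
    ),
    "Solutions/Example/Analytic Rules/UnrelatedRule.yaml": (
        "id: 00000000-0000-0000-0000-000000000003\n"
        "name: Unrelated Rule\n"
        "severity: Low\n"
    ),
}

# Top-level scalar fields of a rule template; a minimal parse is enough here.
_NAME_RE = re.compile(r"^name:\s*(.+?)\s*$", re.MULTILINE)
_ID_RE = re.compile(r"^id:\s*(.+?)\s*$", re.MULTILINE)


def _field(yaml_text, pattern):
    """Return the first match of a top-level field, with surrounding quotes removed."""
    match = pattern.search(yaml_text)
    if not match:
        return None
    return match.group(1).strip().strip("'\"")


def normalize_name(name):
    """Lower-case and collapse punctuation/whitespace so cosmetic variants still collide."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def load_rule_files(root):
    """Map every *.yaml under root (relative path -> text); assumed repo layout."""
    root = Path(root)
    return {
        str(path.relative_to(root)): path.read_text(encoding="utf-8", errors="replace")
        for path in sorted(root.rglob("*.yaml"))
    }


def find_collisions(rule_files):
    """Group rule paths by normalized display name and by template id.

    Returns {"name": {normalized_name: [paths]}, "id": {id: [paths]}} keeping
    only groups with two or more members, i.e. the actual collisions.
    """
    by_name = defaultdict(list)
    by_id = defaultdict(list)
    for path, text in rule_files.items():
        name = _field(text, _NAME_RE)
        rule_id = _field(text, _ID_RE)
        if name:
            by_name[normalize_name(name)].append(path)
        if rule_id:
            by_id[rule_id.lower()].append(path)
    return {
        "name": {k: sorted(v) for k, v in by_name.items() if len(v) > 1},
        "id": {k: sorted(v) for k, v in by_id.items() if len(v) > 1},
    }


if __name__ == "__main__":
    # Usage: python check_rule_names.py /path/to/Azure-Sentinel/Solutions
    # Without an argument the constructed sample above is checked instead.
    rules = load_rule_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RULES
    report = find_collisions(rules)
    for kind, groups in report.items():
        for key, paths in groups.items():
            print(f"{kind} collision: {key!r}")
            for path in paths:
                print(f"  {path}")
    sys.exit(1 if any(report.values()) else 0)
```

Grouping is done on the `name:` field rather than on the file name, so the one-letter difference between the two file names in the thread (`Methods` versus `Method`) does not hide a collision; the exit status makes the check usable as a CI gate on a fork before templates are imported into a workspace.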
Hi @ksinghd09, waiting for your response on the above comment. Thanks!
Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 22-07-2024, we will be closing this issue.
Thanks for getting back. We have created a custom analytic rule for our environment; it triggers an alert by searching the Audit logs table instead of the IdentityInfo table.
Hey @ksinghd09, the Audit logs table is used in rule https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml, so could you please check and confirm that the custom rule you created is using the above rule, and not the one mentioned in the issue title itself: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
@ksinghd09, waiting for your response. Thanks!
Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 09-08-2024, we will be closing this issue.
Hi @ksinghd09, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
See the path to the code in the title of this issue.
This query generates duplicate incidents every 2 hours when the analytic rule runs. Please suggest a fix for it.