Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml #10617

Closed ksinghd09 closed 1 week ago

ksinghd09 commented 2 months ago

See the path to the code in the title of this issue. This query generates duplicate incidents every 2 hours when the analytic rule runs. Please suggest a fix for it.

v-rusraut commented 2 months ago

Hi @ksinghd09, thanks for flagging this issue. We will investigate it and get back to you with some updates by 15-06-2024. Thanks!

v-rusraut commented 2 months ago

Hi @ksinghd09, we are working on reproducing the issue and will update you.

v-sudkharat commented 1 month ago

Hi @ksinghd09, we had a discussion with the concerned team about this issue, and the team wants to check whether, in your environment, only this rule has been configured - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml and not this one, which has the same name - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml

Due to the name collision between the two rules, it may produce duplicate incidents, but could you please confirm and let us know, so we can share this update with the team. Thanks!
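The check the maintainers are asking for, as an added example that is not part of the thread or of the Azure-Sentinel repository: list the analytic rules deployed in the workspace and group them by display name, so that two enabled scheduled rules carrying the same name (one from each solution) show up together with their schedule and the table their query starts from. It assumes the input is the JSON returned by the Microsoft Sentinel alert rules REST API (`.../providers/Microsoft.SecurityInsights/alertRules`) or by `az sentinel alert-rule list`; the sample response below is constructed for this example and its GUIDs, names and query bodies are placeholders, not the real rules.

```python
"""Flag Microsoft Sentinel analytic rules that share a display name.

Added example (not repository code). Input shape assumed: the alertRules
list response, i.e. {"value": [{"name": <guid>, "kind": ..., "properties":
{...}}, ...]}. Obtain it with, for instance (assumed invocation):
  az sentinel alert-rule list -g <rg> --workspace-name <ws> -o json
"""
import json
from collections import defaultdict

# Constructed sample response: two enabled scheduled rules with the same
# display name (one reading IdentityInfo, one reading AuditLogs), a third
# disabled copy, an unrelated rule, and a non-scheduled Fusion rule.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "name": "11111111-1111-1111-1111-111111111111",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Authentication Methods Changed for Privileged Account",
                "enabled": True,
                "queryFrequency": "PT2H",
                "queryPeriod": "P1D",
                "query": "IdentityInfo\n| where ...",   # placeholder
            },
        },
        {
            "name": "22222222-2222-2222-2222-222222222222",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Authentication Methods Changed for Privileged Account",
                "enabled": True,
                "queryFrequency": "PT2H",
                "queryPeriod": "P1D",
                "query": "AuditLogs\n| where ...",      # placeholder
            },
        },
        {
            "name": "33333333-3333-3333-3333-333333333333",
            "kind": "Scheduled",
            "properties": {
                "displayName": "authentication methods changed for privileged account ",
                "enabled": False,                        # disabled: no incidents
                "queryFrequency": "PT2H",
                "queryPeriod": "P1D",
                "query": "AuditLogs\n| where ...",
            },
        },
        {
            "name": "44444444-4444-4444-4444-444444444444",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Unrelated sign-in rule",
                "enabled": True,
                "queryFrequency": "PT1H",
                "queryPeriod": "PT1H",
                "query": "SigninLogs\n| where ...",
            },
        },
        {
            "name": "55555555-5555-5555-5555-555555555555",
            "kind": "Fusion",
            "properties": {"displayName": "Advanced Multistage Attack Detection", "enabled": True},
        },
    ]
})


def _source_table(query: str):
    """First token of a KQL query, i.e. the table it reads from (None if empty)."""
    head = query.split("|", 1)[0].strip()
    return head or None


def find_display_name_collisions(response_json: str, enabled_only: bool = True) -> dict:
    """Group rules by display name (case/whitespace-insensitive) and return
    only the names used by two or more rules. Disabled rules are skipped by
    default because they cannot create incidents."""
    rules = json.loads(response_json)["value"]
    by_name = defaultdict(list)
    for rule in rules:
        props = rule.get("properties", {})
        if enabled_only and not props.get("enabled", False):
            continue
        key = props.get("displayName", "").strip().casefold()
        by_name[key].append({
            "id": rule["name"],
            "kind": rule.get("kind"),
            "enabled": props.get("enabled"),
            "frequency": props.get("queryFrequency"),
            "period": props.get("queryPeriod"),
            "table": _source_table(props.get("query", "")),
        })
    return {name: rules for name, rules in by_name.items() if len(rules) > 1}


if __name__ == "__main__":
    for name, dupes in find_display_name_collisions(SAMPLE_RESPONSE).items():
        print(f"{name!r} is used by {len(dupes)} enabled rules:")
        for r in dupes:
            print(f"  {r['id']}  {r['kind']}  every {r['frequency']}  reads {r['table']}")
```

Two enabled scheduled rules with the same name and the same two-hour frequency, each reading a different table, is exactly the pattern that produces a pair of incidents per run; disabling or deleting one of them is the fix implied by the maintainers' question, and running the check with `enabled_only=False` shows the disabled copy as well.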

v-sudkharat commented 1 month ago

Hi @ksinghd09, we are waiting for your response to the above comment. Thanks!

v-sudkharat commented 1 month ago

Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond within the next 2 days. If we don't receive a response by 22-07-2024, we will close this issue.
Thanks!

ksinghd09 commented 1 month ago

Thanks for getting back to us. We have created a custom analytic rule for our environment; it triggers an alert by searching the AuditLogs table instead of the IdentityInfo table.

v-sudkharat commented 3 weeks ago

Hey @ksinghd09, the AuditLogs table is used in this rule - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml, so could you please check and confirm whether the custom rule you created is based on the above rule and not the one you mentioned in the issue title itself - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml As mentioned in comment https://github.com/Azure/Azure-Sentinel/issues/10617#issuecomment-2225075304, if both rules get configured, then due to the name collision duplicate incidents get created. Thanks!

v-sudkharat commented 2 weeks ago

@ksinghd09, waiting for your response. Thanks!

v-sudkharat commented 2 weeks ago

Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond within the next 2 days. If we don't receive a response by 09-08-2024, we will close this issue.
Thanks!

v-sudkharat commented 1 week ago

Hi @ksinghd09, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to reopen it at any time. Thank you for your cooperation.