Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Excessive number of failed connections from a single source (ASIM Network Session schema) default analytics rule -- results contain no src IP address #10713

Open mbell85 opened 6 days ago

mbell85 commented 6 days ago

Describe the bug: The analytics rule "Excessive number of failed connections from a single source (ASIM Network Session schema)" is giving me results that contain a count with no source IP addresses listed. I have deployed the ASIM parsers and other analytics rules are working as expected.

To Reproduce: Steps to reproduce the behavior:

  1. Go to Azure Sentinel and configure the analytics rule (after deploying ASIM parsers).
  2. Wait for analytics rule to generate an alert and then click on the results. For more details, click on "Link to LA" under event overview.
  3. See issue.

Expected behavior: Expect to be able to see the source IP which is causing the count to go over the programmed threshold limit.

Screenshots: count-no-source (image attached to the issue)
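One check a practitioner would run before filing or triaging a report like this, added here as an example and not taken from the issue or from the Azure-Sentinel repository's own rule: in KQL, `summarize count() by SrcIpAddr` places every event whose `SrcIpAddr` is empty into a single group, so if one connector's ASIM parser never fills `SrcIpAddr` for failed sessions, that one empty bucket can cross the rule's threshold on its own and surface as a count with no source address. The query below assumes the ASIM unifying parser `_Im_NetworkSession` is deployed and uses the ASIM Network Session fields `EventResult`, `SrcIpAddr`, `EventVendor` and `EventProduct`; the one-hour lookback and the `Failure` filter are assumptions meant to mirror the rule, not copied from it.

```kql
// Added diagnostic example; not part of the issue or the Azure-Sentinel repository.
// Assumes the ASIM unifying parser _Im_NetworkSession is deployed and that the
// rule aggregates failed sessions by SrcIpAddr (an assumption; confirm against
// the rule's own KQL in the repository).
let lookback = 1h;
// Step 1: which vendor/product pairs emit failed sessions with an empty SrcIpAddr?
_Im_NetworkSession(starttime=ago(lookback), endtime=now(), eventresult='Failure')
| summarize
    Total    = count(),
    EmptySrc = countif(isempty(SrcIpAddr))
  by EventVendor, EventProduct
| extend EmptySrcPct = round(100.0 * EmptySrc / Total, 1)
| where EmptySrc > 0
| order by EmptySrc desc
```

If the first query names a product, rerun `_Im_NetworkSession` with `| where isempty(SrcIpAddr)` and `| project TimeGenerated, EventVendor, EventProduct, SrcHostname, DstIpAddr, DstPortNumber` to see what those rows do carry; that tells you whether the source-specific parser is dropping the address or the raw log never had one, which is the distinction the rule author needs to fix the parser or to add `| where isnotempty(SrcIpAddr)` before the aggregation.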