Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

InfobloxNIOS Parser - Performance Degradation #3300

Closed jernesto87 closed 2 years ago

jernesto87 commented 3 years ago

There is a performance degradation once the function is defined within a given workspace and data is progressively being ingested. Several errors are shown on the AS Connector page and when it is able to load, it takes at least more than 5 minutes to do so. Also, the associated Workbook is extremely slow when attempting to load data.

There were also some potential errors in the code in the following lines:

Many thanks in advance for the help. Regards.

github-actions[bot] commented 3 years ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

oshezaf commented 3 years ago

@v-jayakal: note that I believe this is related to https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/InfobloxNIOS/InfobloxNIOS.txt

jernesto87 commented 2 years ago

Hi, any updates regarding this parser and the reported issue?

v-rucdu commented 2 years ago

Hey, we are looking into this issue and will get back to you ASAP. Thanks!!!

ritika-msft commented 2 years ago

Hi @jernesto87,

We have made a few changes to the parser to help improve its performance: https://github.com/Azure/Azure-Sentinel/pull/3850/files. Can you please follow the steps below, save the function with a different name, and let us know if you see any improvement in parser performance?

  1. Open the Log Analytics Workspace.
  2. Open a new Query window.
  3. Copy and paste the updated query from the InfobloxNIOS.txt file provided in the PR https://github.com/Azure/Azure-Sentinel/pull/3850/files.
  4. In the query window, on the 2nd line of the query, enter the hostname(s) of your Infoblox NIOS device(s) and the Facility of the log stream.
  5. Click the Save button and select "Function" from the drop-down, specifying the function name and alias as InfobloxNIOS_Test.
  6. Run the query to validate that data is being received and parsed, and check whether there are any performance improvements.

Let us know if the query works fine. Thanks!!

jernesto87 commented 2 years ago

Good morning. Many thanks for the improvements made. I just wanted to confirm whether the previously reported potential errors were also taken into account in this new version:

"There were also some potential errors in the code in the following lines:

  [207] "dhcp" should be "dhcpd"
  [209] "Type" should be "Log_Type"
  [211] "Type" should be "Log_Type""

Thanks again.

ritika-msft commented 2 years ago

Hi, we have pushed the changes fixing the potential errors mentioned above in the same PR. Thanks!!

v-rucdu commented 2 years ago

@jernesto87: Do we have any update on this issue? Has the performance issue been resolved for you? Thanks!!!

v-marimanda commented 2 years ago

@jernesto87 we are closing this issue as we did not hear back from you. Please feel free to open another issue if you still face the problem.
