Forum Discussion
JBUB_Accelerynt (Brass Contributor)
Jul 07, 2020
TiIndicators not showing up in ThreatIntelligenceIndicator Logs
It seems that around July 2nd, 7/2/2020, 9:17:26.272 PM UTC, all of our custom TiIndicators stopped showing up in our ThreatIntelligenceIndicator logs. All of the logic apps are running successfully and POSTing to the SecGraphApi - with the correct responses. We can also send a GET to the API with the newly created TiIndicator ID and verify that the indicator exists. When searching the logs we are not seeing anything, however.
The indicators retrieved by the built-in TAXII data connector are still in the logs.
We have tested this with the standard POST method to the API as well as the new MS Graph Security - Create TiIndicator/Create Multiple TiIndicator actions in the LogicApps. We have also tested in a separate tenant.
- majo01 (Brass Contributor)
We experienced the same issue and on the same date. I already opened a support ticket with Microsoft support, but they haven't yet identified that there was an issue.
- RijutaKapoor (Microsoft)
majo01 : The issue is now resolved. Are you still seeing the issue persisting?
Please make sure that the TIP Connector in Sentinel is turned on.
- JBUB_Accelerynt (Brass Contributor)
We are still seeing this issue. It works for a few days then breaks again. I have attached an image with our baseline. You can see when the issue starts to ramp up and then totally stop.
- MalliBoppe (Copper Contributor)
We are experiencing the same issues. I have logged a MS support ticket. Waiting for them to find a resolution.
- RijutaKapoor (Microsoft)
MalliBoppe - Can you please provide the support ticket link? We would need the workspace id and tenant id to further investigate the issue.
- MalliBoppe (Copper Contributor)
RijutaKapoor I think the issue has been resolved now. I was told by the MS engineer that the issue impacted the Australia region.
- JBUB_Accelerynt (Brass Contributor)
Not sure who put this fix in, but we are seeing positive results now in both tenants. Nothing changed on our end. Any post-fix info would be great. Thanks again MS Sentinel Team!
- Ofer_Shezaf (Microsoft)
JBUB_Accelerynt : While we monitor for issues and try to preempt, I do recommend opening a support ticket in such a case, whether instead of or in addition to a community post. While the community interaction is lively and quite fast, if something disrupts your service, we want to make sure we resolve it as soon as possible.
- JBUB_Accelerynt (Brass Contributor)
Ofer_Shezaf Thank you Ofer 😃
We have opened a ticket and I can confirm it is broken again. 3 separate tenants and the last threat intel entry that shows up in the logs is on the 10th. The logic apps run and I can return threat intel, but it's just not in the logs for use in analytic rules.
I encourage others to check their logs and make sure their rules are working. Or at least be aware log entries are missing.