It seems the issue is caused by the issue with the Azure Premium P1/P2 license. Recently we updated the licenses for all in the company and some of those licenses don't work properly with Sentinel.
BehaviorAnalytics stopped collecting FailedLogon events
Hi there.
Since April 2022 we have been experiencing a situation where the query to the BehaviorAnalytics table doesn't select any records with the ActivityType containing 'FailedLogOn'. And there are no records like that if you select the records without any filters.
I checked all connected logs and everything looks enabled.
Could you please guide me on how to fix this?
2 answers
Andrew Blumhardt 9,496 Reputation points Microsoft Employee
2022-05-02T15:46:44.003+00:00
I would start by checking the source tables for activity. Make sure your AAD Audit and Signin Logs are flowing. Maybe reset the UEBA settings. It may need reauthorization.
https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
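
One way to run the source-table check suggested in the answer above, as an added example that is not part of the original thread: a KQL query that lines up daily failed sign-ins in SigninLogs against the FailedLogOn rows written to BehaviorAnalytics, so the day the two diverge is visible. The 90-day window and the output column names are assumptions; it also assumes SigninLogs, as the source feeding these rows, is connected to the same workspace.

```kusto
// Added example (not from the thread): find the day UEBA stopped writing
// FailedLogOn rows while the sign-in source table kept receiving failures.
let lookback = 90d;  // assumed window; widen it to cover the date the gap began
let source =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"   // ResultType "0" is a successful sign-in
    | summarize SourceFailedSignins = count() by Day = bin(TimeGenerated, 1d);
let ueba =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where ActivityType == "FailedLogOn"
    | summarize UebaFailedLogOn = count() by Day = bin(TimeGenerated, 1d);
source
| join kind=fullouter ueba on Day
| extend Day = coalesce(Day, Day1)   // Day1 is the right-hand side's key column
| project Day,
          SourceFailedSignins = coalesce(SourceFailedSignins, 0),
          UebaFailedLogOn = coalesce(UebaFailedLogOn, 0)
| extend Status = case(
    SourceFailedSignins > 0 and UebaFailedLogOn == 0, "source has failures, UEBA wrote none",
    SourceFailedSignins == 0 and UebaFailedLogOn > 0, "UEBA rows without source failures",
    "both present")
| order by Day asc
```

Days missing from the result had no failed sign-ins in either table. If SourceFailedSignins itself drops to zero at the same point, the problem is upstream of UEBA, in the log connector rather than in the UEBA settings.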