DmitriyKolesnikov-3855 asked AndrewBlumhardt-1137 answered

BehaviorAnalytics stopped collecting FailedLogon events

Hi there.

Since April 2022 we have been experiencing a situation where a query to the BehaviorAnalytics table doesn't return any records with the ActivityType containing 'FailedLogOn'. There are also no such records if you select the records without any filters.

I checked all connected logs and everything looks enabled.

Could you please guide me on how to fix this?

microsoft-sentinel azure-ad-sign-in-logs

DmitriyKolesnikov-3855 answered

It seems the issue is caused by the issue with the Azure Premium P1/P2 license. Recently we updated the licenses for all in the company and some of those licenses don't work properly with Sentinel.


AndrewBlumhardt-1137 answered

I would start by checking the source tables for activity. Make sure your AAD Audit and Signin Logs are flowing. Maybe reset the UEBA settings. It may need reauthorization.

https://docs.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
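
The source-table check suggested in the answer above, written out as a KQL query. This is an added example, not part of the original post. It assumes the standard Sentinel tables `SigninLogs`, `AuditLogs` and `BehaviorAnalytics`, and the start date is an assumed value chosen to bracket the April 2022 change described in the question.

```kusto
// Added example, not from the thread.
// Assumption: start one month before the gap reported in the question.
let startTime = datetime(2022-03-01);
union
    (
        SigninLogs
        | where TimeGenerated >= startTime
        | where ResultType != "0"          // "0" is success; anything else is a failed sign-in
        | project TimeGenerated, Source = "SigninFailed"
    ),
    (
        AuditLogs
        | where TimeGenerated >= startTime
        | project TimeGenerated, Source = "Audit"
    ),
    (
        BehaviorAnalytics
        | where TimeGenerated >= startTime
        | project TimeGenerated,
                  Source = iff(ActivityType == "FailedLogOn", "UebaFailedLogOn", "UebaOther")
    )
| summarize
    SigninFailed    = countif(Source == "SigninFailed"),
    AuditEvents     = countif(Source == "Audit"),
    UebaFailedLogOn = countif(Source == "UebaFailedLogOn"),
    UebaOther       = countif(Source == "UebaOther")
    by Day = bin(TimeGenerated, 1d)
// Flag days where the source has failed sign-ins but UEBA produced no FailedLogOn rows.
| extend MissingInUeba = SigninFailed > 0 and UebaFailedLogOn == 0
| order by Day asc
```

Days where `SigninFailed` is non-zero and `MissingInUeba` is true mean the sign-in data is still flowing and the gap is on the UEBA side; days where `SigninFailed` is also zero point to the sign-in log connector instead.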
