
Excessive number of failed connections from yields no Entities #11625

Open
fleckster44 opened this issue Jan 3, 2025 · 3 comments

Comments

@fleckster44

This alert kicked off, but we see no entities. Some hunting to try to narrow it down yielded no results either.

@v-visodadasi
Contributor

Hi @fleckster44, thanks for flagging this issue. We will investigate it and get back to you with some updates. Thanks!

@v-visodadasi
Contributor

Hi @fleckster44 ,

Could you please provide more information or context regarding the alert? Any additional details would help us investigate the issue further.

@fleckster44
Author

These alerts are from a Fortinet firewall with excessive failures. It turns out it was a Windows 11 24H2 update printing issue where, when users print, a broadcast is fired out, causing these failures.

The way I found the actual entities was with the following KQL, since the Sentinel alert didn't have an entity for whatever reason:

```kusto
// Hunt over the ASIM NetworkSession normalized view for sources with an
// excessive number of failed sessions, bucketed into 5-minute windows.
let threshold = 1000; // Adjusted threshold value based on observed counts
_Im_NetworkSession
| where EventResult == 'Failure'        // failed/denied sessions only
| where isnotempty(SrcIpAddr)           // the source IP is the entity the alert was missing
| where TimeGenerated > ago(10h)        // Limit data to the last 10 hours
| summarize Count = count(),
    DvcHostnames = make_list(DvcHostname),            // reporting device(s), e.g. the firewall
    DstHostnames = make_list(DstHostname),
    EventOriginalResultDetails = make_list(EventOriginalResultDetails), // vendor-specific deny reason
    Process = make_list(Process),
    InitiatingProcessFolderPath = make_list(InitiatingProcessFolderPath),
    EventProduct = make_list(EventProduct),
    Dst = make_list(Dst)
    // Note: User, Process and InitiatingProcessFolderPath are not part of the ASIM
    // NetworkSession schema; they must be present in the parser in use or the query
    // will fail. make_set() instead of make_list() would deduplicate the lists.
    by SrcIpAddr, TimeBucket = bin(TimeGenerated, 5m), User
| where Count > threshold
| project TimeBucket, SrcIpAddr, Count, threshold, User, DvcHostnames, DstHostnames, EventOriginalResultDetails, Process, InitiatingProcessFolderPath, EventProduct, Dst // Project the necessary columns
| order by Count desc // Sort by Count from highest to lowest
| take 10 // Limit results to the top 10
```

Happy to report that the registry edit for the printdefault fixed the broadcast and stopped these excessive failures in Sentinel:

https://answers.microsoft.com/en-us/windows/forum/all/dashostexe-is-causing-udp-broadcast-flood-on-22222/9f235e88-8719-4c3f-ad76-f13498b4c057
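The aggregation behind the hunt above, as an added example that is not part of the issue or of the Azure-Sentinel repository: the same per-source, 5-minute-bucket failure count reimplemented in Python over constructed ASIM-style NetworkSession records, so the bucketing and threshold logic can be run offline. Field names follow the ASIM NetworkSession schema (SrcIpAddr, DstIpAddr, DstPortNumber, EventResult, TimeGenerated); every IP address, port and count in the sample data is invented, and the DistinctDst/Pattern columns are an addition that the page's query does not have.

```python
# Added example (not from the issue or the Azure-Sentinel repository): the
# aggregation behind the KQL hunt, reimplemented over constructed ASIM-style
# NetworkSession records. All IPs, ports and counts below are made up.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BIN_SECONDS = 300  # equivalent of bin(TimeGenerated, 5m)


def make_records():
    """Constructed sample data with three failure patterns (all values invented)."""
    base = datetime(2025, 1, 3, 9, 0, tzinfo=timezone.utc)
    records = []

    def add(ts, src, dst, port, result):
        records.append({"TimeGenerated": ts, "SrcIpAddr": src, "DstIpAddr": dst,
                        "DstPortNumber": port, "EventResult": result})

    # 10.10.1.25: a UDP broadcast flood, 1200 denied packets to one broadcast
    # address inside a single 5-minute window (the pattern described in the issue)
    for i in range(1200):
        add(base + timedelta(milliseconds=100 * i), "10.10.1.25", "10.10.1.255", 22222, "Failure")
    # 10.10.2.40: 600 failures in each of two adjacent windows; 1200 in total but
    # never more than 1000 in any one bucket, so a per-bucket threshold skips it
    for offset in (0, BIN_SECONDS):
        for i in range(600):
            add(base + timedelta(seconds=offset, milliseconds=100 * i),
                "10.10.2.40", "10.10.5.5", 445, "Failure")
    # 10.10.3.7: 1050 failures spread over 1050 distinct hosts, a sweep rather than a flood
    for i in range(1050):
        add(base + timedelta(minutes=10, milliseconds=100 * i),
            "10.10.3.7", f"10.20.{i // 250}.{i % 250 + 1}", 445, "Failure")
    # background: successful sessions that must not be counted
    for i in range(2000):
        add(base + timedelta(milliseconds=50 * i), "10.10.4.1", "10.10.5.5", 443, "Success")
    return records


def time_bucket(ts):
    """Floor a timestamp to the start of its 5-minute window, like KQL bin()."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % BIN_SECONDS, tz=timezone.utc)


def excessive_failures(records, threshold=1000, top=10):
    """Rows per (SrcIpAddr, TimeBucket) whose failure count exceeds threshold,
    ordered by Count descending. DistinctDst is added so a flood to one
    address can be told apart from a sweep across many."""
    groups = defaultdict(lambda: {"Count": 0, "Dst": set()})
    for r in records:
        # same filters as the KQL: failures only, and a source IP must be present
        if r["EventResult"] != "Failure" or not r.get("SrcIpAddr"):
            continue
        g = groups[(r["SrcIpAddr"], time_bucket(r["TimeGenerated"]))]
        g["Count"] += 1
        g["Dst"].add(f'{r["DstIpAddr"]}:{r["DstPortNumber"]}')
    rows = [
        {"SrcIpAddr": src, "TimeBucket": tb, "Count": g["Count"],
         "DistinctDst": len(g["Dst"]),
         "Pattern": "flood to one destination" if len(g["Dst"]) == 1
                    else "sweep across destinations"}
        for (src, tb), g in groups.items() if g["Count"] > threshold
    ]
    rows.sort(key=lambda row: row["Count"], reverse=True)
    return rows[:top]


if __name__ == "__main__":
    for row in excessive_failures(make_records()):
        print(row["TimeBucket"].isoformat(), row["SrcIpAddr"], row["Count"],
              row["DistinctDst"], row["Pattern"])
```

With the default threshold of 1000 the broadcast flood and the sweep are reported and the split-across-buckets source is not; lowering the threshold to 500 surfaces it as two rows, one per window. The SrcIpAddr in each row is the entity the alert in the issue was missing, which is what makes a hunt like this usable for pivoting when the analytic rule produces none.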
