Excessive number of failed connections from yields no Entities

[fleckster44]

This alert kicked off but we see no entities. Some hunting yielded no results either to try to narrow it down.

[v-visodadasi]

Hi @fleckster44 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-visodadasi]

Hi @fleckster44 ,

Could you please provide more information or context regarding the alert? Any additional details would help us investigate the issue further

[fleckster44]

These alerts are from a Fortinet firewall with excessive failures. Turns out it was a windows 11 update 24H2 printing issue where when they print a broadcast was fired out causing these failures.

The way I found the actual entities was with the following KQL since the sentinel alert didnt have an entity for whatever reason:

let threshold = 1000; // Adjusted threshold value based on observed counts
_Im_NetworkSession
| where EventResult == 'Failure'
| where isnotempty(SrcIpAddr)
| where TimeGenerated > ago(10h) // Limit data to the last 10 hours
| summarize Count = count(),
DvcHostnames = make_list(DvcHostname),
DstHostnames = make_list(DstHostname),
EventOriginalResultDetails = make_list(EventOriginalResultDetails),
Process = make_list(Process),
InitiatingProcessFolderPath = make_list(InitiatingProcessFolderPath),
EventProduct = make_list(EventProduct),
Dst = make_list(Dst)
by SrcIpAddr, TimeBucket = bin(TimeGenerated, 5m), User
| where Count > threshold
| project TimeBucket, SrcIpAddr, Count, threshold, User, DvcHostnames, DstHostnames, EventOriginalResultDetails, Process, InitiatingProcessFolderPath, EventProduct, Dst // Project the necessary columns
| order by Count desc // Sort by Count from highest to lowest
| take 10 // Limit results to the top 10

Happy to report the registry edit for the printdefault fixed the broadcast and stopped these excessive failures with Sentinel:

https://answers.microsoft.com/en-us/windows/forum/all/dashostexe-is-causing-udp-broadcast-flood-on-22222/9f235e88-8719-4c3f-ad76-f13498b4c057

[v-sudkharat]

Hi @fleckster44, Sorry for the delayed response.

We have reviewed the existing rule, which points to this path: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/Analytic%20Rules/ExcessiveHTTPFailuresFromSource.yaml

We attempted to replicate the same in our environment for Entities using our data. Based on the data availability in our workspace, we modified the threshold value to get the SrcIpAddr. As a result, we were able to see the entities reflected in the incidents.
Below is a screenshot of an incident with entities:

However, if we keep the default threshold value (threshold = 5000), the query will check the condition | where Count > threshold, and since it doesn’t meet the threshold, the SrcIpAddr won’t be projected.
Below is a screenshot of an incident with no entities:

To check if the SrcIpAddr is not null in your case, you can run the following query in your workspace:

  let threshold = 5000;
  _Im_NetworkSession(eventresult='Failure')
  | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)
  | where Count > threshold
  | extend timestamp = TimeGenerated, threshold
  | project SrcIpAddr

You can adjust the threshold value accordingly. Once you see results for SrcIpAddr, apply the same threshold value in your analytic rule.

I hope this helps resolve your issue.

Thanks!