a signal is created and displayed with suspect & host (Suspicious Remote Desktop Network Activity) or just a suspect (Detect Outlook exe writing a zip file). But when we then click on the Workbook in the signals/pending review screen & execute the workbook the query returns no data around 50% of the time.
This happens for different data streams (e.g. firewall, sysmon-process). The retention time is set to 90 days, and the signals we tested are in a timeframe of 01.07.2021 to today. There is more than enough storage left on disk. When we search the relevant stream in the timeframe in which a signal was created, data is returned. If, however, we then filter the data matching the query that initially created the signal, we again don’t get anything returned.
What could cause this?