Forum Discussion
On Premise Event timing
I am testing the on-premise detection by forcing a cleared event log detection. Is there anything I can do to increase speed of detection for on-premise systems?
Event Log Clearing Test:
Created an event on 01/28 at 11:00 P.M. EST
Detect event in Sentinel on 01/29 at 6:29 A.M EST
2 Replies
Robert_MCSE Yes... PRAY!! It takes 1-4 hours to get logs into Sentinel
1) What method are you using to get the clear log even into Sentinel? (i.e. Syslog, Event logs, etc)
2) What time was the event written to the log?
3) If the alert was raised by a scheduled Analytic rule, what is the rule frequency (AKA Run query every)
