On Premise Event timing


I am testing the on-premise detection by forcing a cleared event log detection. Is there anything I can do to increase speed of detection for on-premise systems?

 

Event Log Clearing Test:

Created an event on 01/28 at 11:00 P.M. EST

Detected event in Sentinel on 01/29 at 6:29 A.M. EST

2 Replies

@Robert_MCSE 

1) What method are you using to get the clear log event into Sentinel? (i.e. Syslog, Event logs, etc.)

2) What time was the event written to the log? 

3) If the alert was raised by a scheduled Analytic rule, what is the rule frequency (AKA Run query every)
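To answer the three questions above with data rather than guesswork, the query below splits the observed delay into its two parts: how long the event took to reach the workspace (connector/agent latency) versus how long it waited for the scheduled rule to run. This is an added example and not part of the original thread; it assumes the cleared-log events arrive through the Windows Security Events connector into the `SecurityEvent` table, that the test cleared the Security log (Event ID 1102, "The audit log was cleared"; a cleared System log is Event ID 104 and lands in the `Event` table instead), and that a 7-day window is enough to cover the test run.

```kql
// Added example, not from the original post. Assumes Security Events connector -> SecurityEvent.
// TimeGenerated  = timestamp the host wrote the event (question 2 above)
// TimeCollected  = when the agent picked it up from the host
// ingestion_time() = when the record became queryable in the workspace
SecurityEvent
| where TimeGenerated > ago(7d)          // assumption: test window
| where EventID == 1102                  // Security log cleared
| extend IngestedAt = ingestion_time()
| extend AgentLag  = TimeCollected - TimeGenerated   // host -> agent
| extend IngestLag = IngestedAt - TimeCollected      // agent -> workspace
| extend TotalLag  = IngestedAt - TimeGenerated      // host -> queryable
| project TimeGenerated, TimeCollected, IngestedAt, AgentLag, IngestLag, TotalLag, Computer, Account
| order by TimeGenerated desc
```

Read the result against the rule settings: the worst case from write to alert is roughly `TotalLag` plus the rule's "Run query every" interval, and the rule's lookback ("Lookup data from the last") must be at least as long as that interval or events that arrive late will never be evaluated. A large `AgentLag` or `IngestLag` points at the agent/connector path; a small `TotalLag` with a multi-hour alert delay points at the rule schedule (the shortest interval a scheduled rule allows is 5 minutes).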

@Robert_MCSE Yes... PRAY!! It takes 1-4 hours to get logs into Sentinel.