Realtime alerting possible?


Hello,

I was wondering if real-time alerting is possible; a 1-2 minute delay is OK.

Setup:

A Windows server with the client installed, connected to Azure Sentinel.

Case:

When someone tries to log in with an admin account and it fails, I would like to receive an e-mail.

I already know how this would be done, but I'm struggling to send the real-time alert (the mail).

Can it be done?
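As an added example (not part of the original question or reply), here is the kind of Sentinel scheduled-rule query that matches the case described: failed Windows logons (event 4625) against privileged accounts, evaluated on the rule's 5-minute schedule. It assumes the Security Events connector populating the `SecurityEvent` table; the account-naming pattern, the `privileged_accounts` list and the threshold are assumptions to adapt to your environment.

```kql
// Added example, not from the thread. Intended as the query of a Sentinel
// scheduled analytics rule set to "run every 5 minutes, look back 5 minutes",
// which is the 5-minute worst case discussed in the reply.
let lookback = 5m;
// Assumption: explicit list of privileged account names; extend as needed.
let privileged_accounts = dynamic(["Administrator"]);
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                                  // "An account failed to log on"
| where TargetUserName in~ (privileged_accounts)
    or TargetUserName endswith "-admin"                  // assumption: admin naming convention
| extend FailureReason = case(
    tolower(SubStatus) == "0xc000006a", "Bad password",
    tolower(SubStatus) == "0xc0000064", "Account does not exist",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    "Other")
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(IpAddress),
            Reasons   = make_set(FailureReason)
    by Computer, TargetUserName, TargetDomainName
| where Attempts >= 1                                    // assumption: alert on a single failure
// Map to entities so a playbook (e.g. the e-mail step) can use them.
| extend AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
```

Attaching a playbook to the rule is what sends the e-mail; the query only decides when an incident is raised, and the 5-minute schedule bounds how stale that decision can be.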

1 Reply

@FeintBE 

There are possible workarounds, such as using a Logic App with a "recurrence" trigger of 1 second or more (which will have a $ cost!!!). To be clear, I'm NOT suggesting this is a good idea. See the screenshot at the end.

However, unless you are sat at the console/email client 24x7, there will be a human delay in the process anyway.

I assume that when you get the email you will perform a task; if you add that task to the Playbook, you can decrease the overall timeline to resolve the issue.

My simplified scenario:

Logon occurs at 9:00; data is sent, indexed and seen by Sentinel at 9:02 (with Livestream, as per your other thread, you'd see these faster than an email). The alert fires within 5 mins (worst case), but this notifies you AND resolves the issue (if you can automate the response via a playbook).

Compared to your scenario:

Logon occurs at 9:00; data is sent, indexed and seen by Sentinel at 9:02. A near real-time alert is generated, then you wait (unspecified time for the email to be sent) + (time to see the email) + (thinking time) + (time to take a manual action) + (any time you need to get a process approved) + (time for the process to execute).

The above is not fully formed, but I've discussed this in the past. In the cases we looked at, the scenario I suggested alleviated any 5 min delay and provided a more consistent approach.

[Screenshot (Annotation 2020-02-26 100220.jpg): Logic App "recurrence" trigger of 1 sec (or value you prefer)]