Sentinel - Detection (Analytical Rule) problem because of log ingestion delay


Hi,

 

I am facing a problem with a Sentinel analytical rule, as it fails to detect certain events because of the delay in log ingestion time and a conflict with my scheduling frequency.

 

Below are the conditions of my analytical rule, to explain my problem statement.

 

//Delay on log ingestion from Office365 to sentinel

Minimum: 10 mins

Max: 30 mins

 

//Query-Office365Activity

let timeframe = 5m;
OfficeActivity
| where TimeGenerated >= ago(timeframe)
| where Operation =~ "Set-AdminAuditLogConfig"

 

//Query Scheduling in Analytical rule

[Screenshot: query scheduling settings of the analytical rule]

 

Our objective is to identify high severity incidents within 5 mins of the log ingestion time on Sentinel. I am unable to use the ingestion_time() property in my query (as it returns the default timeframe of 24 hours).

Can you suggest a solution or workaround to solve this issue? We have 50+ use cases with the same problem.

 

PS: To overcome this I have increased the "Lookup data from" time, but in that case I receive duplicate alerts.

 

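The following is an added example for the problem described above; it is not code from the original post or from Microsoft, and it assumes the rule is set to run every 5 minutes with "Lookup data from the last" set to at least 45 minutes. The idea is to separate the two time windows the post conflates: a wide window on TimeGenerated (so late-arriving Office 365 records are still in scope) and a narrow window on ingestion_time() (so each record is seen by exactly one run, which removes the duplicate alerts a wider lookback alone produces). The column list and the 10-minute safety margin are assumptions.

```kql
// Added example, not from the original post. Detect Set-AdminAuditLogConfig
// shortly after ingestion while tolerating a 10-30 minute Office 365 delay.
// Assumed rule settings: "Run query every" = 5 minutes,
// "Lookup data from the last" >= 45 minutes (must cover the lookback below).
let rule_frequency = 5m;        // must match the rule's "Run query every" value
let max_ingestion_delay = 30m;  // worst case observed in the post
let safety_margin = 10m;        // assumption: headroom for scheduling jitter
let lookback = rule_frequency + max_ingestion_delay + safety_margin;  // 45m
OfficeActivity
// Wide window on event time. The rule's "Lookup data from the last" setting
// bounds TimeGenerated, not arrival time, so it must be at least this wide
// or records that arrive 30 minutes late never enter the query at all.
| where TimeGenerated >= ago(lookback)
// Narrow window on arrival time: only records that landed since the last run.
// A record has a single ingestion_time(), so it falls into exactly one
// 5-minute run; this is what prevents the duplicates a wide lookback causes.
| where ingestion_time() >= ago(rule_frequency)
| where Operation =~ "Set-AdminAuditLogConfig"
// Surface how late each record was, which is useful when tuning the lookback.
| extend IngestionTime = ingestion_time(),
         IngestionDelay = ingestion_time() - TimeGenerated
| project TimeGenerated, IngestionTime, IngestionDelay, UserId, ClientIP,
          OfficeWorkload, Operation, ResultStatus, Parameters
```

Two caveats. First, the ingestion_time() filter only works when the lookback is genuinely wider than the worst-case delay; if Office 365 ever lags beyond 40 minutes, the record is dropped by the TimeGenerated clause and the alert is lost, so the observed delay is worth monitoring (the IngestionDelay column above is one way to do that). Second, scheduled runs are not perfectly periodic, so a few seconds of jitter at the boundary of ago(rule_frequency) can in principle cause a record to be seen twice or not at all; if that matters for a use case, the usual trade-off is a slightly larger window here combined with Sentinel's alert grouping or suppression settings to absorb the rare duplicate.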