I am facing problem with sentinel analytical rule, as it failed to detect certain events because of delay in log ingestion time and conflict with my scheduling frequency.
below conditions of my analytical rule to explain my problem statement.
//Delay on log ingestion from Office365 to sentinel
Max: 30 mins
let timeframe = 5m; OfficeActivity | where TimeGenerated >= ago(timeframe) | where Operation =~ "Set-AdminAuditLogConfig"
//Query Scheduling in Analytical rule
Our objective is to identify high severity incidents within 5mins from the log ingestion time on sentinel, I am unable to use ingestion_time() Property in my query (as it returns default timeframe 24 hours)
Can you suggest me solution or workaround to solve this issue? as we have more than 50+ use cases having the similar problem.
PS: To overcome this i have increased the Lookup data from time, in that case i receive duplicate alerts