Sentinel Incident delay


tldr: Brute force incidents are taking upwards of 24 hours to reflect in Sentinel. How can I find what is causing the delay?

I have been working on ways to generate incidents in Sentinel so that I can test Playbooks. As a result of this, I have noticed that some alerts can take upwards of a day to become an incident and I am trying to understand why.

I am using Azure Security Center standard with auto provisioning and can confirm, when looking at the VM extensions, that the agent is installed. But when I try to find the machines, I can't seem to find them in any tables in my workspace.

I went into the config for the agent on my Linux box and found a setting that I think may be the problem:

[Screenshot of the agent configuration setting: ReccoB_0-1597372037584.png]

When I change the number from 24h to 300, the number changes back. I have tested brute forcing a Windows box (RDP) and Linux (SSH).

How can I troubleshoot this?

0 Replies
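One way to narrow down where the delay sits, as an added example that is not part of the original post: three Log Analytics (KQL) queries that split the path into agent reporting (Heartbeat), raw event ingestion lag (SecurityEvent / Syslog), and alert-to-incident timing (SecurityAlert / SecurityIncident). The `has "brute force"` filter and the 7-day windows are assumptions; adjust them to the alert names and time range in your workspace.

```kql
// 1. Are the onboarded VMs actually reporting to this workspace?
//    An installed extension with no recent Heartbeat means no data is arriving.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated), Beats = count() by Computer, OSType, Category
| extend MinutesSinceLast = datetime_diff('minute', now(), LastHeartbeat)
| order by MinutesSinceLast desc

// 2. Ingestion lag of the raw failed-logon events behind the brute-force alerts.
//    ingestion_time() is when Log Analytics received the record; TimeGenerated is
//    the event's own timestamp. A large gap here points at the agent or pipeline,
//    not at Sentinel's analytics or incident creation.
union
    (SecurityEvent
     | where EventID == 4625
     | extend Source = "RDP failed logon"),
    (Syslog
     | where ProcessName == "sshd" and SyslogMessage has "Failed password"
     | extend Source = "SSH failed logon")
| where TimeGenerated > ago(7d)
| extend IngestLagMin = datetime_diff('minute', ingestion_time(), TimeGenerated)
| summarize Events = count(),
            P50LagMin = percentile(IngestLagMin, 50),
            MaxLagMin = max(IngestLagMin)
    by Computer, Source
| order by MaxLagMin desc

// 3. Split the remaining delay: end of the attack window -> alert written ->
//    incident created. Whichever hop carries the hours is the one to chase.
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "brute force"          // assumption: matches the ASC RDP/SSH alert names
| extend AlertId = tostring(SystemAlertId)
| join kind=leftouter (
    SecurityIncident
    | where TimeGenerated > ago(7d)
    | mv-expand AlertId = AlertIds to typeof(string)
    | summarize IncidentCreated = min(CreatedTime) by AlertId, IncidentNumber
  ) on AlertId
| extend AttackEndToAlertMin   = datetime_diff('minute', TimeGenerated, EndTime),
         AlertToIncidentMin    = datetime_diff('minute', IncidentCreated, TimeGenerated)
| project TimeGenerated, AlertName, CompromisedEntity, ProductName,
          StartTime, EndTime, ProcessingEndTime,
          AttackEndToAlertMin, IncidentNumber, IncidentCreated, AlertToIncidentMin
| order by TimeGenerated desc
```

Run each block separately in the workspace's Logs blade; an empty result from the first block for a VM that shows the extension installed is itself the finding.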