tl;dr: Brute force incidents are taking upwards of 24 hours to reflect in Sentinel. How can I find what is causing the delay?
I have been working on ways to generate incidents in Sentinel so that I can test Playbooks. As a result of this, I have noticed that some alerts can take upwards of a day to become an incident and I am trying to understand why.
I am using Azure Security Center Standard with auto-provisioning and can confirm, when looking at the VM extensions, that the agent is installed. But when I try to find the machines, I can't seem to find them in any tables in my workspace.
I went into the config for the agent on my Linux box and found a setting that I think may be the problem:
When I change the number from 24h to 300, the number changes back. I have tested brute forcing a Windows box (RDP) and Linux (SSH).
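One way to narrow down where the delay sits is to measure it at each stage in the workspace itself. The KQL below is an added example, not part of the original post: it first checks whether the agents are reporting at all via the `Heartbeat` table, then compares the event timestamp (`TimeGenerated`) against the time the record actually landed in Log Analytics (`ingestion_time()`) for the Windows logon-failure events (`SecurityEvent`, EventID 4625) and the Linux SSH failures (`Syslog`). The computer name `vm-bruteforce-test` is a placeholder for your own host; both table names and the `ingestion_time()` function are standard in Log Analytics.

```kql
// 1. Are the machines reporting at all? If a VM is missing here, the
//    agent is not sending data, regardless of what the extension blade says.
Heartbeat
| where TimeGenerated > ago(1d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| order by LastHeartbeat desc

// 2. Ingestion latency for Windows failed logons (RDP brute force).
//    A large gap between TimeGenerated and ingestion_time() means the delay
//    is between the host and the workspace, not in Sentinel's analytics rules.
SecurityEvent
| where TimeGenerated > ago(2d)
| where EventID == 4625
| where Computer startswith "vm-bruteforce-test"   // placeholder hostname
| extend IngestionDelayMin = datetime_diff("minute", ingestion_time(), TimeGenerated)
| summarize Events = count(),
            AvgDelayMin = avg(IngestionDelayMin),
            MaxDelayMin = max(IngestionDelayMin) by Computer, bin(TimeGenerated, 1h)
| order by TimeGenerated desc

// 3. Same check for Linux SSH failures arriving via Syslog.
Syslog
| where TimeGenerated > ago(2d)
| where Facility == "auth" or Facility == "authpriv"
| where SyslogMessage has "Failed password"
| extend IngestionDelayMin = datetime_diff("minute", ingestion_time(), TimeGenerated)
| summarize Events = count(),
            AvgDelayMin = avg(IngestionDelayMin),
            MaxDelayMin = max(IngestionDelayMin) by Computer, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
```

If the heartbeats are missing, the problem is upstream of the workspace (agent connectivity or workspace assignment); if events arrive with little ingestion delay but the incident still appears a day later, the delay is on the analytics-rule side (its query period and frequency), and the rule configuration is the place to look next.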