Delay in Azure Sentinel scheduled alerts


Hi Community,
Sometimes there is a long delay in receiving the alerts from the scheduled rules for Kaspersky. The query runs every 5 minutes and looks up the data of the last 5 minutes, while the log is ingested into Azure Sentinel after 7 minutes. The rule is not missing the event, but the alert triggering is delayed. A picture of the last 7 days' alerts about Kaspersky virus detection is attached.

[attached image: zubairrahimsoc_0-1627661343944.png, last 7 days of Kaspersky virus-detection alerts]

2 Replies
Did you try implementing the following to test?

Handling ingestion delay in Azure Sentinel scheduled alert rules: https://cda.ms/2h2
Yes, I already implemented the test, and the rule is not missing the event, but there is a delay in triggering the alert. As you can see in the above table, the log was ingested into Azure Sentinel at 11:16 PM and the alert triggered at 12:23 AM, after 73 minutes. But as I said, the query runs every 5 minutes and looks up the data of the last 5 minutes.
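The mechanism behind both the original question (a rule that runs every 5 minutes with a 5-minute lookback against logs that arrive about 7 minutes late) and the linked guidance on handling ingestion delay is easier to reason about with a small simulation. The following is an added example, written by the editor and not code from the thread or from Microsoft: it models a scheduled rule as a query executed at each tick that can only see rows whose ingestion time is not in the future, and compares a rule that filters on TimeGenerated alone with the delay-aware pattern (widen the TimeGenerated window by the expected ingestion delay, and select on ingestion_time() over the last lookback so each row is matched by exactly one run). The sample rows, the 7-minute and 9-minute delays, and the `Event`/`simulate` helpers are constructed for illustration; the KQL `ingestion_time()` function is real, but the rule logic here is a Python model of it, not Sentinel's engine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One log row as Sentinel sees it: the source timestamp (TimeGenerated)
    and the moment it became queryable in the workspace (ingestion_time())."""
    id: str
    time_generated: datetime
    ingestion_time: datetime


def naive_rule(events, run_time, lookback, delay):
    """Rule that filters on TimeGenerated only. `delay` is unused here; it is
    accepted so both rules share one call shape. A query executed at run_time
    can only see rows that were already ingested by then."""
    return [e for e in events
            if e.ingestion_time <= run_time
            and run_time - lookback < e.time_generated <= run_time]


def delay_aware_rule(events, run_time, lookback, delay):
    """Delay-aware pattern: widen the TimeGenerated window by the expected
    ingestion delay, then keep only rows whose ingestion_time falls in the
    last `lookback`, so each row is picked up by exactly one scheduled run."""
    return [e for e in events
            if e.ingestion_time <= run_time
            and run_time - (lookback + delay) < e.time_generated <= run_time
            and run_time - lookback < e.ingestion_time <= run_time]


def simulate(rule, events, first_run, last_run, frequency, lookback, delay):
    """Evaluate `rule` on every schedule tick; return {event id: [run times that fired]}."""
    fired = {e.id: [] for e in events}
    run = first_run
    while run <= last_run:
        for e in rule(events, run, lookback, delay):
            fired[e.id].append(run)
        run += frequency
    return fired


def summarize(fired, events):
    """Per event: ("missed", None), or (number of runs that fired,
    minutes between ingestion and the first alert)."""
    by_id = {e.id: e for e in events}
    out = {}
    for eid, runs in fired.items():
        if not runs:
            out[eid] = ("missed", None)
        else:
            lag = (runs[0] - by_id[eid].ingestion_time).total_seconds() / 60
            out[eid] = (len(runs), lag)
    return out


def observed_max_delay_minutes(events):
    """What a `summarize max(ingestion_time() - TimeGenerated)` query would report;
    this is the value the rule's delay allowance should be based on."""
    return max(e.ingestion_time - e.time_generated for e in events).total_seconds() / 60


T0 = datetime(2021, 7, 30, 23, 0)
MIN = lambda n: timedelta(minutes=n)

# Constructed sample rows (hypothetical, not real Kaspersky telemetry).
EVENTS = [
    Event("fast",  T0 + MIN(1),  T0 + MIN(1)),    # ingested immediately
    Event("late7", T0 + MIN(1),  T0 + MIN(8)),    # the 7-minute delay from the post
    Event("late9", T0 + MIN(12), T0 + MIN(21)),   # worse than the delay the rule allows for
]
FREQUENCY, LOOKBACK = MIN(5), MIN(5)


def run_comparison(delay_minutes=7):
    """Run both rules over one hour of 5-minute ticks with the given delay allowance."""
    args = (EVENTS, T0, T0 + MIN(60), FREQUENCY, LOOKBACK, MIN(delay_minutes))
    naive = summarize(simulate(naive_rule, *args), EVENTS)
    aware = summarize(simulate(delay_aware_rule, *args), EVENTS)
    return naive, aware


if __name__ == "__main__":
    naive, aware = run_comparison()
    print("TimeGenerated-only rule:", naive)
    print("delay-aware rule (7 min):", aware)
    print("max observed ingestion delay (min):", observed_max_delay_minutes(EVENTS))
    print("delay-aware rule (9 min):", run_comparison(delay_minutes=9)[1])
```

With the constructed rows, the TimeGenerated-only rule catches the promptly ingested row once and never sees either delayed row, because by the time each delayed row is queryable its TimeGenerated has already left the 5-minute window. The delay-aware rule catches the 7-minute-late row exactly once, at the first run after ingestion, but still misses the 9-minute-late row: the widened window only covers the delay you configure. The practical check before tuning a rule is therefore to measure the real distribution of `ingestion_time() - TimeGenerated` for the table (the `observed_max_delay_minutes` helper models that query) and set the allowance from it, accepting that alert latency grows by roughly the allowance you add.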