Jan 29 2020 05:58 PM
I am testing the on-premises detection by forcing a cleared event log detection. Is there anything I can do to increase the speed of detection for on-premises systems?
Event Log Clearing Test:
Created an event on 01/28 at 11:00 P.M. EST
Detected event in Sentinel on 01/29 at 6:29 A.M. EST
Jan 30 2020 03:48 AM
1) What method are you using to get the cleared-log event into Sentinel? (i.e., Syslog, event logs, etc.)
2) What time was the event written to the log?
3) If the alert was raised by a scheduled Analytic rule, what is the rule frequency (AKA "Run query every")?
Feb 03 2020 12:52 PM
@Robert_MCSE Yes... PRAY!! It takes 1-4 hours to get logs into Sentinel
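The questions above about when the event was written versus when the rule saw it come down to measuring ingestion lag. The following KQL query is an added example, not posted by anyone in this thread; it assumes the Windows events arrive in the SecurityEvent table (Security Events connector) and uses the Windows audit-log-cleared event ID 1102, so adjust the table if logs come in via Syslog or another connector.

```kql
// Added example: split "time event was written" from "time Sentinel received it"
// for cleared-Security-log events, so the 7.5 h gap in the test above can be
// attributed to agent/ingestion delay versus analytic-rule scheduling.
// Assumption: SecurityEvent table (Security Events connector); EventID 1102 =
// "The audit log was cleared".
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 1102
// ingestion_time() is when the row landed in the workspace;
// TimeGenerated is the timestamp the Windows host wrote to the log.
| extend IngestedAt = ingestion_time()
| extend IngestionLagMin = datetime_diff('minute', IngestedAt, TimeGenerated)
| summarize
    Events      = count(),
    MaxLagMin   = max(IngestionLagMin),
    P95LagMin   = percentile(IngestionLagMin, 95),
    LastCleared = max(TimeGenerated)
  by Computer
| order by MaxLagMin desc
// Tuning note: a scheduled rule with "Run query every" = 5 min only helps if its
// lookback window is at least as long as MaxLagMin; otherwise late-arriving
// events fall outside the window the rule queries and are never alerted on.
```

Run it in the Sentinel Logs blade; a MaxLagMin in the hours range means the delay is upstream of the analytic rule (agent forwarding or ingestion), while a small lag with a slow alert points at the rule frequency or lookback instead.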