Securitycenter long delays for incidents to show up

Copper Contributor

good day,

 

getting started using M365 Defender and Sentinel I noticed that some incidents/alerts seem to take ages to appear in the Securitycenter Portal and then some to show up in Sentinel. although there's no SLA  I found statistics claiming 95% of events would pop up within 10' or so. my experience here is a rather different one and I wonder why.

 

Yesterday I just watched the most curious iteration happening:

 

- MDE on a MAC reported successful remediation of a ransomware on unpacking a ZIP file 3 months ago. incident was closed as confirmed activity (colleague was doing blue team training).

- today at 2pm and months later MDE suddenly kicks into gear and reports removal of the same malware again. interpretation of info presented in Securitycenter: while above remediation tackled the unpacked contents it left the ZIP which popped up in a regular filesystem scan yesterday.

- not wanting to miss alerts I configured notification e-mails for new alerts.  2.30pm yesterday I received an e-mail notifying incident ID111, containing a link to the security center which successfully opens and shows yesterday's remediation action.

- opening security center on its own, ie. WITHOUT above link, even today I don't  get to see incident 111.  110 is the last one (no filters set). needless to say that there's nothing to be seen yet in Sentinel either.

 

MDE/MDI incidents do arrive. just checked with an EICAR test file

Any hints how to troubleshoot this?

 

Thanks!

Urs

 

 

0 Replies