HUIACE-4516 asked, vipulsparsh-MSFT edited

log lags and analytic rules

hi kind community!

I am new to Sentinel, so I wanted to ask about the delays in log creation and ingestion into Sentinel. Take AAD login logs for example: there is usually a delay for the logs to be generated and passed through to Sentinel. So if I have analytic rules that query logs every 30 minutes, and the lag is greater than 30 minutes, does that mean the rules will never be satisfied? Looking forward to hearing from the community!

cheers

azure-sentinel

1 Answer

vipulsparsh-MSFT answered, vipulsparsh-MSFT edited

@HUIACE-4516 Thanks for reaching out.

The longer delay is only at the first time, when we send the logs while adding the connector. After that the logs are ingested as soon as the respective service generates them, within 5 minutes in the case of Azure AD (not at the first time). But yes, the logs need to be present in order for the analytic query to work and find something.

In that case you need to schedule your query accordingly. However, do let us know if you think a few logs take more time to sync to the Sentinel LAWS.

For that you do have query scheduling options which you can set to different time frames while creating an analytic rule:

(screenshot: 132214-image.png)

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
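To make the scheduling point concrete, below is a small simulation added here as an illustration; it is not code from the original answer or from Microsoft. It assumes a rule that runs every 30 minutes with a 30-minute lookback, constructs four sign-in events with different (made-up) ingestion latencies, and compares two query shapes: the naive one that filters on TimeGenerated only, and one that filters on ingestion_time() (a real Log Analytics function) with a widened TimeGenerated bound. The constants FREQUENCY, LOOKBACK, MAX_LAG and the event timings are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed rule settings for the example (not taken from the post):
FREQUENCY = timedelta(minutes=30)   # how often the scheduled rule runs
LOOKBACK = timedelta(minutes=30)    # query window each run covers
MAX_LAG = timedelta(minutes=60)     # assumed upper bound on ingestion latency

T0 = datetime(2021, 9, 1, 0, 0)     # arbitrary start of the simulated day


@dataclass(frozen=True)
class SigninEvent:
    id: str
    time_generated: datetime   # TimeGenerated: when the service produced the record
    lag: timedelta             # assumed delay until the row lands in the workspace

    @property
    def ingestion_time(self) -> datetime:
        """Equivalent of ingestion_time() in KQL for this simulated row."""
        return self.time_generated + self.lag


# Constructed sample events (made up for the example).
EVENTS = [
    SigninEvent("fast",     T0 + timedelta(minutes=10),  timedelta(minutes=5)),
    SigninEvent("boundary", T0 + timedelta(minutes=50),  timedelta(minutes=30)),
    SigninEvent("slow",     T0 + timedelta(minutes=40),  timedelta(minutes=45)),
    SigninEvent("too_slow", T0 + timedelta(minutes=120), timedelta(minutes=100)),
]


def rule_runs(start: datetime, end: datetime, frequency: timedelta) -> list:
    """Times at which the scheduled rule executes between start and end."""
    runs, t = [], start
    while t <= end:
        runs.append(t)
        t += frequency
    return runs


def visible_rows(events, run_time):
    """Only rows already ingested are visible to a query executed at run_time."""
    return [e for e in events if e.ingestion_time <= run_time]


def naive_query(events, run_time):
    """Mirrors:  SigninLogs | where TimeGenerated > ago(LOOKBACK)"""
    return {e.id for e in visible_rows(events, run_time)
            if run_time - LOOKBACK < e.time_generated <= run_time}


def ingestion_aware_query(events, run_time):
    """Mirrors:
         SigninLogs
         | where TimeGenerated >= ago(LOOKBACK + MAX_LAG)
         | where ingestion_time() > ago(LOOKBACK)
    Rows are selected by when they arrived, so a late row is seen exactly once
    by the run that follows its arrival, provided its lag is within MAX_LAG."""
    return {e.id for e in visible_rows(events, run_time)
            if run_time - LOOKBACK < e.ingestion_time <= run_time
            and e.time_generated >= run_time - LOOKBACK - MAX_LAG}


def detections(query, events, runs) -> dict:
    """Map each event id to the run times at which `query` returned it."""
    hits = {e.id: [] for e in events}
    for run_time in runs:
        for eid in query(events, run_time):
            hits[eid].append(run_time)
    return hits


def simulate() -> dict:
    runs = rule_runs(T0, T0 + timedelta(hours=5), FREQUENCY)
    return {
        "naive": detections(naive_query, EVENTS, runs),
        "ingestion_aware": detections(ingestion_aware_query, EVENTS, runs),
    }


if __name__ == "__main__":
    for name, hits in simulate().items():
        print(name)
        for eid, times in hits.items():
            print(f"  {eid:9s} -> {[t.strftime('%H:%M') for t in times] or 'MISSED'}")
```

Running it shows the behaviour the question asks about: with a TimeGenerated-only filter, any event whose ingestion lag is at or above the 30-minute lookback is never returned, because by the time the row exists, every subsequent run's window has already moved past its TimeGenerated (the "boundary" event with a lag of exactly 30 minutes is missed too, since the run times do not line up with the event). Filtering on ingestion_time() instead catches those rows on the first run after they arrive, and because the frequency equals the lookback each row is returned by exactly one run, so there are no duplicate alerts. The "too_slow" event is still missed, which is the caveat to keep in mind: MAX_LAG has to cover the latency you actually observe for that table, and the widened TimeGenerated bound makes the query scan that much more data.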