Office 365 ATP analytics rule for Azure Sentinel very slow to create incidents

Gareth Young 1 Reputation point
2020-11-02T22:30:59.403+00:00

Hello,

I have a demo tenant that we are using to test monitoring of Office 365 ATP alerts in Azure Sentinel.

We are using the standard analytics rule that generates an incident when an alert is generated in ATP.

It takes HOURS between the time the alert is generated to Sentinel picking it up and creating an incident.

Is this the expected behaviour? Is there any way to force the analytics rule to run? It does not appear to be customizable.

Thanks!
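One way to find out where the hours go, as an added example that is not part of the question above and not Microsoft's own documentation: the delay can sit either in the connector (the alert reaching the SecurityAlert table) or in the scheduled rule (the incident being raised after the alert is queryable), and the two are measured differently. The KQL below assumes it is run from the workspace Logs blade, that the Office 365 ATP connector writes alerts to SecurityAlert with ProviderName "OATP" (verify with `SecurityAlert | distinct ProviderName` in your own workspace), and that the SecurityIncident table is populated. The time bucket, the 7-day window and the column aliases are choices made for this example.

```kql
// Added example (not from the original post): split incident latency into
// (a) connector ingestion delay and (b) scheduled-rule delay.
// Assumption: Office 365 ATP alerts land in SecurityAlert with ProviderName "OATP".
// Assumption: SecurityIncident is populated for this workspace.
SecurityIncident
| where TimeGenerated > ago(7d)
// SecurityIncident keeps one row per incident update; keep the latest state.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// An incident can group several alerts; one row per contributing alert.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | where ProviderName == "OATP"
    // ingestion_time() is when the row became queryable in the workspace,
    // which is the earliest moment a scheduled rule could have seen it.
    | extend AlertIngestedAt = ingestion_time()
    | project SystemAlertId, AlertName, AlertSeverity,
              AlertTimeGenerated = TimeGenerated, AlertIngestedAt
  ) on $left.AlertId == $right.SystemAlertId
// (a) how long the connector took to deliver the alert
| extend IngestionDelayMin = datetime_diff("minute", AlertIngestedAt, AlertTimeGenerated)
// (b) how long the analytics rule then took to open the incident
| extend RuleDelayMin = datetime_diff("minute", CreatedTime, AlertIngestedAt)
| project IncidentNumber, Title, AlertName, AlertSeverity,
          AlertTimeGenerated, AlertIngestedAt, CreatedTime,
          IngestionDelayMin, RuleDelayMin
| order by CreatedTime desc
```

If IngestionDelayMin carries most of the hours, the bottleneck is the alert feed into the workspace and no change to the rule will help; if RuleDelayMin is large, look at the rule's scheduling and lookback settings.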

Microsoft Sentinel