Sentinel detection rule

Paolo Tibberio 1 Reputation point
2021-02-12T12:58:54.61+00:00

In my subscription I have created an infrastructure for the Red Team exercises using various techniques to develop an effective Sentinel detection rule to respond.
In this scenario I noticed that in case of attacks on Windows VMs using sysmon to format the Windows log, if I query the Sentinel Logs from the Azure console, I immediately see the values I am looking for and that I use as criteria to activate our rule Sentinel detection, while the incident is opened by Sentinel Azure well beyond the 5 minutes I set as the Schedule Time of the Sentinel rule.
What should be done to make the Sentinel detection rule take action faster?

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,188 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.