Log search latency problem

Our current virus alerts don’t include the virus hash. So I created a workflow that goes and gets it from the Trellix log in IDR and puts it in the investigation as a comment.

The workflow works fine when triggered manually by an analyst. However, if the workflow is triggered automatically by the virus alert, then it finds nothing when it searches the log. It comes back with an empty array.

I thought I could fix it with a timer. I got it working on a 4 minute timer once with an EICAR file, but in the wild I’ve now seen it fail with as much as a 5 minute timer.

Anyone else have experience trying to query newly created logs just after they are created, and how do you deal with (what appears to be) the latency problem?

Latency is to be expected when it comes to the difference between alert detection and finding those results in log search. I believe IDR documentation states a standard 5 minute delay, but it is always a good idea to add more time for extenuating circumstances. That being said, you are on the right track with a timer delay in the workflow. I have used 5 minutes with success in the past, but your mileage may vary.

Thanks for your reply. Support originally said 30 second latency but then came back to say to expect 7 minutes for the virus alerts specifically.
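The retry approach the replies converge on, as an added example that is not part of this thread or of any InsightIDR or Trellix tooling: instead of one fixed timer, re-run the log search with a growing delay and give up after a ceiling, so a workflow can flag a missed lookup rather than silently attaching nothing. The `search` callable, the `file_hash` field and the simulated log source are assumptions, and the clock is faked so the backoff can be exercised without waiting minutes.

```python
import time
from typing import Callable, List, Optional, Sequence

def wait_for_log_results(
    search: Callable[[], Sequence[dict]],
    max_wait: float = 10 * 60,    # give up after this many seconds
    first_delay: float = 30.0,    # pause before the first retry
    max_delay: float = 120.0,     # cap on the backoff interval
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[List[dict]]:
    """Re-run `search` with a growing delay until it returns hits or `max_wait`
    seconds pass. None means the log never became searchable, so the caller
    can flag the investigation for follow-up instead of attaching nothing."""
    start = clock()
    delay = first_delay
    while True:
        hits = list(search())
        if hits:
            return hits
        if clock() - start + delay > max_wait:
            return None
        sleep(delay)
        delay = min(delay * 2, max_delay)

class FakeClock:
    # Deterministic clock so the backoff runs without real sleeps.
    def __init__(self) -> None:
        self.now = 0.0
    def time(self) -> float:
        return self.now
    def sleep(self, seconds: float) -> None:
        self.now += seconds

class SimulatedLogSource:
    """Constructed stand-in for log search: the alert's event only becomes
    searchable `ingest_latency` seconds after the alert fired."""
    def __init__(self, event: dict, ingest_latency: float, clock: FakeClock) -> None:
        self.event, self.ingest_latency, self.clock = event, ingest_latency, clock
        self.fired_at = clock.time()
    def search(self) -> List[dict]:
        if self.clock.time() - self.fired_at >= self.ingest_latency:
            return [self.event]
        return []

def demo(ingest_latency: float, max_wait: float) -> Optional[str]:
    """Poll a simulated log with the given ingestion delay; return the hash or None."""
    clock = FakeClock()
    # Constructed event; "file_hash" is an assumed field name, not the Trellix schema.
    source = SimulatedLogSource({"file_hash": "deadbeef"}, ingest_latency, clock)
    hits = wait_for_log_results(source.search, max_wait=max_wait, clock=clock.time, sleep=clock.sleep)
    return hits[0]["file_hash"] if hits else None
```

With the 7 minute ingestion delay support quoted, the poller finds the event on its sixth attempt under a 10 minute ceiling, while a 5 minute ceiling returns None so the workflow can mark the comment as needing manual completion.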