Larssen92
Jul 06, 2021 - Brass Contributor
Analytic rule query frequency
Hi all, why wouldn't you want to set all analytic rules in Sentinel to query as often as possible (every minute), to get a faster response time on incident handling, instead of only querying once ...
m_zorich
Jul 06, 2021 - Iron Contributor
Depends what you are hunting for; you may only be interested in an alert when you go over a certain count of events over a longer period. Maybe you don't care if a user types their password in wrong twice in five minutes, but what about 15 times in 10 minutes, or five different users from the same IP address over a 20 minute period? Sometimes you are looking for trends in data or anomalies rather than just a single event.
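The two thresholds described in the reply above, written out as Sentinel analytic rule queries. This is an added example, not code from the thread or from Microsoft: it assumes the Microsoft Sentinel `SigninLogs` table (columns `TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`) and treats Entra ID result code 50126 (invalid username or password) as the failed-sign-in signal; the counts and windows (15 in 10 minutes, 5 users in 20 minutes) come from the post.

```kql
// Rule A: one account failing 15 or more times within a 10-minute window.
// Two failures in five minutes never reach the threshold, so they do not alert.
// In a scheduled rule the lookback is set on the rule itself; the ago() filter
// makes the window explicit when the query is run by hand in Log Analytics.
SigninLogs
| where TimeGenerated > ago(10m)
| where ResultType == "50126"            // assumption: 50126 = invalid username or password
| summarize
    FailureCount = count(),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailureCount >= 15
| project-reorder UserPrincipalName, IPAddress, FailureCount, FirstSeen, LastSeen

// Rule B: one source IP failing against 5 or more distinct accounts within 20 minutes
// (a spray pattern that no per-user or per-minute rule would see as a single event).
SigninLogs
| where TimeGenerated > ago(20m)
| where ResultType == "50126"
| summarize
    DistinctUsers = dcount(UserPrincipalName),
    SampleUsers   = make_set(UserPrincipalName, 10),   // keep at most 10 names for the alert
    Attempts      = count(),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by IPAddress
| where DistinctUsers >= 5
| project-reorder IPAddress, DistinctUsers, Attempts, FirstSeen, LastSeen, SampleUsers
```

When these are saved as scheduled rules, the rule's lookback should match the `ago()` window (10 and 20 minutes respectively) and the run frequency should be no longer than the lookback, otherwise a burst that straddles two runs is never counted as a whole. Running them every 5 minutes with a longer lookback means the same burst can be returned on consecutive runs, so Sentinel's alert grouping or entity-based incident grouping is what stops one attack becoming several incidents; this is the trade-off the thread is about.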
CliveWatson
Microsoft
Jul 07, 2021
Rules are currently scheduled for 5 mins to 14 days, not 1 min. You also have to consider the performance (Microsoft needs to maintain a good response for thousands of alerts in 1000s of customers), and you need to understand your performance/SLA as well. E.g. if you ran all rules at 1 min, then they have to finish within that window as well - poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomalies or trends, and create too many false alerts.
That said, there may be specific use cases where 5min (or less when supported) is key.