Forum Discussion

Larssen92
Brass Contributor
Jul 06, 2021

Analytic rule query frequency

Hi all, Why wouldn't you want to set all analytic rules in sentinel to query as often as possible (every minute), to get a faster response time on incident handling, instead of only querying once ...
    CliveWatson
    Jul 07, 2021
    Rules are currently scheduled for 5 mins to 14 days, not 1 min. You also have to consider the performance (Microsoft need to maintain a good response for thousands of Alerts in 1000s of customers), and you need to understand your performance/SLA as well. E.g. if you ran all rules at 1 min, then they have to finish within that window as well; poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomaly or trends, and create too many false Alerts.
    That said, there may be specific use cases where 5 min (or less when supported) is key.
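A way to turn the constraints in the reply above into a check you can run over your own rule definitions, added here as an example and not code from the thread or from Microsoft Sentinel. It assumes the limits the reply describes for scheduled rules (queryFrequency no shorter than 5 minutes and no longer than 14 days, queryPeriod no longer than 14 days and never shorter than queryFrequency, both stored as ISO 8601 durations such as PT5M or P14D). The avgRunSeconds field and the sample rules are constructed to illustrate the "queries must finish inside their window" point; a real workspace would supply measured run times from its own telemetry.

```python
"""Sanity-check scheduled analytics rule timings before tightening queryFrequency.

Added example, not code from the forum thread or from Microsoft Sentinel.
Assumed limits: queryFrequency between 5 minutes and 14 days, queryPeriod at
most 14 days and never shorter than queryFrequency. Run-time figures are
constructed sample data.
"""
import re
from datetime import timedelta

# ISO 8601 durations as they appear in Sentinel rule JSON (PT5M, PT1H, P14D, P1DT6H ...)
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

MIN_FREQUENCY = timedelta(minutes=5)  # assumption: floor for scheduled rules per the reply
MAX_LOOKBACK = timedelta(days=14)     # assumption: ceiling for queryFrequency and queryPeriod


def parse_duration(text: str) -> timedelta:
    """Convert an ISO 8601 duration (days/hours/minutes/seconds only) to a timedelta."""
    m = _DURATION.match(text)
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None} if m else {}
    if not parts:
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def check_rule(rule: dict) -> list:
    """Return the problems found with one scheduled rule; an empty list means it passes."""
    problems = []
    freq = parse_duration(rule["queryFrequency"])
    period = parse_duration(rule["queryPeriod"])
    if freq < MIN_FREQUENCY:
        problems.append(f"queryFrequency {rule['queryFrequency']} is below the 5 minute floor")
    if freq > MAX_LOOKBACK:
        problems.append(f"queryFrequency {rule['queryFrequency']} exceeds the 14 day ceiling")
    if period > MAX_LOOKBACK:
        problems.append(f"queryPeriod {rule['queryPeriod']} exceeds the 14 day ceiling")
    if period < freq:
        problems.append("queryPeriod is shorter than queryFrequency, leaving gaps in coverage")
    # The reply's point: at any cadence, each run must finish before the next one is due.
    runtime = rule.get("avgRunSeconds")  # constructed field; in practice take it from your own metrics
    if runtime is not None and timedelta(seconds=runtime) >= freq:
        problems.append(f"average run time {runtime}s does not fit inside a {rule['queryFrequency']} window")
    return problems


def audit(rules: list) -> dict:
    """Map each rule name to its list of problems."""
    return {r["name"]: check_rule(r) for r in rules}


# Constructed sample rules, not taken from any real workspace.
SAMPLE_RULES = [
    {"name": "Brute force logon", "queryFrequency": "PT5M", "queryPeriod": "PT5M", "avgRunSeconds": 12},
    {"name": "Rare process by host", "queryFrequency": "PT1M", "queryPeriod": "PT1M", "avgRunSeconds": 95},
    {"name": "Impossible travel", "queryFrequency": "PT1H", "queryPeriod": "PT30M", "avgRunSeconds": 40},
    {"name": "Weekly new admin accounts", "queryFrequency": "P7D", "queryPeriod": "P14D", "avgRunSeconds": 300},
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

The "Rare process by host" rule fails twice in the sample set: its 1 minute cadence is below the assumed floor, and even if that cadence were allowed its 95 second average run time could not finish inside the window, which is exactly the backlog scenario the reply warns about. "Impossible travel" is flagged because its lookback is shorter than its cadence, so half of each hour would never be queried.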
