Forum Discussion
Larssen92
Jul 06, 2021
Brass Contributor
Analytic rule query frequency
Hi all, Why wouldn't you want to set all analytic rules in sentinel to query as often as possible (every minute), to get a faster response time on incident handling, instead of only querying once ...
Jul 07, 2021
Rules are currently scheduled for 5 mins to 14 days, not 1 min. You also have to consider the performance (Microsoft need to maintain a good response for thousands of Alerts in 1000s of customers), and you need to understand your performance/SLA as well, e.g. if you ran all rules at 1 min, then they have to finish within that window as well; poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomaly or trends, and create too many false Alerts.
That said, there may be specific use cases where 5min (or less when supported) is key.
PrashTechTalk
Jul 07, 2021
Brass Contributor
The minimum interval at which you can schedule a rule is 5 mins. Sentinel does not support 1 minute, and it is not real time. There are a few points to consider.
1. Handling the noise, so make sure your rule is effective
2. Performance and cost of running the rule
3. Reduce the watchover period and size of the data
4. Take advantage of the Azure Playbooks or automation.
5. If you do not want the rule to be scheduled, keep this as a hunting query for a manual run.
Lastly, may I know what the use case is for which you were looking to run a rule every minute?
Larssen92
Jul 08, 2021
Brass Contributor
Thanks for your response!
An example of a use case where I want querying as often as possible is user privilege escalation. In that case, I want to react as fast as possible, in case it is an unwanted event.
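Bringing the two threads together (the advice above to keep the lookback window and scanned data small, and the privilege escalation use case), here is an added example of what a 5-minute scheduled analytics rule for that case could look like. This is not code from anyone in this thread; it assumes Azure AD audit logs are ingested into the AuditLogs table, and the list of privileged role names is an assumption to adjust for your tenant.

```kql
// Rule settings (analytics rule wizard / alertRules template), not part of the query:
//   Run query every 5 minutes   -> queryFrequency = PT5M
//   Lookup data from the last 5 minutes -> queryPeriod = PT5M
//   Alert when number of results > 0
// Frequency and period are equal, so every run scans only the events that
// arrived since the last run; that keeps the query cheap enough to finish
// inside its own window even at the shortest supported cadence.

// Assumed list of roles worth a High-severity alert (tenant-specific).
let privilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "User Administrator"
]);
AuditLogs
// Filter early on a simple column so only role-membership changes are scanned.
| where OperationName == "Add member to role"
| where Result == "success"
// The assigned role name is carried in TargetResources[].modifiedProperties.
| mv-expand TargetResource = TargetResources
| mv-expand Prop = TargetResource.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = tostring(parse_json(tostring(Prop.newValue)))
| where RoleName in (privilegedRoles)
| extend Initiator  = tostring(InitiatedBy.user.userPrincipalName),
         TargetUser = tostring(TargetResource.userPrincipalName)
// Project only what the incident and the playbook need.
| project TimeGenerated, Initiator, TargetUser, RoleName, CorrelationId
```

Map Initiator and TargetUser to Account entities in the rule so an automation playbook can act on them directly; if the volume of legitimate role changes is high, tune the role list rather than lengthening the lookback window.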