[DETECTION] 'Frequency', 'Period', and 'Suppression' precision

ClementBonnet
Occasional Contributor

Hello,

I would like to have more details about the  'Frequency', 'Period', and 'Suppression' parameters. Here is what I understand:

  • Frequency - No problem with this: the query is run every X minute(s) or hour(s);
  • Period - According to the documentation: "control the time window for how much data the query runs on - for example, it can run every hour across 60 minutes of data". This is where I don't understand, since the period is defined within the KQL Query, with TimeGenerated. I must be missing something.
  • Suppression - When an alert rule is triggered for an event E, it will not be triggered again for the next X minute(s) or hour(s), for the same event E. Is that right?

So, what really is this 'Period'? I want to be sure to understand each of these parameters.

Thank you very much!

Clément BONNET

2 Replies

@ClementBonnet The Period is used just like its description states, it is the time period for your data. If you look under the "Set alert query" heading above where you enter your query it does state "Set time and interval parameters only using the Period field under Alert scheduling."

So it appears that MS does not want any sort of time parameter in the query itself.  Hopefully someone from MS can state why that is.

@Gary Bushey 

It's related to https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log

"The query returns only records that were created within this range of the current time. Time period restricts the data fetched for log query to prevent abuse and circumvents any time command (like ago) used in log query. "  24hrs is the max.  
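As an added illustration (not from either reply, nor from Microsoft's documentation), the small Python model below runs a scheduled rule over constructed sample records and shows how Frequency, Period and Suppression interact. It assumes that Period is an outer bound on the data fetched (an ago() inside the query can only narrow the window, never widen it) and that Suppression mutes the whole rule rather than a single event; both are modelling assumptions, the thread itself leaves the per-event question open.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry): one matching record per minute
# from 09:00 to 09:10 UTC, then a single straggler at 11:30.
EVENTS = [datetime(2019, 6, 1, 9, m) for m in range(11)] + [datetime(2019, 6, 1, 11, 30)]


def records_in_scope(events, now, period, query_lookback):
    """Records a scheduled run at `now` can see.
    Assumption: Period caps the data fetched, so the query's own ago() filter
    narrows the window further but never extends it past the Period."""
    window = min(period, query_lookback)
    return [e for e in events if now - window <= e <= now]


def run_rule(events, start, end, frequency, period, suppression,
             query_lookback, threshold):
    """Simulate the scheduler; returns [(run_time, record_count, fired), ...].
    Assumption: a fire mutes the whole rule for the suppression window."""
    results, muted_until, now = [], None, start
    while now <= end:
        count = len(records_in_scope(events, now, period, query_lookback))
        muted = muted_until is not None and now < muted_until
        fired = count >= threshold and not muted
        if fired:
            muted_until = now + suppression
        results.append((now, count, fired))
        now += frequency
    return results


def count_fires(period_hours, suppression_hours, query_lookback_hours=24 * 7):
    """Fires between 09:05 and 12:00 for a rule that runs every 5 minutes with a
    threshold of 5 records, where the KQL itself asks for ago(7d) by default."""
    runs = run_rule(EVENTS,
                    datetime(2019, 6, 1, 9, 5), datetime(2019, 6, 1, 12, 0),
                    timedelta(minutes=5),
                    timedelta(hours=period_hours),
                    timedelta(hours=suppression_hours),
                    timedelta(hours=query_lookback_hours),
                    threshold=5)
    return sum(1 for _, _, fired in runs if fired)


if __name__ == "__main__":
    # Period 1h caps the query's ago(7d); the 09:00 burst ages out after 10:05.
    print("period 1h, suppression 1h :", count_fires(1, 1))        # 2
    # Period 7d honours ago(7d): the same burst keeps re-firing once unmuted.
    print("period 7d, suppression 1h :", count_fires(24 * 7, 1))   # 3
    # No suppression: every 5-minute run that still sees the burst fires.
    print("period 1h, no suppression :", count_fires(1, 0))        # 13
```

Changing the Period alone changes the result even though the query text never changes, which is the behaviour the quoted documentation describes.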
