
Analytic rule querying


Hello,

I'm working on alerting in Azure Sentinel. My domain controller is connected with Azure, so, for example, when someone tries to log in to my domain, it will be logged.

I already know you can make an analytic rule with a query and run it every x minutes, and you can attach a playbook to it, for example, to send mail about the incident.

But here is my question: how do you do real-time alerting?

For example, in the Analytics tab you can only trigger the query every 5 minutes to look if your query has results or not, and based on the results you can send an alert. You can't go below 5 minutes; this means if someone got access to the account, it would take at least 5 minutes to send an alert.

Does anyone know how to query it, for example, every 1-2 minutes?

2 Replies

@FeintBE Are you familiar with our Livestream component in the Hunting blade? When you right-click on a query here, you can add it to the Livestream tab, where you can start and stop the stream. What this does is set the query to run every 1 minute, and you'll be alerted through Azure notifications as long as the livestream is active. The display for the active Livestream will also increment whenever the result is reached. This is a great way to monitor a potentially active threat.

[image: livestreamcomp.jpg]


@rodtrent Well, this is very nice, but there is an option to connect your livestream with an analytic rule, and thus there will be a 5 min delay till I can get a mail as alert. Or do you know a workaround?
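The thread talks about the detection query only in the abstract. As an added example (not posted by either participant, and not Microsoft's own content), here is the kind of KQL query that fits both places discussed above: as the query of a scheduled analytic rule that runs every 5 minutes, and, unchanged, as a Hunting query added to Livestream so the same logic is re-run every minute while the stream is active. It assumes the domain controller's Windows Security log is ingested into the `SecurityEvent` table (Security Events connector), that the account and host columns are mapped as entities, and uses a constructed threshold of 5 failed logons; the `lookback` value is an assumption that should match the rule's "run every" / "lookup data from the last" settings so no events fall between two runs.

```kql
// Added example, not from the thread. Detects a burst of failed logons
// (Event ID 4625) against a single account on one host within the lookback window.
// Assumption: lookback equals the scheduled rule's run frequency (5 minutes),
// so consecutive runs cover adjacent, non-overlapping windows.
let lookback = 5m;        // assumed to match the rule frequency
let threshold = 5;        // constructed value; tune to the environment
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // failed logon
| where TargetUserName !endswith "$"         // ignore computer accounts
| summarize
    FailedCount = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    SourceIPs   = make_set(IpAddress)
    by TargetUserName, Computer
| where FailedCount >= threshold
// Entity mapping columns used by the scheduled-rule wizard at the time of this thread
| extend AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
```

Running this as a scheduled rule gives the 5-minute detection latency the question describes; putting the same query into Livestream only changes how often it is evaluated (every minute) and how the hit is surfaced (an Azure portal notification and the stream counter), so any playbook-driven mail still waits for the scheduled rule to create the incident.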