cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Analytic rule query frequency

Larssen92
Brass Contributor

‎Jul 06 2021 12:12 AM

‎Jul 06 2021 12:12 AM

Analytic rule query frequency

Hi all,

Why wouldn't you want to set all analytic rules in sentinel to query as often as possible (every minute), to get a faster response time on incident handling, instead of only querying once every 5 hours, or once every day?

2,531 Views
1 Like
4 Replies
Reply
4 Replies
m_zorich

‎Jul 06 2021 03:36 AM - edited ‎Jul 06 2021 03:36 AM

‎Jul 06 2021 03:36 AM - edited ‎Jul 06 2021 03:36 AM

Re: Analytic rule query frequency

Depends what you are hunting for; you may be only interested in an alert when a you go over a certain count of events over a longer period. Maybe you don't care that a user if a user types their password in wrong twice in five minutes, but what about 15 times in 10 minutes, or five different users from the same IP address over a 20 minute period? Sometimes you are looking for trends in data or anomalies rather than just a single event.

0 Likes
Reply
best response confirmed by Larssen92 (Brass Contributor)
CliveWatson

‎Jul 07 2021 01:18 AM

‎Jul 07 2021 01:18 AM

Solution

Re: Analytic rule query frequency

Rules are currently scheduled for 5mins to 14days, not 1min. You also have to consider the performance (Microsoft need to maintain a good response for thousands of Alerts in 1000s of customers), and you need to understand your performance/SLA as well. e.g. If you ran all rules at 1min, then they have to finish within that window as well - poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomaly or trends, and create too many false Alerts.
That said, there may be specific use cases where 5min (or less when supported) is key.
0 Likes
Reply
PrashTechTalk

‎Jul 07 2021 02:56 AM - edited ‎Jul 07 2021 02:58 AM

‎Jul 07 2021 02:56 AM - edited ‎Jul 07 2021 02:58 AM

Re: Analytic rule query frequency

The least minimum you can schedule a rule is 5mins. Sentinel does not support 1 minute and it is a not real time. There are a few points to consider.
1. Handling the noise, so make sure your rule is effective
2. Performance and cost of running the rule
3. Reduce the watchover period and size of the data
4. Take advantage of the Azure Playbooks or automation.
5. If you do not want the rule to be a scheduled on keep this as a hunting query for a manual run.
Lastly may i know what is the use case you were looking for a rule to run every minute ?

0 Likes
Reply
Larssen92

‎Jul 08 2021 05:54 AM

‎Jul 08 2021 05:54 AM

Re: Analytic rule query frequency

Thanks for your response!

An example of a use case where I want querying as often as possible, is user privilege escalation. In that case, I want to react as fast as possible, in the case that it is an unwanted event.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Larssen92 (Brass Contributor)
CliveWatson

‎Jul 07 2021 01:18 AM

‎Jul 07 2021 01:18 AM

Solution

Re: Analytic rule query frequency

Rules are currently scheduled for 5mins to 14days, not 1min. You also have to consider the performance (Microsoft need to maintain a good response for thousands of Alerts in 1000s of customers), and you need to understand your performance/SLA as well. e.g. If you ran all rules at 1min, then they have to finish within that window as well - poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomaly or trends, and create too many false Alerts.
That said, there may be specific use cases where 5min (or less when supported) is key.

View solution in original post

0 Likes
Reply