Jul 06 2021 12:12 AM
Jul 06 2021 03:36 AM - edited Jul 06 2021 03:36 AM
Depends what you are hunting for; you may be only interested in an alert when a you go over a certain count of events over a longer period. Maybe you don't care that a user if a user types their password in wrong twice in five minutes, but what about 15 times in 10 minutes, or five different users from the same IP address over a 20 minute period? Sometimes you are looking for trends in data or anomalies rather than just a single event.
Jul 07 2021 01:18 AMSolution
Jul 07 2021 02:56 AM - edited Jul 07 2021 02:58 AM
The least minimum you can schedule a rule is 5mins. Sentinel does not support 1 minute and it is a not real time. There are a few points to consider.
1. Handling the noise, so make sure your rule is effective
2. Performance and cost of running the rule
3. Reduce the watchover period and size of the data
4. Take advantage of the Azure Playbooks or automation.
5. If you do not want the rule to be a scheduled on keep this as a hunting query for a manual run.
Lastly may i know what is the use case you were looking for a rule to run every minute ?
Jul 08 2021 05:54 AM