Analytic rule query frequency

Brass Contributor

Hi all,

Why wouldn't you want to set all analytic rules in sentinel to query as often as possible (every minute), to get a faster response time on incident handling, instead of only querying once every 5 hours, or once every day?

4 Replies

Depends what you are hunting for; you may be only interested in an alert when a you go over a certain count of events over a longer period. Maybe you don't care that a user if a user types their password in wrong twice in five minutes, but what about 15 times in 10 minutes, or five different users from the same IP address over a 20 minute period? Sometimes you are looking for trends in data or anomalies rather than just a single event.

best response confirmed by Larssen92 (Brass Contributor)
Rules are currently scheduled for 5mins to 14days, not 1min. You also have to consider the performance (Microsoft need to maintain a good response for thousands of Alerts in 1000s of customers), and you need to understand your performance/SLA as well. e.g. If you ran all rules at 1min, then they have to finish within that window as well - poorly written queries might not, or ones that look over large datasets. Can you deal with that frequency, or queries that don't finish, even with automation (SOAR)? You may also miss (as per the last answer) anomaly or trends, and create too many false Alerts.
That said, there may be specific use cases where 5min (or less when supported) is key.

The least minimum you can schedule a rule is 5mins. Sentinel does not support 1 minute and it is a not real time. There are a few points to consider.
1. Handling the noise, so make sure your rule is effective
2. Performance and cost of running the rule
3. Reduce the watchover period and size of the data
4. Take advantage of the Azure Playbooks or automation.
5. If you do not want the rule to be a scheduled on keep this as a hunting query for a manual run.
Lastly may i know what is the use case you were looking for a rule to run every minute ?

Thanks for your response!

An example of a use case where I want querying as often as possible, is user privilege escalation. In that case, I want to react as fast as possible, in the case that it is an unwanted event.