Microsoft Tech Community

[DETECTION] 'Frequency', 'Period', and 'Suppression' precision


Hello,


I would like to have more details about the 'Frequency', 'Period', and 'Suppression' parameters. Here is what I understand:

  • Frequency - No problem with this: the query is run every X minute(s) or hour(s);
  • Period - According to the documentation: "control the time window for how much data the query runs on - for example, it can run every hour across 60 minutes of data". This is where I don't understand, since the period is defined within the KQL Query, with TimeGenerated. I must be missing something.
  • Suppression - When an alert rule is triggered for an event E, it will not be triggered again for the next X minute(s) or hour(s), for the same event E. Is that right?

So, what really is this 'Period' ? I want to be sure to understand each of these parameters.


Thank you very much!


Clément BONNET


@ClémentB The Period is used just like its description states, it is the time period for your data. If you look under the "Set alert query" heading above where you enter your query it does state "Set time and interval parameters only using the Period field under Alert scheduling."


So it appears that MS does not want any sort of time parameter in the query itself. Hopefully someone from MS can state why that is.

@Gary Bushey


It's related to https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log


"The query returns only records that were created within this range of the current time. Time period restricts the data fetched for log query to prevent abuse and circumvents any time command (like ago) used in log query." 24hrs is the max.
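As an added illustration of how the three settings discussed in this thread interact (example code, not from Microsoft or any poster here), the Python model below runs a rule at every Frequency tick, lets each run see only its trailing Period window regardless of any ago() in the KQL, and treats Suppression as skipping runs, which is what the rule wizard's "Stop running query after alert is generated" option does; the event timestamps are constructed. It shows the coverage gap left when Period is shorter than Frequency and the duplicate alerts raised when it is longer.

```python
"""Model how Frequency, Period and Suppression interact for a Sentinel scheduled rule.

Added illustration, not Microsoft code. Assumptions: a rule with frequency F runs at
t = 0, F, 2F, ...; each run sees only the trailing (now - P, now] window, whatever
ago() the KQL uses; suppression S skips the rule's runs for S minutes after an alert
fires (the wizard's "Stop running query after alert is generated"). Times are in
minutes and the events are constructed sample timestamps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Schedule:
    frequency: int    # minutes between runs
    period: int       # minutes of data each run looks back over
    suppression: int  # minutes to stop running after an alert (0 = off)


def run_windows(s: Schedule, horizon: int) -> list[tuple[int, int]]:
    """(start, end] lookback windows of every scheduled run up to `horizon`."""
    return [(t - s.period, t) for t in range(0, horizon + 1, s.frequency)]


def simulate(s: Schedule, events: list[int], horizon: int) -> tuple[list[int], list[int]]:
    """Return (run times that raised an alert, events that no run ever saw).

    A run raises an alert when at least one event falls inside its window, so an
    event inside two overlapping windows alerts twice unless suppression skips a run.
    """
    alerts: list[int] = []
    seen: set[int] = set()
    muted_until = 0
    for start, end in run_windows(s, horizon):
        if end < muted_until:          # suppression: the query is not executed
            continue
        hits = [e for e in events if start < e <= end]
        seen.update(hits)
        if hits:
            alerts.append(end)
            muted_until = end + s.suppression
    return alerts, sorted(set(events) - seen)


if __name__ == "__main__":
    sample = [20, 45, 130]            # constructed event timestamps (minutes)
    for label, sched in [
        ("period < frequency (coverage gap)", Schedule(60, 30, 0)),
        ("period == frequency", Schedule(60, 60, 0)),
        ("period > frequency (duplicates)", Schedule(60, 120, 0)),
        ("period > frequency + suppression", Schedule(60, 120, 90)),
    ]:
        print(label, simulate(sched, sample, 180))
```

With a 30-minute Period on a 60-minute Frequency the event at minute 20 is never queried, and with a 120-minute Period every event is alerted on twice unless suppression covers the next run.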