---
title: Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel | Microsoft Docs
description: This article explains how to view and create near-real-time (NRT) detection analytics rules in Microsoft Sentinel.
author: yelevin
ms.topic: how-to
ms.date: 11/09/2021
ms.author: yelevin
ms.custom: ignite-fall-2021
---
> [!IMPORTANT]
> Near-real-time (NRT) rules are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel's near-real-time analytics rules provide up-to-the-minute threat detection out of the box. This rule type is designed to be highly responsive: it runs its query every minute, over the preceding minute of data.

For the time being, these rules have the limitations outlined below, but the technology is evolving rapidly.

To view the NRT rule templates and rules in your workspace:
1. From the Microsoft Sentinel navigation menu, select **Analytics**.

1. In the **Active rules** tab of the **Analytics** blade, filter the list for NRT templates:

    1. Click the **Rule type** filter, then the drop-down list that appears below.

    1. Unmark **Select all**, then mark **NRT**.

    1. If necessary, click the top of the drop-down list to retract it, then click **OK**.
You create NRT rules the same way you create regular scheduled-query analytics rules:

1. From the Microsoft Sentinel navigation menu, select **Analytics**.

1. Select **Create** from the button bar, then **NRT query rule** from the drop-down list.

    :::image type="content" source="media/create-nrt-rules/create-nrt-rule.png" alt-text="Create a new NRT rule.":::

1. Follow the instructions of the analytics rule wizard.
The configuration of NRT rules is in most ways the same as that of scheduled analytics rules:

- You can refer to watchlists and threat intelligence feeds in your query logic.

- You can use all of the alert enrichment methods: entity mapping, custom details, and alert details.

- You can choose how to group alerts into incidents, and suppress the rule for a period after it has generated a result.

- You can automate responses to both alerts and incidents.
Because of the nature and limitations of NRT rules, however, the following features of scheduled analytics rules will not be available in the wizard:
- Query scheduling is not configurable, since queries are automatically scheduled to run once per minute with a one-minute lookback period.
- Alert threshold is irrelevant, since an alert is always generated.
- Event grouping configuration is not available, since events are always grouped into the alert created by the rule that captures the events. NRT rules cannot produce an alert for each event.
In addition, the query itself has the following requirements:

- The query can refer to only one table, and cannot contain `union` or `join` operators.

- You can't run the query across workspaces.

- Because alerts have a size limit, your query should use `project` statements to include only the fields you need from the table. Otherwise, the information you want to surface could end up being truncated.
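As an added example, not taken from the original article or from any Microsoft Sentinel template, the following KQL query satisfies the constraints listed above: it reads a single table, contains no `join` or `union`, carries no time filter of its own because the rule engine applies the fixed one-minute lookback, and trims the output with `project` so the alert stays under its size limit. `SecurityEvent` is the standard table for Windows security events; the watchlist alias `HighValueServers` and the use of its default `SearchKey` column are assumptions made for illustration.

```kusto
// Added example of an NRT-compatible query (not from the original article).
// Assumptions: the SecurityEvent table is populated, and a watchlist with the
// alias 'HighValueServers' exists whose SearchKey column holds computer names.
// No explicit time filter: the NRT rule engine runs this every minute over the
// preceding minute of data, and query scheduling is not configurable.
SecurityEvent
// Single table only; joins and unions are not allowed in NRT rules.
| where EventID == 4720                      // 4720: a user account was created
// Watchlist reference through the 'in' operator rather than a join.
| where Computer in ((_GetWatchlist('HighValueServers') | project SearchKey))
// Keep only the fields the alert needs, so nothing is truncated.
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName,
          TargetUserName, TargetSid, EventID, Activity
```

If you adapt an existing scheduled rule, the parts to remove are any `join` or `union` against a second table and any `ago()`-based time window; replace the joined data with a watchlist or threat intelligence lookup where possible, and map `Computer` and `TargetUserName` to the **Host** and **Account** entities in the wizard so the alert is enriched in the same way a scheduled rule's would be.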
In this document, you learned how to view and create near-real-time (NRT) analytics rules in Microsoft Sentinel.

- Learn more about near-real-time (NRT) analytics rules in Microsoft Sentinel.
- Explore other analytics rule types.