Creating NRT Rules in Microsoft Sentinel

For background on NRT rules, see the previous blog post or visit

https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules

Creating NRT rules

Navigate to Microsoft Sentinel in the Azure portal

https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel

In the navigation, select Analytics

Click Create and select NRT query rule


Give the rule a name, add a description, MITRE tactics and severity, and click Next

In the rule logic window there is no schedule or lookback period to define: an NRT rule runs once every minute against the data ingested during the preceding minute

Configure your query accordingly and continue the wizard.

Requirements

The query can reference only one table; unions and joins are not supported

Cross-workspace queries are not supported

Use project to keep only the fields the alert needs; otherwise the alert can be truncated because of its size limit
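The following KQL query is an added example, not code from the original post or from Microsoft. It shows a query shaped to pass the NRT requirements above: it reads a single table (SecurityEvent), uses no join or union, and projects only the columns the alert needs. The list of watched groups and the choice of event ID 4732 (a member added to a security-enabled local group) are assumptions made for this example; adjust them to your environment.

```kql
// Added example (not from the original post): NRT-compatible query that alerts when an
// account is added to a privileged local group on a Windows host (Security Event 4732).
// Single table, no join/union, minimal projection. A join to IdentityInfo or a union
// with another table would be rejected by the NRT rule wizard.
SecurityEvent
| where EventID == 4732
// Assumption: the groups considered privileged in this environment
| where TargetUserName in~ ("Administrators", "Remote Desktop Users", "Backup Operators")
| extend AddedAccount = tostring(MemberName), AddedBy = SubjectUserName
// Keep only what the alert and its entity mapping need, to stay under the alert size limit
| project TimeGenerated, Computer, TargetUserName, AddedAccount, AddedBy, SubjectDomainName
```

In the wizard, map Computer to a Host entity and AddedBy to an Account entity; because the rule runs every minute, every matching event becomes an alert, so keep the filter tight rather than relying on a lookback window to aggregate results.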

For further information, please visit

https://docs.microsoft.com/en-us/azure/sentinel/create-nrt-rules
