Creating NRT Rules in Microsoft Sentinel

Picture of SEC-LABS R&D

For information about NRT rules, please see previous blog post or visit

https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules

Creating NRT rules

Navigate to Microsoft Sentinel in the Azure portal

https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel

In the navigation, select Analytics

Click Create and select NRT query rule


Give it a name and add Description, Mitre Tactics and Severity and click Next

In the configuration window, there are no schedule and lookback time to define

Configure your query accordingly and continue the wizard.

Requirements

You can only refer to one table and cannot use unions or joins

No cross workspace query

Use project and only keep the necessary fields to avoid truncation due to size limitations of the alerts

For further information, please visit

https://docs.microsoft.com/en-us/azure/sentinel/create-nrt-rules

More articles

microsoft MDR

Onevinn MDR Now Available on Microsoft Security Store

As Microsoft Ignite approaches in San Francisco, we’re thrilled to announce a major milestone: ...

Data Security

Strengthen Your Data Security Posture

As organizations scale, data grows, spreads, and becomes harder to control. Add hybrid work,...

Onevinn microsoft

Onevinn joins Microsoft Security Summit Sweden

Onevinn, a proud partner of Microsoft and a sponsor of Microsoft Security Summit Sweden

ALL ARTICLES