Creating NRT Rules in Microsoft Sentinel

For background on NRT rules, please see the previous blog post or visit

https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules

Creating NRT rules

Navigate to Microsoft Sentinel in the Azure portal

https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel

In the navigation, select Analytics

Click Create and select NRT query rule


Give it a name, add a description, MITRE tactics and severity, and click Next

In the configuration window, there is no schedule or lookback time to define

Configure your query accordingly and continue the wizard.

Requirements

The query can reference only one table and cannot use unions or joins

No cross-workspace queries

Use project to keep only the fields you need, so the alert is not truncated by the alert size limit
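As an added example (not part of the original post), the query below meets the requirements above: a single table, no union or join, no cross-workspace reference, and project to keep the alert small. The table and columns are the standard Sentinel SigninLogs schema; the failure threshold and the workspace name in the commented-out contrast query are assumptions.

```kusto
// Added example for an NRT rule: repeated failed Entra ID sign-ins per user and source IP.
// SigninLogs, ResultType, UserPrincipalName, IPAddress, AppDisplayName and TimeGenerated
// are standard Sentinel columns; the threshold below is an assumed value.
//
// For contrast, this form is NOT valid in an NRT rule (second table via join,
// plus a cross-workspace reference; 'other-ws' is a placeholder name):
//   SigninLogs
//   | join kind=inner (workspace('other-ws').IdentityInfo)
//       on $left.UserPrincipalName == $right.AccountUPN
//
// NRT-compatible version: one table, no union/join, no workspace() reference.
SigninLogs
| where ResultType != "0"                       // ResultType "0" is a successful sign-in
| summarize FailedAttempts = count(),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated),
            Apps           = make_set(AppDisplayName, 5)   // cap the set so the alert stays small
          by UserPrincipalName, IPAddress
| where FailedAttempts >= 5                     // assumed threshold; tune to your environment
// project keeps only the fields the alert needs (see the size-limit requirement above)
| project UserPrincipalName, IPAddress, FailedAttempts, FirstFailure, LastFailure, Apps
```

Entity mapping in the wizard can then use UserPrincipalName for the Account entity and IPAddress for the IP entity, which is why both are kept by the project step.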

For further information, please visit

https://docs.microsoft.com/en-us/azure/sentinel/create-nrt-rules
