Near-real-time (NRT) Analytics Rules in Microsoft Sentinel

A new type of Analytic Rule has hit the horizon in the Microsoft Sentinel console. The NRT rule works similarly as LiveStream in the Hunting blade in that it forces the KQL query to run every single minute. But, while LiveStream doesn’t produce alerts and Incidents, the NRT rule does.

NRT query rule

The steps to create the rule are the same as any other Scheduled Analytics Rules, but with only a few exceptions. For example, you can’t define a longer schedule or the lookback period in the rule configuration.

Many might consider that using an NRT rule for everything – after all it should expose threats more quickly, right? Well, there are drawbacks and limitations that need to be considered.

From the docs:

  1. No more than 20 rules can be defined per customer at this time.
  2. As this type of rule is new, its syntax is currently limited but will gradually evolve. Therefore, at this time the following restrictions are in effect:
    • The query defined in an NRT rule can reference¬†only one table. Queries can, however, refer to multiple watchlists and to threat intelligence feeds.
    • You cannot use unions or joins.
    • Because this rule type is in near real time, we have reduced the built-in delay to a minimum (two minutes).
    • Since NRT rules use the ingestion time rather than the event generation time (represented by the TimeGenerated field), you can safely ignore the data source delay and the ingestion time latency (see above).
    • Queries can run only within a single workspace. There is no cross-workspace capability.
    • There is no event grouping. NRT rules produce a single alert that groups all the applicable events.

The docs for this feature are now available:


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

[Subscribe to the Bi-Weekly Azure Security Center Newsletter]


Leave a Reply