NRT Rules are hard-coded to run once every minute and capture events ingested in the preceding minute.
This is for faster detection and response opportunity.
Considerations
- No more than 20 rules can be defined per customer at this time
- As this type of rule is new, its syntax is currently limited but will gradually evolve. Therefore, at this time the following restrictions are in effect:
- The query defined in an NRT rule can reference only one table. Queries can, however, refer to multiple watchlists and to threat intelligence feeds.
- You cannot use unions or joins.
- Because this rule type is in near real time, we have reduced the built-in delay to a minimum (two minutes).
- Since NRT rules use the ingestion time rather than the event generation time (represented by the TimeGenerated field), you can safely ignore the data source delay and the ingestion time latency (see above).
- Queries can run only within a single workspace. There is no cross-workspace capability.
- There is no event grouping. NRT rules produce a single alert that groups all the applicable events.
There is a technical limit which blocks union, join etc.
For further information about Near-Real-Time, NRT, analytic rules, please visit:
https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules
Happy Hunting!