Cyber Intelligence
Microsoft Sentinel · 50-55% of exam

L10. Analytics Rules: Scheduled, NRT and Fusion

Analytics rules are the detection engine in Microsoft Sentinel. This lesson covers rule types, scheduled query configuration, near-real-time rules, Fusion ML-based detections, and rule tuning strategies for the SC-200 exam.

Analytics Rule Types

This lesson covers the four analytics rule types that carry the most weight on the exam (Sentinel also ships threat intelligence and anomaly rule templates, which are not covered here):

Rule type             Detection latency                                   Use case
Scheduled             5 minutes to 14 days (configurable run frequency)   Custom detections written in KQL
NRT (near-real-time)  About 1 minute (fixed)                              Low-latency detection for critical threats
Fusion                Varies (correlates alerts as they arrive)           ML-based multi-stage attack detection
Microsoft security    As soon as the source product raises the alert      Incidents created from Microsoft Defender product alerts

Scheduled Analytics Rules

Scheduled rules run KQL queries at defined intervals. Key configuration parameters:

  • Query: The KQL detection logic
  • Run frequency: How often the rule executes (e.g., every 5 minutes, every hour)
  • Lookup period: How far back the query looks (e.g., last 5 minutes, last 1 hour)
  • Alert threshold: Minimum results to trigger an alert
  • Entity mapping: Map query results to Sentinel entities (Account, Host, IP, URL, File)
  • Alert grouping: Group alerts into a single incident or create separate incidents
Exam tip: The lookup period should be equal to or greater than the run frequency. If frequency is 5 minutes and lookup is 5 minutes, there is no gap. If lookup is less than frequency, events can be missed.

Example scheduled rule:

SigninLogs
// Inside a scheduled rule the lookup period already bounds the data; keep this
// explicit filter no shorter than the lookup period or it silently narrows the window.
| where TimeGenerated > ago(1h)
// ResultType is a string column; 50053 is the Entra ID "account locked" sign-in error
| where ResultType == "50053"
| where Location != "US"
| summarize AttemptCount = count() by UserPrincipalName, IPAddress, Location
// Same effect as an alert threshold: only groups with more than 5 attempts surface
| where AttemptCount > 5
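
The interaction between run frequency, lookup period, alert threshold and suppression is easier to see in a small simulation than in prose. The following Python is an added example written for this page, not Sentinel code or a Microsoft sample: it re-implements the query above (filter, summarize count() by user/IP/location, threshold) over a constructed SigninLogs-like table and runs it on a scheduled rule's cadence, so you can see which rows a given frequency/lookup pair actually evaluates. The timestamps, user names, IP addresses and locations are constructed, and T0, at, detect, run_schedule and coverage_gap_minutes are names chosen here.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed timeline: minute 0 of the simulation. Every timestamp below is relative to it.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed SigninLogs-like rows, NOT real telemetry:
# (TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType).
# "50053" is the Entra ID sign-in error the lesson's query looks for (account locked
# after repeated bad credentials); "0" is a successful sign-in.
SIGNIN_LOGS = [
    *[(at(m), "alice@contoso.example", "203.0.113.10", "DE", "50053") for m in (1, 2, 3, 4, 5, 6)],
    (at(3), "alice@contoso.example", "203.0.113.10", "DE", "0"),      # success: filtered out
    (at(4), "bob@contoso.example", "198.51.100.7", "US", "50053"),     # US location: filtered out
    (at(7), "carol@contoso.example", "198.51.100.9", "FR", "50053"),   # one attempt: under threshold
]


def detect(rows, window_start, window_end, threshold=5):
    """Python equivalent of the lesson's KQL: keep ResultType 50053 outside the US,
    summarize count() by (UserPrincipalName, IPAddress, Location) and return the
    groups whose AttemptCount exceeds `threshold`. The half-open window
    [window_start, window_end) plays the role of the rule's lookup period."""
    attempts = Counter()
    for ts, upn, ip, location, result in rows:
        if window_start <= ts < window_end and result == "50053" and location != "US":
            attempts[(upn, ip, location)] += 1
    return {key: n for key, n in attempts.items() if n > threshold}


def run_schedule(rows, frequency_min, lookup_min, horizon_min, suppression_min=0):
    """Simulate a scheduled rule for `horizon_min` minutes: every `frequency_min`
    minutes the query runs over the previous `lookup_min` minutes.
    `suppression_min` models "stop running query after alert is generated".
    Returns (alerts keyed by run minute, rows that no run ever examined)."""
    alerts = {}
    evaluated = set()
    suppressed_until = None
    run_min = frequency_min
    while run_min <= horizon_min:
        run_time = at(run_min)
        if suppressed_until is None or run_time >= suppressed_until:
            start = run_time - timedelta(minutes=lookup_min)
            evaluated.update(i for i, row in enumerate(rows) if start <= row[0] < run_time)
            found = detect(rows, start, run_time)
            if found:
                alerts[run_min] = found
                if suppression_min:
                    suppressed_until = run_time + timedelta(minutes=suppression_min)
        run_min += frequency_min
    missed = [row for i, row in enumerate(rows) if i not in evaluated]
    return alerts, missed


def coverage_gap_minutes(frequency_min, lookup_min):
    """Minutes of every cycle that no run examines: 0 when lookup >= frequency."""
    return max(0, frequency_min - lookup_min)


if __name__ == "__main__":
    for frequency, lookup in ((10, 5), (5, 5), (10, 10), (5, 10), (5, 15)):
        alerts, missed = run_schedule(SIGNIN_LOGS, frequency, lookup, horizon_min=30)
        print(f"frequency={frequency}m lookup={lookup}m gap={coverage_gap_minutes(frequency, lookup)}m "
              f"alerts={alerts or 'none'} never_evaluated={len(missed)} rows")
    alerts, _ = run_schedule(SIGNIN_LOGS, 5, 15, horizon_min=30, suppression_min=10)
    print(f"frequency=5m lookup=15m suppression=10m alerts={alerts}")
```

Running it shows three different failure modes. With frequency 10 and lookup 5, four of alice's six lockouts are never examined by any run and the rule never fires. With frequency 5 and lookup 5 there is no gap, yet the burst is split 4 then 2 across two windows and the threshold is never reached, which is why threshold-based detections often use a lookup period longer than the frequency. With frequency 5 and lookup 15 the same six events are counted by the runs at minute 10 and minute 15 and the rule fires twice; suppression (or alert grouping) is what stops those duplicates from becoming separate incidents.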

Near-Real-Time (NRT) Rules

NRT rules run every minute with a 1-minute lookup window. They are designed for detections that require minimal delay:

  • No configurable frequency (fixed at ~1 minute)
  • Support most KQL operators (with some limitations)
  • Cannot use cross-workspace queries
  • Cannot use the join operator or external data sources

Use NRT rules for high-priority detections like ransomware encryption patterns or critical system changes. Exam tip: NRT rules have a fixed run frequency and cannot use joins or cross-workspace queries. If the question describes a detection needing joins, the answer is a scheduled rule.

Fusion Rules

Fusion uses machine learning to detect multi-stage attacks by correlating low-fidelity alerts from multiple sources. For example:

  1. Suspicious sign-in from an unusual location (Entra ID)
  2. Inbox rule creation forwarding emails (Office 365)
  3. Mass file download from SharePoint (Cloud Apps)

Individually, these alerts might not warrant investigation. Fusion correlates them into a high-confidence incident.

Fusion detects scenarios like:

  • Ransomware deployment following credential compromise
  • Data exfiltration after lateral movement
  • Crypto mining after initial access

Fusion is enabled by default in new workspaces. You can turn the rule on or off and choose which source alerts and severities feed it, but there is no query to edit and the ML logic itself cannot be customized.

Entity Mapping

Entity mapping links query results to Sentinel entity types:

  • Account: UserPrincipalName, SID, AADUserId
  • Host: HostName, FullName (the FQDN), NetBiosName, AzureID (an IP address is mapped as its own IP entity, not as a host identifier)
  • IP: Address
  • URL: Url
  • File: Name, Directory (a hash is mapped to the separate FileHash entity, with Algorithm and Value)
  • Mailbox: MailboxPrimaryAddress

Proper entity mapping enables:

  • Investigation graph visualization
  • Entity pages with aggregated information
  • Entity behavior analytics (UEBA)
  • Automated response actions targeting the entity

Alert Grouping

Alert grouping controls how alerts from the same rule are combined into incidents:

  • Group all alerts into a single incident: Reduces noise when the same rule fires repeatedly
  • Group alerts by selected entities: Creates separate incidents per entity value (e.g., per user or per host); choosing all mapped entities groups only alerts whose entities all match
  • Limit the group to a time window: An alert raised more than the configured window after the incident was created opens a new incident instead of joining it; the window does not close anything
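
To make the grouping options concrete, here is an added Python example written for this page (a simplified model, not Sentinel's implementation) that takes a constructed stream of alerts from one rule, each carrying the entities its entity mapping produced, and builds incidents under each setting: grouping disabled, all alerts into one incident, grouping by selected entities, and the time window. The alert ids, times and entity values are constructed; group_alerts, incident_alert_ids and the window_hours default of 5 are choices made here, so substitute the window your rule is configured with.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start of the alert stream


def at(hours):
    return T0 + timedelta(hours=hours)


# Constructed alerts raised by ONE scheduled rule, each with the entities that
# its entity mapping produced. Not real Sentinel data.
ALERTS = [
    {"id": "a1", "time": at(0.0), "entities": {"Account": "alice@contoso.example", "Host": "WS01"}},
    {"id": "a2", "time": at(1.0), "entities": {"Account": "alice@contoso.example", "Host": "WS01"}},
    {"id": "a3", "time": at(1.5), "entities": {"Account": "bob@contoso.example", "Host": "WS02"}},
    {"id": "a4", "time": at(7.0), "entities": {"Account": "alice@contoso.example", "Host": "WS03"}},
    {"id": "a5", "time": at(2.0), "entities": {"Account": "alice@contoso.example", "Host": "WS04"}},
]


def group_alerts(alerts, grouping_enabled=True, group_by=None, window_hours=5):
    """Simplified model of Sentinel alert grouping for a single rule.

    grouping_enabled=False : every alert becomes its own incident.
    group_by=None          : all alerts inside the window share one incident.
    group_by=["Account"]   : alerts share an incident only when the selected
                             entity values match (pass every mapped type to
                             model "all entities match").
    window_hours           : an alert raised more than window_hours after the
                             matching incident was opened starts a new incident;
                             the window never closes an incident.
    Returns the incidents in creation order, each with its key and alert ids.
    """
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        key = tuple(alert["entities"].get(e) for e in (group_by or []))
        target = None
        if grouping_enabled:
            for inc in incidents:
                inside_window = alert["time"] - inc["opened"] <= timedelta(hours=window_hours)
                if inc["key"] == key and inside_window:
                    target = inc
                    break
        if target is None:
            target = {"key": key, "opened": alert["time"], "alerts": []}
            incidents.append(target)
        target["alerts"].append(alert["id"])
    return incidents


def incident_alert_ids(incidents):
    """Convenience view: one list of alert ids per incident, in creation order."""
    return [inc["alerts"] for inc in incidents]


if __name__ == "__main__":
    print("grouping off :", incident_alert_ids(group_alerts(ALERTS, grouping_enabled=False)))
    print("single       :", incident_alert_ids(group_alerts(ALERTS)))
    print("by Account   :", incident_alert_ids(group_alerts(ALERTS, group_by=["Account"])))
    print("Account+Host :", incident_alert_ids(group_alerts(ALERTS, group_by=["Account", "Host"])))
```

Note how the same five alerts become five, two, three or four incidents depending only on the grouping setting, and how a4 always lands in a fresh incident because it arrives seven hours after the first one opened. Grouping by Account is usually the right choice for per-user detections like the sign-in query earlier in the lesson; grouping on every entity, including the host, fragments one user's activity across several incidents.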

Tuning and Suppression

To reduce false positives:

  • Add exclusion conditions to the KQL query
  • Use analytics rule suppression (pause the rule after it fires for a specified duration)
  • Adjust alert thresholds
  • Refine entity mapping for better correlation

Exam Focus Points
  • Scheduled rules have configurable frequency and lookup periods. The lookup must be >= the frequency to avoid gaps.
  • NRT rules run every ~1 minute but cannot use joins or cross-workspace queries.
  • Fusion uses ML to correlate low-fidelity alerts from multiple sources into high-confidence multi-stage attack incidents.
  • Entity mapping connects query results to Sentinel entities (Account, Host, IP, URL, File, Mailbox).
  • Alert grouping by entity creates separate incidents per user or host instead of a single combined incident.
  • Fusion rules are enabled by default and their ML logic cannot be customized.

Knowledge Check

1. A detection query uses a join between SecurityEvent and a watchlist table. Which analytics rule type can run this query?

2. A scheduled analytics rule runs every 10 minutes with a lookup period of 5 minutes. What is the risk?

3. Which Sentinel analytics rule type uses machine learning to correlate alerts from multiple Microsoft products into multi-stage attack incidents?