This chapter covers Microsoft Sentinel Near-Real-Time (NRT) Analytics Rules, a critical feature for SOC analysts who need faster detection than scheduled rules but without the overhead of real-time processing. On the SC-200 exam, NRT rules appear in approximately 5-10% of questions, typically in the context of selecting the appropriate rule type for a given scenario. You will need to understand the 5-minute default query interval, the differences from scheduled and Microsoft Security rules, and the specific use cases where NRT is the optimal choice. This chapter provides a deep dive into the mechanics, configuration, and exam-focused nuances of NRT rules.
Jump to a section
Imagine a high-end nightclub with a bouncer at the door. The bouncer has a VIP list that is updated every 5 minutes. When a VIP (a security event) arrives, the bouncer checks the list immediately — but the list only refreshes every 5 minutes. So if a VIP is added to the list 30 seconds after the bouncer last checked, that VIP will be turned away until the next refresh. The bouncer is very fast at checking (sub-second latency) but the list itself is not updated in real time. This is exactly how NRT rules work in Microsoft Sentinel: the rule runs every 5 minutes (by default) and queries data ingested in the last 5 minutes. When new data arrives, it is placed in a queue and processed within seconds, but the rule only looks at the most recent 5-minute window at each execution. The 'bouncer' is the rule engine, the 'VIP list' is the query result, and the 'VIP arrival' is a log event. If you need instant reaction (like stopping a credit card fraud in milliseconds), NRT is not enough — you need a real-time stream processing engine like Azure Stream Analytics. But for most security use cases where a 5-minute delay is acceptable, NRT provides a cost-effective and simple solution without the complexity of building a custom streaming pipeline.
What Are NRT Analytics Rules?
Near-Real-Time (NRT) analytics rules are a type of detection rule in Microsoft Sentinel designed to provide faster alert generation than scheduled analytics rules, while being simpler and more cost-effective than full stream-processing solutions. NRT rules run every 5 minutes by default and query data ingested in the last 5 minutes, producing alerts with a latency of typically under 2 minutes from when the triggering event occurs. They are ideal for scenarios where a delay of a few minutes is acceptable, such as detecting multiple failed logins from a single source or identifying known malicious IP addresses.
Why NRT Rules Exist
Before NRT rules, Sentinel offered two main rule types: scheduled analytics rules (run every 5 minutes or longer) and Microsoft Security rules (based on alerts from other Microsoft security products). Scheduled rules could be configured to run as frequently as every 5 minutes, but they still incurred the overhead of querying the entire workspace for the lookback period. NRT rules were introduced to provide a dedicated, optimized path for low-latency detection without the need for complex streaming analytics. They bridge the gap between scheduled rules (which can have delays up to 14 minutes due to ingestion and query scheduling) and real-time processing (which requires Azure Stream Analytics or similar).
How NRT Rules Work Internally
NRT rules use a specialized pipeline within Sentinel that reduces latency by:
Continuously ingesting and indexing data into a high-speed cache.
Running the rule's KQL query every 60 seconds (not every 5 minutes as commonly misunderstood) against the data from the last 5 minutes.
Processing results immediately to generate alerts and incidents.
The key difference from scheduled rules is that NRT rules do not wait for the full query interval to elapse before checking results. Instead, they execute the query at a higher frequency (every 1 minute) but only against a sliding 5-minute window. This means that an event occurring at time T will be included in the query window at T+1 minute (if the rule runs at T+1) and could generate an alert as early as T+1 minute, but the maximum delay is 5 minutes (if the event occurs immediately after a query execution).
Key Components, Values, Defaults, and Timers
Query Interval (Lookback Period): Fixed at 5 minutes. You cannot change this value. The rule queries data from the last 5 minutes.
Query Frequency (Execution Frequency): Every 1 minute. The rule runs its query every 60 seconds, but the query window is always the last 5 minutes. This is a key exam point: many candidates mistakenly think the frequency is also 5 minutes.
Alert Threshold: You can configure the rule to generate an alert only if the number of query results exceeds a threshold (e.g., > 5). This is optional.
Event Grouping: Can be set to group all events into a single alert or create an alert for each event. Default is to group all events into a single alert.
Suppression: Option to temporarily suppress alerts after a rule fires, to avoid alert fatigue. Duration can be set up to 24 hours.
Maximum Delay: The maximum time from an event occurring to an alert being generated is approximately 5 minutes (query window) + 1 minute (execution delay) + ingestion latency (typically < 1 minute). So total latency is usually under 7 minutes.
Configuration and Verification
To create an NRT rule in Sentinel: 1. Navigate to Analytics > Create > NRT rule. 2. Provide a name, description, and severity. 3. Write the KQL query. Example:
SigninLogs
| where TimeGenerated > ago(5m)
| where ResultType == "50057"
| summarize FailedCount = count() by UserPrincipalName
| where FailedCount > 5Set alert threshold (e.g., 5 failed logins).
Configure event grouping and suppression as needed.
Review and create.
To verify the rule is working:
Check the rule's status in the Analytics blade — it should show "Enabled" and the last run time.
View generated alerts in Incidents or Alerts.
Use the Log Analytics workspace to query the SecurityAlert table for alerts generated by the rule.
Interaction with Related Technologies
NRT rules complement other rule types: - Scheduled Rules: For use cases where a delay of up to 14 minutes is acceptable, or when you need to query data older than 5 minutes (e.g., looking back 24 hours). NRT cannot query beyond 5 minutes. - Microsoft Security Rules: These are based on alerts from products like Microsoft Defender for Endpoint. NRT rules are independent but can be used to correlate with those alerts. - Anomaly Rules: Use machine learning to detect unusual patterns. NRT rules are deterministic and do not use ML. - Fusion Rules: Correlate multiple alerts. NRT rules can feed into Fusion.
NRT rules are not suitable for:
Querying data older than 5 minutes (e.g., looking for patterns over 1 hour).
Scenarios requiring sub-second latency (e.g., blocking a transaction in real-time).
Complex aggregations over large datasets that might exceed execution time limits (rules must complete within 5 minutes or they time out).
Data Ingestion into Sentinel
Log data from various sources (e.g., Azure Activity, Microsoft 365 Defender, custom logs) is ingested into the Log Analytics workspace underlying Sentinel. Ingestion latency varies by data connector but is typically under 2 minutes. Data is indexed and made available for querying. For NRT rules, the data must be in the workspace within the 5-minute lookback window.
Rule Execution Every 60 Seconds
The NRT rule engine triggers the rule's KQL query every 60 seconds. This is a fixed interval and cannot be changed. The query is executed against a sliding window of the last 5 minutes (from the current time). This means that if the rule runs at 10:00:00, it queries data from 09:55:00 to 10:00:00. If it runs again at 10:01:00, it queries from 09:56:00 to 10:01:00.
Query Processing and Result Evaluation
The KQL query is executed against the workspace. The query must complete within 5 minutes; otherwise, it times out. Results are evaluated against any configured threshold. For example, if the threshold is set to 5, the rule only triggers if the query returns at least 5 rows. If no threshold is set, any non-empty result triggers an alert.
Alert Generation and Incident Creation
If the query results meet the threshold (or if any results exist when no threshold is set), an alert is generated. The alert includes the query results and any custom details defined in the rule. By default, the alert is automatically turned into an incident in Sentinel, unless the rule is configured to suppress incident creation. The incident is assigned the severity set in the rule and can trigger automation rules.
Suppression and Cooldown
After an alert is generated, the rule can be configured to suppress further alerts for a specified duration (up to 24 hours). During suppression, the rule still runs, but no new alerts or incidents are created. This prevents alert fatigue from repeated identical alerts. The suppression period starts from the time the alert is generated, not from the time of the event.
Enterprise Scenario 1: Detecting Brute-Force Attacks on VPN
A large enterprise uses Sentinel to monitor VPN authentication logs. They need to detect when a single user account has more than 10 failed login attempts within 5 minutes. NRT rules are ideal here because the attack pattern is time-bound and requires quick response. The rule queries SigninLogs for events with ResultType == '50057' and groups by UserPrincipalName. If the count exceeds 10, an alert is generated. The SOC team then investigates and potentially blocks the user account. With NRT, the alert arrives within 2-3 minutes of the attack, allowing the team to respond before the attacker succeeds.
Enterprise Scenario 2: Known Malicious IP Detection
A financial services company maintains a threat intelligence feed of known malicious IP addresses. They ingest this feed into Sentinel as a custom log table. An NRT rule correlates incoming network traffic logs with the threat intelligence table. If a match is found in the last 5 minutes, an alert is generated. This is a simple, low-latency detection that does not require complex processing. The rule runs every minute, ensuring that even if the threat feed is updated, the detection is nearly real-time.
Common Pitfalls and Misconfigurations
Incorrect Query Scope: A common mistake is writing a query that looks back more than 5 minutes (e.g., ago(10m)). The rule will still work, but it will only see data from the last 5 minutes because the query window is fixed. This can lead to missed detections.
Threshold Misunderstanding: Setting a threshold of 0 will cause the rule to never fire, because the query must return at least 1 row. Setting a threshold of 1 means any result triggers an alert.
Execution Timeout: If the query takes longer than 5 minutes to complete, it will time out and no alert is generated. This often happens with queries that scan large tables without proper filtering or indexing. To avoid this, use time filters and limit the dataset.
Suppression Overuse: Setting a long suppression period (e.g., 24 hours) can cause the rule to miss subsequent attacks on different accounts. It is better to use a shorter suppression or rely on incident management to handle duplicates.
What SC-200 Tests on NRT Rules
The SC-200 exam objective 2.3 specifically covers "Design and configure Microsoft Sentinel analytics rules." Within this, NRT rules are tested on:
Understanding the difference between NRT and scheduled rules (frequency, lookback period, latency).
Knowing the fixed 5-minute query window and 1-minute execution frequency.
Identifying appropriate use cases for NRT vs. scheduled vs. Microsoft Security rules.
Configuring alert thresholds and event grouping.
Common Wrong Answers and Why Candidates Choose Them
"NRT rules run every 5 minutes." This is the most common mistake. Candidates confuse the query window (5 minutes) with the execution frequency (1 minute). The exam will present a scenario where a rule runs every 5 minutes — that is a scheduled rule, not NRT.
"NRT rules can query data from the last 24 hours." NRT rules are limited to a 5-minute lookback. If you need to analyze data over a longer period, you must use a scheduled rule.
"NRT rules are suitable for real-time blocking." The exam may ask which rule type to use for immediate response. NRT has a delay of up to 5 minutes, so it is not real-time. The correct answer is to use Azure Stream Analytics or a custom solution.
"NRT rules require a specific license." NRT rules are available in all Sentinel tiers (pay-as-you-go and capacity reservations). There is no additional licensing requirement.
Specific Numbers and Terms to Memorize
Query window: 5 minutes (fixed)
Execution frequency: 1 minute (fixed)
Maximum query execution time: 5 minutes (timeout)
Suppression duration: up to 24 hours
Event grouping options: Group all events into a single alert or Trigger an alert for each event
Edge Cases the Exam Loves
What happens if the query returns zero results? No alert is generated.
Can you change the query window? No, it is fixed at 5 minutes.
Can NRT rules be used with custom logs? Yes, as long as the data is ingested into Sentinel.
What is the maximum latency from event to alert? Typically 5-7 minutes, depending on ingestion.
How to Eliminate Wrong Answers
If the question mentions a lookback period longer than 5 minutes, eliminate NRT.
If the question requires immediate action (seconds), eliminate NRT.
If the question says the rule runs every 5 minutes, it's likely a scheduled rule — look for the phrase "every 1 minute" to identify NRT.
If the question involves ML or anomaly detection, it's not NRT.
NRT rules run every 1 minute with a fixed 5-minute query window.
Maximum event-to-alert latency is approximately 5-7 minutes.
NRT rules cannot query data older than 5 minutes.
Alert threshold is optional; if set, the rule only fires when the result count exceeds the threshold.
Suppression can be configured for up to 24 hours to prevent alert fatigue.
NRT rules are not suitable for real-time blocking or sub-second response.
The KQL query must complete within 5 minutes or it times out.
These come up on the exam all the time. Here's how to tell them apart.
NRT Analytics Rule
Query window: fixed 5 minutes
Execution frequency: every 1 minute
Latency: typically 2-5 minutes
Cannot query data older than 5 minutes
Best for time-sensitive, short-window detections
Scheduled Analytics Rule
Query window: configurable (5 min to 14 days)
Execution frequency: configurable (5 min to 14 days)
Latency: up to query interval + ingestion delay
Can query data from the past (e.g., 24 hours)
Best for pattern analysis over longer periods
Mistake
NRT rules run every 5 minutes.
Correct
NRT rules actually run every 1 minute (60 seconds). The 5-minute value is the query window (lookback period), not the execution frequency.
Mistake
NRT rules can query data older than 5 minutes.
Correct
The query window is fixed to the last 5 minutes. Any query that attempts to look back further (e.g., ago(1h)) will still only see data from the last 5 minutes.
Mistake
NRT rules are real-time (sub-second latency).
Correct
NRT rules have a latency of up to 5 minutes from event to alert. They are 'near real-time' but not truly real-time. For sub-second latency, use Azure Stream Analytics.
Mistake
You can change the execution frequency of an NRT rule.
Correct
The execution frequency is fixed at 1 minute. You cannot configure it to run more or less frequently.
Mistake
NRT rules require a higher licensing tier.
Correct
NRT rules are available in all Sentinel pricing tiers (pay-as-you-go and capacity reservations) at no additional cost.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The primary difference is the query window and execution frequency. NRT rules have a fixed 5-minute query window and run every 1 minute, providing faster detection for short-term patterns. Scheduled rules have configurable query windows (from 5 minutes to 14 days) and execution frequencies (from 5 minutes to 14 days), making them suitable for analyzing data over longer periods. On the exam, if a scenario requires detecting events within a 5-minute window and alerting quickly, choose NRT; if it needs to look back hours or days, choose scheduled.
Yes, NRT rules are ideal for detecting brute-force attacks where multiple failed logins occur within a short time window (e.g., 5 minutes). You can write a KQL query that counts failed login attempts per user and triggers an alert if the count exceeds a threshold. The low latency of NRT ensures the SOC can respond quickly. However, if the brute-force attack spans longer than 5 minutes, a scheduled rule with a longer lookback is more appropriate.
If the KQL query takes longer than 5 minutes to execute, the rule times out and no alert is generated. This can happen if the query is inefficient or scans a large volume of data without proper filtering. To avoid timeouts, ensure your query uses time filters (e.g., `where TimeGenerated > ago(5m)`) and limits the scope of data scanned. If the query consistently times out, consider optimizing the query or using a scheduled rule with a longer execution window.
To create an NRT rule, go to the Sentinel workspace, navigate to Analytics, click 'Create' and select 'NRT rule'. Provide a name, description, severity, and write the KQL query. Optionally set an alert threshold and configure event grouping and suppression. Review and create the rule. The rule will start running within minutes. You can verify its status in the Analytics blade.
The maximum suppression duration is 24 hours. After an alert is generated, you can suppress further alerts for up to 24 hours. This helps reduce alert fatigue from repeated identical alerts. The suppression period starts from the time the alert is created, not from the event time.
Yes, NRT rules can query custom tables, including threat intelligence feeds ingested into Sentinel. For example, you can import a list of known malicious IPs and write a query that joins incoming logs with that table. If a match is found within the last 5 minutes, an alert is generated. This is a common use case for NRT rules.
Yes, NRT rules are available in all Sentinel pricing tiers, including pay-as-you-go and capacity reservations. There is no additional licensing cost to use NRT rules beyond the standard Sentinel data ingestion and retention costs.
You've just covered Sentinel Near-Real-Time (NRT) Analytics Rules — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?