This chapter dives deep into two critical analytics rule types in Microsoft Sentinel: Scheduled Analytics Rules and Near-Real-Time (NRT) Rules. Understanding when and how to use each is essential for the SC-200 exam, as questions on rule configuration and detection logic appear frequently — roughly 15-20% of exam questions touch on analytics rules. We will cover their internal mechanisms, configuration parameters, performance trade-offs, and exam-specific traps to help you choose the right rule type for any scenario.
Jump to a section
Imagine a large office building with a fire alarm system and a security guard. The fire alarm is like a Scheduled Analytics Rule: it checks every floor at a fixed interval (say, every 5 minutes) for smoke or heat. When it detects a fire, it triggers a building-wide alarm and calls the fire department. The alarm cannot detect a fire that starts and is extinguished between checks — it only sees what's present at the moment of the check. The security guard, on the other hand, is like a Near-Real-Time (NRT) Rule: they patrol continuously, watching live camera feeds and walking the halls. If they see a suspicious person or a small fire starting, they can act immediately, often in under a minute. However, the guard cannot be everywhere at once; they might miss something if they are looking the other way. The fire alarm is deterministic and covers all areas at once, but has latency. The guard provides faster response but may miss events due to human limits. In Microsoft Sentinel, Scheduled rules query logs at intervals (e.g., every 5 minutes) and can run complex logic, while NRT rules query logs every 1 minute with limited logic but lower latency. The choice depends on whether you need high-fidelity detection with some delay (scheduled) or low-latency response for fast-spreading threats (NRT).
What Are Scheduled Analytics Rules and NRT Rules?
Microsoft Sentinel analytics rules are the backbone of threat detection. They define conditions under which alerts are generated from ingested data. The two primary types are Scheduled and NRT (Near-Real-Time). Scheduled rules run Kusto Query Language (KQL) queries on a recurring schedule (e.g., every 5 minutes) against your Log Analytics workspace. NRT rules also run KQL queries but at a much higher frequency (every 1 minute) and with a shorter evaluation window. The key difference is latency vs. throughput: Scheduled rules can handle complex queries across large datasets, while NRT rules prioritize speed with simpler queries.
How Scheduled Rules Work Internally
A Scheduled rule is defined with a query, a run frequency, a lookback period (query period), and alert threshold logic. When the rule triggers, Sentinel runs the query against the workspace, looking at data within the lookback period. The query returns results, and if they meet the threshold (e.g., number of results > 0), an alert is created. The schedule is independent of the lookback; for example, you can run a query every 5 minutes looking back 1 hour. This allows detection of patterns that span multiple ingestion intervals.
Key parameters: - Frequency: How often the rule runs. Default: 5 minutes. Minimum: 5 minutes. Maximum: 14 days. - Query Period: How far back the query looks. Must be >= frequency. Default: 5 hours. Maximum: 14 days. - Threshold: Number of results to trigger an alert. Default: >0. - Suppression: After an alert is generated, you can suppress further alerts for a configurable duration (up to 24 hours). - Event Grouping: Can group multiple events into a single alert (by entity or by time window).
Performance considerations: Scheduled rules can run complex joins, aggregations, and machine learning functions. However, they consume resources from the workspace. If too many rules run simultaneously, they may be throttled. Microsoft recommends keeping the total number of scheduled rules under 500 per workspace.
How NRT Rules Work Internally
NRT rules are designed for scenarios where sub-minute latency is critical. They run every 1 minute and evaluate only the last 1 minute of data. The query must be simple — no cross-workspace queries, no join with more than one table, no complex aggregations like summarize over large windows. The rule processes data in near-real-time using a dedicated pipeline that bypasses the standard query engine. This reduces latency but limits query complexity.
Key parameters: - Frequency: Fixed at 1 minute. Cannot be changed. - Query Period: Fixed at 1 minute. Cannot be changed. - Threshold: Similar to scheduled rules. - Suppression: Supported. - Event Grouping: Supported but limited to single event per alert.
Limitations:
- Only one table or function can be queried (no cross-table joins).
- summarize is allowed but only with bin on TimeGenerated and simple aggregations like count().
- make-series and complex time-series functions are not allowed.
- Maximum query length: 10 KB.
- Cannot use externaldata or evaluate plugin.
When to Use Each
Use Scheduled rules when:
You need to detect patterns over long periods (e.g., brute force attempts over 1 hour).
Your query requires joins across multiple tables (e.g., combining Windows Event logs with network logs).
You need advanced analytics like anomaly detection or machine learning.
Latency of up to 5 minutes (plus query time) is acceptable.
Use NRT rules when:
You need immediate response to fast-moving threats (e.g., ransomware file encryption detected in process creation events).
The detection logic is simple (single table, simple filter).
Sub-minute latency is required.
You are willing to trade off query complexity for speed.
Interaction with Incidents and Automation
Both rule types can generate alerts that are grouped into incidents. Incident creation can be enabled or disabled per rule. For Scheduled rules, you can configure alert grouping by entities or time windows. NRT rules automatically create one incident per alert (unless grouping is disabled). Both can trigger automation rules and playbooks.
Default Values and Limits
Scheduled rule frequency: 5 minutes (minimum).
Scheduled rule query period: 5 hours (default).
NRT rule frequency: 1 minute (fixed).
NRT rule query period: 1 minute (fixed).
Maximum number of NRT rules per workspace: 50.
Maximum number of scheduled rules per workspace: 500 (soft limit).
Maximum query execution time for NRT: 10 seconds.
Maximum query execution time for scheduled: 10 minutes (default timeout).
Verification and Monitoring
To check rule status:
Use the Analytics blade in Sentinel to view rule health (success/failure rate, latency).
Use KQL queries on the SecurityAlert table to see generated alerts.
Monitor the ScheduledQueryRules table for rule execution logs.
For example, find all NRT rules:
ScheduledQueryRules
| where Properties contains "NRT"
| project RuleName, Status, LastRunTimeExam-Relevant Details
The SC-200 exam tests your ability to select the appropriate rule type. Key differentiating factors: - Latency: NRT = ~1 minute, Scheduled = frequency (default 5 min). - Query complexity: Scheduled = high, NRT = low. - Data scope: Scheduled = lookback period (up to 14 days), NRT = last 1 minute. - Limits: NRT max 50 per workspace, scheduled max 500. - Grouping: Scheduled supports advanced grouping; NRT supports only single event per alert.
A common exam scenario: "You need to detect a DDoS attack within 30 seconds of onset. Which rule type?" Answer: NRT, because it runs every minute and has low latency. However, if the detection requires correlating firewall logs with server logs, you must use Scheduled because NRT cannot cross tables.
Define Detection Requirement
Identify the threat scenario: what data sources are needed, how quickly must the alert fire, and what query logic is required. For example, detecting a single failed login from a new IP might be simple and urgent, suggesting NRT. Detecting a brute force over 10 minutes across multiple servers requires a join and aggregation, so Scheduled is appropriate. Document the required latency: if sub-minute is critical, NRT is mandatory; otherwise, Scheduled is more flexible.
Write and Test KQL Query
Draft the KQL query in the Logs blade. For NRT, ensure the query is simple: single table, no joins (except with a single other table using `join kind=inner` is allowed but discouraged), no complex aggregations. For Scheduled, you can use joins, `summarize`, time-series functions, etc. Test the query with a realistic time range. For NRT, set the time range to 1 minute and verify it returns results quickly (under 10 seconds). For Scheduled, test with the intended lookback period.
Configure Rule Parameters
In the Analytics blade, create a new rule. For Scheduled, set Frequency (e.g., 5 minutes) and Query Period (e.g., 5 hours). For NRT, these are fixed. Set Alert Threshold (e.g., >0). Configure Event Grouping: for Scheduled, you can group by entity or time window; for NRT, only single event. Enable Incident creation if needed. Set Suppression duration to avoid alert fatigue. For Scheduled, consider using Query Scheduling to run at specific times if needed.
Set Automation and Response
Attach automation rules or playbooks to respond to alerts. For example, an NRT rule detecting a ransomware process can trigger a playbook that isolates the machine. Automation rules can be set to run at alert creation or incident creation. Ensure the automation does not introduce unacceptable latency—NRT rules are often paired with immediate automated response. For Scheduled rules, automation can be more complex, like creating a ticket in a ticketing system.
Monitor and Tune
After deployment, monitor rule health via the Analytics blade. Check for failures (e.g., query timeout, syntax errors). For NRT, ensure the query completes within 10 seconds. For Scheduled, watch for throttling if many rules run simultaneously. Adjust frequency or query complexity if needed. Use the `ScheduledQueryRules` table to review execution logs. Tune thresholds to reduce false positives. Re-evaluate whether the rule type is still appropriate as requirements evolve.
Enterprise Scenario 1: Rapid Ransomware Detection
A large enterprise deploys Sentinel to detect ransomware early. The SOC needs to alert within 1 minute of a known ransomware process starting. The detection logic is simple: look for process creation events where the file name matches a list of known ransomware hashes. This is a perfect use case for an NRT rule because the query is simple (single table SecurityEvent or DeviceProcessEvents), the threshold is >0, and latency must be under a minute. The rule is configured to run every minute and trigger a playbook that automatically isolates the affected machine via Microsoft Defender for Endpoint. In production, the rule generates an alert on average 45 seconds after the event occurs (including ingestion delay). The SOC receives the alert before the ransomware can encrypt many files.
What goes wrong when misconfigured: If the SOC mistakenly uses a Scheduled rule with 5-minute frequency, the alert might fire 5-6 minutes after the process starts, by which time the ransomware could have encrypted critical data. Conversely, if they try to use an NRT rule with a complex query (e.g., joining process events with network logs), the query times out and no alerts are generated, leaving the threat undetected.
Enterprise Scenario 2: Brute Force Attack Detection
A financial institution needs to detect brute force attacks against its VPN. The attack typically involves hundreds of failed logins from multiple IPs over 30 minutes. The detection requires correlating multiple failed login events (from SigninLogs) and grouping by source IP. This requires a query that aggregates over a 30-minute window and filters for IPs with >10 failures. A Scheduled rule is appropriate because the query uses summarize and count() over a 30-minute lookback. The rule is set to run every 5 minutes with a 30-minute query period. It triggers an alert when any source IP has >10 failures. The alert is then escalated to the SOC for investigation.
What goes wrong when misconfigured: If an NRT rule is used, it can only look at 1 minute of data, so it would only detect a very aggressive brute force (e.g., >10 failures in 1 minute). Most attacks spread out failures to avoid detection, so NRT would miss them. Also, the query would need to be simplified to avoid joins, potentially losing correlation across different user accounts.
Enterprise Scenario 3: Compliance Monitoring for Data Exfiltration
A healthcare provider must monitor for unauthorized data access. They need to detect when a user accesses more than 100 patient records in an hour, which could indicate data exfiltration. This requires querying OfficeActivity logs for FileAccessed events, aggregating by user over a 1-hour window. A Scheduled rule is used with a 1-hour query period and a 5-minute frequency. The rule uses summarize to count accesses per user and triggers if count > 100. The alert is sent to the compliance team.
What goes wrong when misconfigured: If the rule frequency is set too high (e.g., every 5 minutes with a 1-hour lookback), the same events are evaluated multiple times, potentially causing duplicate alerts. Proper suppression settings (e.g., suppress for 1 hour after alert) prevent this. If NRT were used, it could only detect >100 accesses in 1 minute, which is unrealistic for normal use, leading to missed detections.
SC-200 Objective Coverage
This topic falls under Objective 2.3: Create and manage analytics rules in Microsoft Sentinel. Specifically, you need to:
Differentiate between Scheduled and NRT rules.
Choose the appropriate rule type based on detection requirements (latency, complexity).
Configure rule parameters correctly (frequency, query period, thresholds).
Understand limitations and defaults.
Common Wrong Answers and Why
Wrong Answer 1: "Use an NRT rule for any detection that requires low latency." While NRT rules have low latency, they cannot handle complex queries or long lookback periods. If the detection requires joining multiple tables or aggregating over hours, NRT is unsuitable. The exam often presents a scenario where the detection logic is complex but latency is important — the correct answer is Scheduled rule because NRT cannot handle the query.
Wrong Answer 2: "Scheduled rules can run every 1 minute." The minimum frequency for Scheduled rules is 5 minutes. If you need sub-5-minute latency, you must use NRT. Candidates often confuse the minimum frequency.
Wrong Answer 3: "NRT rules can query multiple tables with joins." NRT rules are limited to a single table (or a single join with one other table, but this is discouraged and may not be tested). The exam explicitly tests this limitation.
Wrong Answer 4: "Both rule types support the same query capabilities."
NRT rules have severe restrictions: no cross-workspace queries, no complex aggregations like make-series, no externaldata, and limited summarize. Scheduled rules are much more flexible.
Specific Numbers and Terms to Memorize
NRT frequency: 1 minute (fixed).
Scheduled minimum frequency: 5 minutes.
NRT query period: 1 minute.
Scheduled default query period: 5 hours.
Maximum NRT rules per workspace: 50.
Maximum Scheduled rules per workspace: 500.
NRT maximum query execution time: 10 seconds.
Scheduled default query timeout: 10 minutes.
Edge Cases and Exceptions
If a Scheduled rule's query period is less than the frequency, the rule will still run but will only look at data within the query period (which may be empty). The exam may test that query period must be >= frequency.
NRT rules do not support alert grouping by entity; each alert is a single event.
Both rule types support suppression, but for NRT, suppression is often unnecessary because alerts are generated quickly and infrequently.
You can convert a Scheduled rule to an NRT rule only if the query meets NRT limitations.
How to Eliminate Wrong Answers
When you see a question asking which rule type to use, first check the required latency: if the scenario says "within 1 minute" or "near-real-time", NRT is likely. Then check the query complexity: if it involves joins, multiple tables, or long time windows, it must be Scheduled. If both latency and complexity are high, the scenario is unrealistic — the exam will always have one clear constraint that eliminates one option. Also, look for explicit mentions of "single table" or "simple filter" to hint at NRT.
NRT rules run every 1 minute with a 1-minute query period; Scheduled rules run at a configurable frequency (minimum 5 minutes) with a configurable query period (default 5 hours).
Use NRT when sub-minute latency is required and the detection logic is simple (single table, simple filter).
Use Scheduled when the detection requires complex queries (joins, aggregations, long lookback) or when latency of 5+ minutes is acceptable.
NRT rules are limited to 50 per workspace; Scheduled rules are limited to 500 per workspace.
NRT rules cannot use cross-workspace queries, externaldata, or complex time-series functions.
Scheduled rules support alert grouping by entities; NRT rules do not.
The minimum frequency for Scheduled rules is 5 minutes; you cannot set it lower.
NRT maximum query execution time is 10 seconds; Scheduled default timeout is 10 minutes.
Both rule types support suppression and automation rules/playbooks.
When in doubt, check the required latency and query complexity to choose the correct rule type.
These come up on the exam all the time. Here's how to tell them apart.
Scheduled Analytics Rules
Minimum frequency: 5 minutes
Query period can be up to 14 days
Supports complex queries (joins, multiple tables, aggregations)
Maximum 500 rules per workspace
Supports advanced alert grouping by entities or time windows
NRT (Near-Real-Time) Rules
Fixed frequency: 1 minute
Fixed query period: 1 minute
Limited to simple queries (single table, no complex joins)
Maximum 50 rules per workspace
No entity grouping; each alert is a single event
Mistake
NRT rules can run any KQL query that a Scheduled rule can.
Correct
NRT rules are severely limited: they can only query a single table (or one join), cannot use complex aggregations like `make-series`, cannot use `externaldata`, and have a maximum query length of 10 KB. Scheduled rules are much more flexible.
Mistake
Scheduled rules can run every 1 minute if you set the frequency to 1 minute.
Correct
The minimum frequency for Scheduled rules is 5 minutes. You cannot set it lower. For sub-5-minute detection, you must use NRT rules.
Mistake
Both rule types support alert grouping by entities.
Correct
Scheduled rules support grouping by entities (e.g., group all alerts from same IP into one incident). NRT rules do not; each NRT alert is a single event and cannot be grouped by entity.
Mistake
NRT rules are always faster than Scheduled rules for any detection.
Correct
NRT rules run every 1 minute, so they detect events within ~1 minute. However, if the detection requires a long lookback (e.g., 1 hour), NRT cannot do it because its query period is fixed at 1 minute. In that case, a Scheduled rule with a 5-minute frequency may detect the pattern faster overall because it can look back further.
Mistake
You can have unlimited NRT rules in a workspace.
Correct
The maximum number of NRT rules per workspace is 50. For Scheduled rules, the soft limit is 500. Exceeding these limits can cause performance issues or rule failures.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Scheduled rules run KQL queries on a recurring schedule (minimum every 5 minutes) and can look back up to 14 days. They support complex queries including joins and aggregations. NRT rules run every 1 minute with a 1-minute lookback and are limited to simple queries on a single table. NRT is for low-latency detection, Scheduled for complex detection over longer periods.
No, because NRT rules only evaluate the last 1 minute of data. To detect a brute force over 30 minutes, you need a Scheduled rule with a query period of 30 minutes and an aggregation like `summarize count() by IP`.
The maximum is 50 NRT rules per workspace. For Scheduled rules, the soft limit is 500.
No, the minimum frequency for Scheduled rules is 5 minutes. If you need sub-5-minute detection, you must use an NRT rule.
No, NRT rules do not support grouping by entity. Each alert corresponds to a single event. Scheduled rules support grouping by entities or time windows.
NRT rules can only query a single table (or one join), cannot use `externaldata`, `make-series`, complex `summarize` (except simple `count` with `bin`), and have a maximum query length of 10 KB. They also cannot query multiple workspaces.
Use the Analytics blade in Sentinel to view rule health (success rate, failures, latency). You can also query the `ScheduledQueryRules` table for execution logs, e.g., `ScheduledQueryRules | where RuleName contains "BruteForce" | project TimeGenerated, Status, ResultType`.
You've just covered Scheduled Analytics Rules vs NRT Rules — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?