Commit 2ef2b61

committed
Advanced scheduling of analytics rules
1 parent 0fa246d commit 2ef2b61

4 files changed

+28
-3
lines changed

articles/sentinel/detect-threats-custom.md

Lines changed: 20 additions & 3 deletions
@@ -30,7 +30,7 @@ Analytics rules search for specific events or sets of events across your environ
3030

3131
:::image type="content" source="media/tutorial-detect-threats-custom/create-scheduled-query-small.png" alt-text="Create scheduled query" lightbox="media/tutorial-detect-threats-custom/create-scheduled-query-full.png":::
3232

33-
### Analytics rule wizard - General tab
33+
### Analytics rule wizard—General tab
3434

3535
- Provide a unique **Name** and a **Description**.
3636

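Review bot: The only change in this hunk (line 33) swaps the spaced hyphen in "Analytics rule wizard - General tab" for an em dash. If the other wizard tab headings in this file keep the hyphen form, this one becomes inconsistent, and changing the heading text may also change the generated anchor for any link that targets it. Either update all sibling tab headings in the same commit or keep the existing form.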
@@ -109,15 +109,32 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
109109
110110
:::image type="content" source="media/tutorial-detect-threats-custom/set-rule-logic-tab-2.png" alt-text="Set query schedule and event grouping" lightbox="media/tutorial-detect-threats-custom/set-rule-logic-tab-all-2-new.png":::
111111
112-
- Set **Run query every** to control how often the query is run - as frequently as every 5 minutes or as infrequently as once every 14 days.
112+
- Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
113113
114-
- Set **Lookup data from the last** to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
114+
- Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
115+
116+
- For the new **Start running** setting (in Preview):
117+
118+
- Leave it set to **Automatically** to continue the original behavior: the rule will run for the first time immediately upon being created, and after that at the interval set in the **Run query every** setting.
119+
120+
- Toggle the switch to **At specific time** if you want to determine when the rule first runs, instead of having it run immediately. Then choose the date using the calendar picker and enter the time in the format of the example shown.
121+
122+
:::image type="content" source="media/tutorial-detect-threats-custom/advanced-scheduling.png" alt-text="Screenshot of advanced scheduling toggle and settings.":::
123+
124+
Future runnings of the rule will occur at the specified interval after the first running (see **Advanced scheduling** note below).
125+
126+
The line of text under the **Start running** setting (with the information icon at its left) summarizes the current query scheduling and lookback settings.
115127
116128
> [!NOTE]
129+
>
117130
> **Query intervals and lookback period**
118131
>
119132
> These two settings are independent of each other, up to a point. You can run a query at a short interval covering a time period longer than the interval (in effect having overlapping queries), but you cannot run a query at an interval that exceeds the coverage period, otherwise you will have gaps in the overall query coverage.
120133
>
134+
> **Advanced scheduling**
135+
>
136+
> If you choose to start the running of a rule at a specific time (instead of automatically upon creation), be aware that the **actual** first run time of the rule may vary from the time you specified by up to half an hour in either direction. In any case, the interval for future runnings will be measured from the actual starting time of the previous run, not from the specified time.
137+
>
121138
> **Ingestion delay**
122139
>
123140
> To account for **latency** that may occur between an event's generation at the source and its ingestion into Microsoft Sentinel, and to ensure complete coverage without data duplication, Microsoft Sentinel runs scheduled analytics rules on a **five-minute delay** from their scheduled time.
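Review bot: "Future runnings of the rule" (new line 124) and "the interval for future runnings" (line 136) should read "future runs". On substance, the **Automatically** bullet (line 118) says the rule runs "immediately upon being created", while the **Ingestion delay** note below states that scheduled rules run on a five-minute delay from their scheduled time; the text should say which applies to the first run. The **Advanced scheduling** note also says the actual first run may land up to half an hour before or after the chosen time and that later runs are measured from the actual start of the previous run; since readers size **Lookup data from the last** against **Run query every** to avoid coverage gaps, one sentence confirming that the lookback window is likewise measured from the actual run time would close the obvious question. Finally, "enter the time in the format of the example shown" (line 120) would be clearer if it named the expected format.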

articles/sentinel/whats-new.md

Lines changed: 8 additions & 0 deletions
@@ -18,6 +18,14 @@ See these [important announcements](#announcements) about recent changes to feat
1818

1919
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
2020

21+
## February 2023
22+
23+
### Advanced scheduling for analytics rules (Preview)
24+
25+
To give you more flexibility in scheduling your analytics rule execution times, and avoid potential conflicts, Microsoft Sentinel now allows you to determine when newly created analytics rules will run for the first time. The default behavior is as it has been: for them to run immediately upon creation.
26+
27+
[Learn more about advanced scheduling](detect-threats-custom.md#query-scheduling-and-alert-threshold).
28+
2129
## January 2023
2230

2331
- [Monitor SAP system health (Preview)](#monitor-sap-system-health-and-role-preview)
