You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/detect-threats-custom.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -41,7 +41,7 @@ Analytics rules search for specific events or sets of events across your environ
41
41
42
42
1. Set the alert **Severity** as appropriate.
43
43
44
-
1 When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
44
+
1. When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
45
45
46
46
:::image type="content" source="media/tutorial-detect-threats-custom/general-tab.png" alt-text="Start creating a custom analytics rule":::
47
47
@@ -110,11 +110,11 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
110
110
111
111
:::image type="content" source="media/tutorial-detect-threats-custom/set-rule-logic-tab-2.png" alt-text="Set query schedule and event grouping" lightbox="media/tutorial-detect-threats-custom/set-rule-logic-tab-all-2-new.png":::
112
112
113
-
1. Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
113
+
- Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
114
114
115
-
1. Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
115
+
- Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
116
116
117
-
1. For the new **Start running** setting (in Preview):
117
+
- For the new **Start running** setting (in Preview):
118
118
119
119
- Leave it set to **Automatically** to continue the original behavior: the rule will run for the first time immediately upon being created, and after that at the interval set in the **Run query every** setting.
0 commit comments