- Provide a unique **Name** and a **Description**.
36
36
@@ -109,11 +109,24 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
109
109
110
110
:::image type="content" source="media/tutorial-detect-threats-custom/set-rule-logic-tab-2.png" alt-text="Set query schedule and event grouping" lightbox="media/tutorial-detect-threats-custom/set-rule-logic-tab-all-2-new.png":::
111
111
112
-
- Set **Run query every** to control how often the query is run - as frequently as every 5 minutes or as infrequently as once every 14 days.
112
+
- Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
113
113
114
-
- Set **Lookup data from the last** to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
114
+
- Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
115
+
116
+
- For the new **Start running** setting (in Preview):
117
+
118
+
- Leave it set to **Automatically** to continue the original behavior: the rule will run for the first time immediately upon being created, and after that at the interval set in the **Run query every** setting.
119
+
120
+
- Toggle the switch to **At specific time** if you want to determine when the rule first runs, instead of having it run immediately. Then choose the date using the calendar picker and enter the time in the format of the example shown.
121
+
122
+
:::image type="content" source="media/tutorial-detect-threats-custom/advanced-scheduling.png" alt-text="Screenshot of advanced scheduling toggle and settings.":::
123
+
124
+
Future runnings of the rule will occur at the specified interval after the first running.
125
+
126
+
The line of text under the **Start running** setting (with the information icon at its left) summarizes the current query scheduling and lookback settings.
115
127
116
128
> [!NOTE]
129
+
>
117
130
> **Query intervals and lookback period**
118
131
>
119
132
> These two settings are independent of each other, up to a point. You can run a query at a short interval covering a time period longer than the interval (in effect having overlapping queries), but you cannot run a query at an interval that exceeds the coverage period, otherwise you will have gaps in the overall query coverage.
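Review bot: The new **At specific time** bullet leaves the time format to "the example shown" in a screenshot and names no time zone, so the text alone does not tell a reader whether the first run is scheduled in UTC or local time; state the format and time zone in the bullet itself. Since a rule set this way does not run immediately, the bullet should also say that it raises no alerts until that first run, and whether the **Lookup data from the last** window needs to cover the period between creation and first run, which ties in with the existing note about gaps in query coverage. Wording: "Future runnings of the rule will occur at the specified interval after the first running" reads better as "Subsequent runs occur at the specified interval after the first run."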
-[Advanced scheduling for analytics rules (Preview)](#advanced-scheduling-for-analytics-rules-preview)
23
+
24
+
### Advanced scheduling for analytics rules (Preview)
25
+
26
+
To give you more flexibility in scheduling your analytics rule execution times and to help you avoid potential conflicts, Microsoft Sentinel now allows you to determine when newly created analytics rules will run for the first time. The default behavior is as it has been: for them to run immediately upon creation.
27
+
28
+
[Learn more about advanced scheduling](detect-threats-custom.md#query-scheduling-and-alert-threshold).
29
+
21
30
## January 2023
22
31
23
-
-[Monitor SAP system health (Preview)](#monitor-sap-system-health-and-role-preview)
-[Monitor SAP system health (Preview)](#monitor-sap-system-health-and-role-preview)
25
34
-[Microsoft Purview Information Protection connector (Preview)](#microsoft-purview-information-protection-connector-preview)
26
35
27
-
### Monitor SAP system health and role (Preview)
28
-
29
-
To ensure proper functioning and performance of your SAP systems, you can now use the SAP data connector page to [monitor information about the health of your SAP systems](monitor-sap-system-health.md) and the status of the SAP roles for the system. You can also use an alert rule template to get information about the health of the SAP agent's data collection.
30
-
31
36
### New incident investigation experience (Preview)
32
37
33
38
SOC analysts need to understand the full scope of an attack as fast as possible to respond effectively.
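Review bot: The new "Advanced scheduling for analytics rules (Preview)" paragraph says the feature helps "avoid potential conflicts" without saying what conflicts with what; name the conflict or drop the clause, because as written a reader cannot judge when to use the setting. The sentence "The default behavior is as it has been: for them to run immediately upon creation" would be clearer as "By default, rules still run immediately upon creation." The "Learn more" link targets `#query-scheduling-and-alert-threshold` in detect-threats-custom.md, and that heading is not among the lines shown in this commit, so confirm the anchor resolves. While the list entry is being moved, its link text "Monitor SAP system health (Preview)" could be aligned with the section heading "Monitor SAP system health and role (Preview)".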
@@ -40,6 +45,10 @@ Learn more about the new investigation experience:
40
45
-[Understand Microsoft Sentinel's incident investigation and case management capabilities](incident-investigation.md)
41
46
-[Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)
42
47
48
+
### Monitor SAP system health and role (Preview)
49
+
50
+
To ensure proper functioning and performance of your SAP systems, you can now use the SAP data connector page to [monitor information about the health of your SAP systems](monitor-sap-system-health.md) and the status of the SAP roles for the system. You can also use an alert rule template to get information about the health of the SAP agent's data collection.
51
+
43
52
### Microsoft Purview Information Protection connector (Preview)
44
53
45
54
With the new [Microsoft Purview Information Protection connector](connect-microsoft-purview.md), you can stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) to Microsoft Sentinel. You can use the data ingested from the Microsoft Purview labeling clients and scanners to track, analyze, report on the data, and use it for compliance purposes.
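Review bot: The relocated "Monitor SAP system health and role (Preview)" paragraph still ends by mentioning "an alert rule template" without naming or linking it, so a reader who wants alerts on the SAP agent's data collection has nothing to search for; add the template name or a link while the section is being touched. Also check that the order of entries in the list at the top of the January 2023 section matches the new order of sections, now that this one sits after "New incident investigation experience (Preview)".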