Rule run frequency impacts the latency with which detections are discovered for
each rule. Longer run frequencies increase the amount of time between when an
event occurs and when a detection is processed for that event.
For details, see Detection latencies.
To specify the run frequency for a rule, complete the following steps:
1. Navigate to the Rules Dashboard.
2. Open the rule options menu.
3. Click Run frequency.
4. Choose one of the Run frequency values:
   - Near Real-time: Single-event rules can be executed over data in streaming fashion. The detection engine executes rules as soon as data is processed.
   - 10 min: For multi-event rules, choose this frequency if you want your detections as soon as possible.
   - 1 hr: Detections begin to process after 1-2 hours, after which they are subject to normal detection latency.
   - 24 hrs: Detections begin to process after 24 hours, after which they are subject to normal detection latency.
Multi-event rules with a window size greater than one hour are limited to the 1 hr and 24 hrs run frequencies.
Last updated 2025-03-13 UTC.