Set the run frequency

A rule's run frequency affects how quickly detections are discovered for that rule. A longer run frequency increases the time between when an event occurs and when a detection is processed for that event. For details, see Detection latencies.

To specify the run frequency for a rule, complete the following steps:

  1. Navigate to the Rules Dashboard.

  2. Open the rule options menu.

  3. Click Run frequency.

  4. Choose one of the Run frequency values.

    • Near Real-time: Single-event rules can be executed over data in streaming fashion. The detection engine executes rules as soon as data is processed.
    • 10 min: For multi-event rules, choose this frequency if you want your detections as soon as possible.
    • 1 hr: Detections begin to process after 1-2 hours, after which they are subject to normal detection latency.
    • 24 hrs: Detections begin to process after 24 hours, after which they are subject to normal detection latency.

    Multi-event rules with a window size greater than one hour are limited to the 1 hr and 24 hrs run frequencies.
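
The window-size limit above can be checked before a rule is deployed. The following is an added example, not code from the product or its documentation: it assumes rules are written in YARA-L 2.0, where the match section ends in `over <N><unit>`, and the function names and the sample rule are constructed for illustration.

```python
import re

# Run frequency labels as listed in the steps above.
MULTI_EVENT_ALL = ["10 min", "1 hr", "24 hrs"]
MULTI_EVENT_LONG_WINDOW = ["1 hr", "24 hrs"]
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Assumption: YARA-L 2.0 syntax, where the match section ends in "over <N><unit>".
MATCH_WINDOW = re.compile(r"\bmatch\s*:.*?\bover\s+(\d+)\s*([smhd])\b", re.S)

# Constructed sample rule (not taken from the page).
SAMPLE_RULE = """
rule constructed_failed_logins {
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    $e.target.user.userid = $user
  match:
    $user over 2h
  condition:
    #e > 5
}
"""


def match_window_seconds(rule_text):
    """Return the match window in seconds, or None if the rule has no match window."""
    # Drop // line comments so a commented-out match section is not counted.
    code = re.sub(r"//[^\n]*", "", rule_text)
    m = MATCH_WINDOW.search(code)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None


def allowed_frequencies(window_seconds):
    """Frequencies the page lists for a multi-event rule with this window size."""
    return MULTI_EVENT_LONG_WINDOW if window_seconds > 3600 else MULTI_EVENT_ALL


def check_rule(rule_text, chosen):
    """Return a problem description, or None if the chosen frequency is acceptable."""
    window = match_window_seconds(rule_text)
    if window is None:
        return None  # no match window: outside the multi-event limit checked here
    allowed = allowed_frequencies(window)
    if chosen not in allowed:
        return f"window {window}s: '{chosen}' not available, choose one of {allowed}"
    return None
```

Calling `check_rule(SAMPLE_RULE, "10 min")` reports a problem because the 2h window exceeds one hour, while `"1 hr"` passes.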