Sign In

DE1.6 NRT Rules — When Seconds Matter

2-3 hours · Module 1 · Free
Operational Objective
The NRT Architecture: Near-Real-Time rules run approximately every minute — 12x faster than a 5-minute scheduled rule and 60x faster than an hourly rule. But they sacrifice KQL flexibility for speed: no joins, no aggregations, limited table support, and any-row triggering. This subsection covers the NRT rule architecture in depth, its specific limitations, the detection patterns where sub-minute latency justifies the constraints, and the NE-specific rules that should be NRT.
Deliverable: Understanding of when NRT rules are appropriate, their architectural limitations, and the specific NE detection rules that justify NRT deployment.
⏱ Estimated completion: 25 minutes

How NRT rules execute

NRT rules differ architecturally from scheduled rules in four fundamental ways. Understanding these differences prevents the common mistake of converting a working scheduled rule to NRT and having it fail.

Execution cycle: NRT rules run approximately every 60 seconds. This is not configurable — there is no frequency setting. The engine checks for new events since the last successful execution and runs the query against only those new events. This means the lookback is dynamic — it covers exactly the period since the last run, not a fixed window.

Query scope: Because NRT queries only see events since the last run (approximately 1 minute of data), they cannot perform time-windowed aggregations. A query that counts failed sign-ins per IP over 30 minutes is meaningless in NRT — it would only see the sign-ins from the last minute. Scheduled rules aggregate over configurable windows. NRT rules detect individual events.

KQL restrictions: NRT rules do not support join, union (except with the same table), summarize, count, dcount, make-set, make-list, arg_max, arg_min, percentile, or any cross-table operator. They support where, extend, project, parse, mv-expand, and string/datetime functions. This limits NRT to single-table, single-event pattern detection.

Table support: NRT rules can query a subset of Sentinel tables. The supported tables include the major Microsoft telemetry tables (SecurityAlert, SecurityIncident, SigninLogs, AuditLogs, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceRegistryEvents, EmailEvents, OfficeActivity, CommonSecurityLog, Syslog, WindowsEvent) but not all custom tables or all third-party connector tables. Check the Microsoft documentation for the current supported table list before building an NRT rule.

NRT RULE EXECUTION CYCLE — ARCHITECTUREEVENT OCCURSvssadmin delete shadowsat T+0:00INGESTIONEvent arrives in workspace~1-3 min latencyNRT QUERYRuns ~every 1 minDetects at T+1-4 minALERT + AUTOMATIONAlert fires → automation rule →playbook isolates device at T+2-5 minTOTAL: Event → Alert → Containment in under 5 minutesCompare: 5-min scheduled rule = 5-8 min | 30-min rule = 18-33 min | 1-hr rule = 33-63 min

Figure DE1.6 — NRT execution cycle. From event occurrence to automated containment in under 5 minutes. The speed advantage over scheduled rules is most significant for catastrophic-impact detections where minutes determine outcome.

NRT-worthy detections for Northgate Engineering

Not every high-severity detection justifies NRT. The three conditions must ALL be met: high confidence (very low FP rate), catastrophic impact if delayed, and single-event detection pattern (no correlation needed). At NE, the following rules justify NRT:

Ransomware pre-encryption (CHAIN-MESH Phase 7):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

// NRT RULE: Ransomware Pre-Encryption Indicators
// CRITICAL severity  automated device isolation on trigger
DeviceProcessEvents
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "wmic.exe")
| where ProcessCommandLine has_any (
    "delete shadows",          // Shadow copy deletion
    "delete catalog",          // Backup catalog deletion
    "recoveryenabled no",      // Recovery mode disabled
    "shadowcopy delete",       // WMI shadow copy deletion
    "delete systemstatebackup" // System state backup deletion
)
| where InitiatingProcessAccountName !in ("SYSTEM", "LOCAL SERVICE")
// Exclude system-initiated  legitimate backup operations run as SYSTEM
| extend AlertContext = strcat(
    "Ransomware indicator: ", FileName, " executed by ",
    InitiatingProcessAccountName, " on ", DeviceName,
    " | Command: ", ProcessCommandLine
)
// Entity mapping: Host  DeviceName, Account  InitiatingProcessAccountName
// Process  FileName + ProcessCommandLine

This rule fires on a single event — no aggregation, no join. The confidence is high: non-SYSTEM processes deleting shadow copies is almost always malicious (legitimate backup operations run as SYSTEM). The impact is catastrophic: ransomware encryption is in progress. The NRT detection fires within 1-4 minutes, and the automation rule triggers device isolation via playbook — stopping encryption before it completes.

LSASS memory access by non-system process:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

// NRT RULE: LSASS Credential Dump Detection
// CRITICAL severity  indicates active credential theft
DeviceProcessEvents
| where FileName =~ "lsass.exe"
    or ProcessCommandLine has_any (
        "sekurlsa", "mimikatz", "procdump",
        "comsvcs.dll", "MiniDump", "lsass"
    )
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "lsass.exe", "csrss.exe",  // System processes
    "MsMpEng.exe", "SenseIR.exe"                // Defender processes
)
// Entity mapping: Host  DeviceName, Account  InitiatingProcessAccountName
// Process  InitiatingProcessFileName + InitiatingProcessCommandLine

Known C2 beacon command patterns:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

// NRT RULE: Cobalt Strike Beacon Detection
// HIGH severity  fileless beacon activation
DeviceProcessEvents
| where ProcessCommandLine has_any (
    "IEX (New-Object Net.WebClient).DownloadString",
    "-nop -w hidden -encodedcommand",
    "powershell -ep bypass -nop -w hidden",
    "[System.Convert]::FromBase64String"
)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// Entity mapping: Host  DeviceName, Account  AccountName, IP  RemoteIP (if available)
⚠ Compliance Myth: "We should convert all our high-severity rules to NRT for faster detection"

The myth: NRT is always better than scheduled for high-severity detections. Faster detection is always better.

The reality: Most high-severity detections require correlation. CHAIN-HARVEST Phase 2 (AiTM token theft) requires joining SigninLogs with AADNonInteractiveUserSignInLogs on user and time window — impossible in NRT. CHAIN-MESH Phase 3 (lateral RDP movement) requires comparing the current RDP connection against a 90-day user-to-device access baseline — impossible in NRT. The AiTM detection at 5-minute scheduled frequency provides near-real-time detection (average 5.5 minutes including ingestion) with full correlation capability. The NRT alternative would need to detect the same attack from a single SigninLogs event without context — producing unacceptable FP rates because individual sign-in events from new IPs are common for NE’s 120 remote workers.

Reserve NRT for the 3-5 rules where: (1) a single event is sufficient for high-confidence detection, (2) the FP rate is under 5%, and (3) each minute of additional detection latency measurably increases damage. Ransomware encryption, credential dumps, and confirmed C2 activation meet all three criteria. Most other detections do not.

NRT operational considerations

Alert volume management: NRT rules trigger on ANY row returned — there is no threshold setting. If the query returns 10 events in a 1-minute cycle, it creates 10 alerts (or 10 events within one alert, depending on configuration). Ensure the query’s where filters are precise enough that false positives do not overwhelm the Critical alert queue. An NRT rule with a 10% FP rate generating 5 alerts per day means 0.5 false Critical alerts per day — each one interrupting the analyst. Over a month, that is 15 unnecessary interruptions at the highest priority level.

Testing before NRT deployment: Run the query as a scheduled rule at 5-minute frequency for 14 days first. Measure the TP/FP rate. If the TP rate exceeds 90% and the daily alert volume is manageable (under 5 alerts per day), convert to NRT. If not, keep it as a scheduled rule and tune until it meets the NRT confidence threshold.

Fallback pattern: Deploy the NRT rule for single-event detection AND a scheduled rule for the same technique with correlation context. The NRT fires first (within minutes) for immediate containment. The scheduled rule fires later (within the hour) with enriched context (what did the user do before and after the event) for investigation. The NRT catches it fast. The scheduled rule explains it fully.

Try it yourself

Exercise: Identify your NRT candidates

Review your current high-severity scheduled rules. Which ones detect single-event patterns (no join, no aggregation)? Of those, which have a TP rate above 90%? Of those, which detect techniques where minutes matter (ransomware, credential dump, active C2)? The remaining rules — typically 3-5 — are your NRT candidates.

If you have no rules meeting all three criteria, you do not need NRT rules yet. Build the scheduled rules first (DE3-DE8), tune them (DE9), and identify NRT candidates from the high-confidence, high-impact subset.

Check your understanding

You build an NRT rule for password spray detection that counts failed sign-ins per IP per minute. After deployment, the rule never fires — even during a known spray event. Why?

Answer: NRT rules cannot use `summarize`, `count`, or any aggregation operator. A query that counts failed sign-ins per IP requires `summarize count() by IPAddress` — which is not supported in NRT. The rule compiles and deploys without error, but the aggregation silently fails (returns 0 rows). Password spray detection requires a scheduled rule with a time-windowed aggregation: run every 5-15 minutes with a 30-60 minute lookback, summarize failed sign-ins per IP, and fire when the count exceeds the threshold. Single-event detection (NRT) cannot detect volume-based patterns (spray). This is the fundamental NRT limitation.

Troubleshooting: NRT issues

“NRT rule deployed but no alerts fire.” Three common causes: (1) the query uses unsupported operators (join, summarize) that fail silently, (2) the query references a table not in the NRT-supported table list, or (3) the where filters are too restrictive and no individual events match. Test: run the same query in Advanced Hunting with | take 100 against the last hour. If it returns results there but not in NRT, the issue is likely unsupported operators.

“NRT rule fires too often.” The where filters need tightening. NRT has no threshold — every matching event generates an alert. Add exclusions: service accounts, SYSTEM processes, known-good applications. If the event type is legitimately high-volume (sign-in events, process creation events), NRT is the wrong rule type — convert to a scheduled rule with a threshold.

“NRT alerts lack context for investigation.” Expected. NRT detects the event but cannot join with other tables for context. Build a companion scheduled rule that fires on the same technique with full correlation (join with identity data, prior activity, device context). The NRT provides the fast alert. The scheduled rule provides the investigation context. Both contribute to the same incident via entity-based alert grouping (DE1.9).

📋 Operational Artifact — NRT Candidacy Assessment

Rule name: ___

Single-event pattern? [Y/N] — if N, use scheduled rule

KQL uses join/summarize/aggregation? [Y/N] — if Y, use scheduled rule

Table supported by NRT? [Y/N] — check documentation

Estimated TP rate: ___% — if <90%, keep as scheduled until tuned

Catastrophic impact if delayed? [Y/N] — if N, 5-min scheduled is sufficient

Expected daily alert volume: ___ — if >5/day, review filter precision

NRT deployment decision: [Deploy NRT / Keep Scheduled / Deploy Both]

Companion scheduled rule for context? [Y/N] — rule name: ___

References used in this subsection

  • Microsoft Sentinel NRT rules documentation
  • Course cross-references: DE1.3 (frequency selection), DE1.5 (severity — NRT = Critical), DE1.10 (automation for NRT response), DE8 (ransomware NRT rule build), DE9 (testing methodology for NRT candidacy)
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of Detection Engineering

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← DE1.5 Severity Classification and MITRE ATT&CK Mapping DE1.7 Anomaly Rules and Fusion →