1,296 questions
That is correct, please see here for more: https://learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules#considerations
Do you have a question about this?
NRT New access credential added to Application or Service Principal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 39%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMN%3C/text%3E%3C/svg%3E)
M Nurohmat
100
Reputation points
NRT queries cannot use joins or unions, or query more than one table.
Microsoft Security | Microsoft Sentinel
Accepted answer
-
Clive Watson 7,866 Reputation points MVP Volunteer Moderator2023-07-05T15:54:01.0233333+00:00 -
Clive Watson 7,866 Reputation points MVP Volunteer Moderator
2023-07-05T15:59:18.9733333+00:00 I see you asked this question again, and received an answer.
-
M Nurohmat 100 Reputation points
2023-07-06T02:21:32.0166667+00:00 No, thank you for informations
Sign in to comment -
1 additional answer
Sort by: Most helpful
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2023-07-05T19:39:51.58+00:00 Thank you for your post!
Error Message:
NRT queries cannot use joins or unions, or query more than one tableI understand that you're trying to leverage the near-real-time (NRT) analytics rules but when creating the rule you're running into the above error. To hopefully point you in the right direction or resolve your issue I'll share my findings below.
Findings:
Because Near-real-time (NRT) rules are currently in PREVIEW, please keep in mind that there are still limitations currently governing the use of NRT rules.
Because you can create NRT rules the same way you create regular scheduled-query analytics rules - When it comes to your template deployment, you should be able to identify if it's an NRT rule or a scheduled query rule through the Query scheduling and alert threshold. For more info.
-
Unlike regular scheduled rules that run on a built-in five-minute delay to account for ingestion time lag, NRT rules run on just a two-minute delay.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
-