Rule Frequency and Execution Windows

Rules execute at a regular frequency and check data over a specified window of past time. To catch aberrations that occur between runs, rule windows often overlap.

This rule runs every two weeks and checks data from the four weeks before it started to run. Note that the run windows overlap. Without an end date, the rule runs perpetually.

Rules have two stages:

  • Validation, which executes the rule on historical data.
  • Deployment, which executes the rule on the data going forward.

For both validation and deployment, rules run over fixed periods of time, at fixed frequencies.
In these docs, frequency refers to how often a rule runs. Window refers to the period over which the rule checks data. For example, if a rule has a frequency of 2 weeks and a window of 4 weeks, then every two weeks the rule checks data from the last four weeks.

All rule operations depend on the rule start dates. Validation occurs for the window prior to the date, and execution starts on the start date.

Validation starts at time of rule start date

When a rule validates, it begins analyzing transactions from some period earlier than its execution start date. For most scenarios, the period parameter explicitly determines when this analysis begins.

For example:

  • If a rule’s execution start date is 01/01/2021 and its period parameter is 365 days, the rule begins analyzing events starting on 01/01/2020.

  • If the start date is 01/01/2021 00:00 and the period is 1 hour, the rule begins analyzing events starting from 12/31/2020 23:00.

Every week, this rule runs over the transaction data from the last three months and generates an alert each time it discovers an entity that has a transaction sum greater than $1,000,000 in that three-month period.

Some rules have no period parameter. In these cases, the rules begin validating from the earliest historical point.

Deployed rules run at set frequencies from time of start date

When a rule is deployed, it begins running at the time of the rule start date. After that, it continues to run regularly at the frequency you set, checking data over the window you set. If no start date is set, the start date is the time at which an agent deploys the rule.

For example, if a rule executes every two weeks over a four-week period, then at the time of the rule start date, it:

  1. Checks for rule violations over the last 4 weeks.
  2. Executes again 2 weeks after its first execution. Because it again checks for violations over the last 4 weeks, this window has a two-week overlap with the first window.

This behavior continues until the rule end date. If no end date is set, it runs indefinitely, or until an agent stops the rule.
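The schedule described above can be worked through in code. The following is an added example, not part of the original docs or the product's own code: the function names, the `max_runs` guard, the inclusive end date and the sample dates are assumptions made for illustration. It lists each run with the trailing window it checks and reports any stretch of data that no run would ever examine, which happens when the window is shorter than the frequency.

```python
from datetime import datetime, timedelta
from typing import Iterator, List, NamedTuple, Optional, Tuple


class Run(NamedTuple):
    run_at: datetime        # moment the rule executes
    window_start: datetime  # earliest data this run checks
    window_end: datetime    # latest data this run checks (the run time)


def validation_start(start: datetime, period: timedelta) -> datetime:
    """Validation analyzes events from one period before the start date."""
    return start - period


def deployed_runs(start: datetime, frequency: timedelta, window: timedelta,
                  end: Optional[datetime] = None, max_runs: int = 10) -> Iterator[Run]:
    """Yield each deployed run and the trailing window it checks.

    Assumptions of this example: the end date is inclusive, and max_runs
    bounds the output because a rule without an end date runs indefinitely.
    """
    run_at, count = start, 0
    while count < max_runs and (end is None or run_at <= end):
        yield Run(run_at, run_at - window, run_at)
        run_at += frequency
        count += 1


def uncovered(runs: List[Run]) -> List[Tuple[datetime, datetime]]:
    """Return intervals that fall between consecutive windows (never checked)."""
    gaps = []
    for prev, nxt in zip(runs, runs[1:]):
        if nxt.window_start > prev.window_end:
            gaps.append((prev.window_end, nxt.window_start))
    return gaps


if __name__ == "__main__":
    start = datetime(2021, 1, 1)  # constructed sample start date
    freq, win = timedelta(weeks=2), timedelta(weeks=4)
    runs = list(deployed_runs(start, freq, win, max_runs=3))
    for r in runs:
        print(f"run {r.run_at:%Y-%m-%d} checks {r.window_start:%Y-%m-%d} to {r.window_end:%Y-%m-%d}")
    print("overlap between consecutive windows:", win - freq)
    print("unchecked intervals:", uncovered(runs))
    # A 1-week window at a 2-week frequency leaves a week unchecked between runs.
    short = list(deployed_runs(start, freq, timedelta(weeks=1), max_runs=3))
    print("unchecked with 1-week window:", uncovered(short))
```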

Run frequency is proportional to run window

For whatever window you set, you also configure the rule’s execution frequency. The execution frequency is proportional to the period. For example, if you select a period of 1 hour, you can choose to run the rule at a frequency between every 4 and 60 minutes. If you change the period to 1 month, the frequency changes to between 3 and 31 days.

Warning

Running long, frequent queries puts a large amount of load on the system. Please do so only when necessary. If you want to analyze historical data, please select the minimum frequency necessary within the minimum timeframe necessary.