but even so, the documentation here is one of the worst, I would almost say contradictory:
1. prioritize current data VS data completion, what would one be supposed to understand from such abstract terms
2. As excessive failed logins matter most when you hear about them quickly VS If you care more about identifying all excessive failed logins in your environment - again, what is the difference between these two statements?
might be because I am not a native English speaker, but I am not so sure it is my fault
”
Configure a schedule for the correlation search
Correlation searches can run with a real-time or continuous schedule.
• Use a real-time schedule to prioritize current data and performance. Searches with a real-time schedule are skipped if the search cannot be run at the scheduled time. Searches with a real-time schedule do not backfill gaps in data that occur if the search is skipped.
• Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped.
As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. If you care more about identifying all excessive failed logins in your environment, you can select a continuous schedule for the search instead.
”
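An added illustration (not part of the post or of the quoted Splunk documentation) of the two schedule types the quoted text contrasts: a simplified model, not Splunk's scheduler, showing which time windows get searched when some scheduled runs cannot start. The 5-minute interval, the busy slots, the event times and the rule that a delayed continuous search catches up at the next free slot are all constructed assumptions.

```python
# Simplified model of the two schedule types; constructed for illustration only.
INTERVAL = 5                      # minutes between scheduled runs (assumed)
SLOTS = list(range(5, 35, 5))     # scheduled run times: 5, 10, ..., 30
BUSY = {15, 20}                   # slots where the search cannot start (constructed)
EVENTS = [3, 12, 17, 27]          # minutes at which failed-login bursts occur (constructed)

def simulate(mode, slots, busy):
    """Return (window_start, window_end, ran_at) for every window actually searched."""
    searched = []
    backlog = []                  # windows still waiting (continuous schedule only)
    for t in slots:
        window = (t - INTERVAL, t)
        if mode == "continuous":
            backlog.append(window)
            if t not in busy:
                # Never skipped: catch up on every pending window, oldest first.
                searched += [(s, e, t) for s, e in backlog]
                backlog = []
        elif t not in busy:
            searched.append((*window, t))
        # real-time schedule and busy slot: the run is skipped, no backfill
    return searched

def missed_events(searched, events):
    """Events that fall in no searched window, so no notable event can fire."""
    return [ev for ev in events if not any(s <= ev < e for s, e, _ in searched)]

def worst_delay(searched):
    """Longest wait, in minutes, between a window closing and its search running."""
    return max(ran_at - end for _, end, ran_at in searched)

if __name__ == "__main__":
    for mode in ("real-time", "continuous"):
        runs = simulate(mode, SLOTS, BUSY)
        print(mode, "missed:", missed_events(runs, EVENTS),
              "worst delay (min):", worst_delay(runs))
```

In this model the real-time schedule always reports on fresh data but never sees the bursts at minutes 12 and 17, while the continuous schedule sees every burst but reports some of them up to 10 minutes late.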