Monitoring Schedules
Configure automated scanning schedules for drift detection
Configure how often Securtea scans your Microsoft 365 environment for configuration drift. Balance thoroughness with API efficiency.
Understanding Schedules
What Schedules Control
Monitoring schedules determine:
- When scans run
- What resources are scanned
- How often configurations are checked
Schedule Types
| Type | Description |
|---|---|
| Recurring | Runs automatically at set intervals |
| On-Demand | Manual scans initiated by users |
| Event-Triggered | Scans after specific events |
Configuring Schedules
Accessing Schedule Settings
- Navigate to Drift Detection > Settings
- Click Monitoring Schedule
- Configure scan options
Frequency Options
| Frequency | Use Case |
|---|---|
| Hourly | High-security environments |
| Every 4 hours | Active environments |
| Daily | Standard monitoring (recommended) |
| Weekly | Low-change environments |
| Custom | Specific requirements |
Time Configuration
For non-hourly schedules:
| Setting | Description |
|---|---|
| Time | Hour of day to run (your time zone) |
| Day | For weekly schedules, the day of the week to run |
| Time Zone | Display preference |
Scans run based on your organization's configured time zone, viewable in organization settings.
Resource Filtering
Select Resources to Monitor
Choose which resource types to include:
Identity & Access
- Users
- Groups
- Service Principals
- Conditional Access Policies
- Named Locations
Email & Collaboration
- Mail Flow Rules
- Anti-Phishing Policies
- SharePoint Settings
- Teams Policies
Security
- Security Defaults
- MFA Settings
- Admin Roles
Filter Strategies
| Strategy | Description |
|---|---|
| All Resources | Comprehensive coverage |
| Critical Only | Focus on security-sensitive resources |
| By Baseline | Only resources with baselines |
| Custom Selection | Specific resource types |
Schedule Examples
High-Security Environment
Frequency: Hourly
Resources: All
Rationale: Maximum visibility, rapid detection
Standard Business
Frequency: Daily at 6:00 AM
Resources: Identity, Access, Security
Rationale: Catch overnight changes, minimize API usage
Low-Change Environment
Frequency: Weekly on Monday at 8:00 AM
Resources: Critical only
Rationale: Sufficient for stable configurations
API Efficiency
Understanding API Usage
Each scan makes Microsoft Graph API calls:
| Resource Type | Typical API Calls |
|---|---|
| Users | 1-5 (paginated) |
| Groups | 1-5 (paginated) |
| Conditional Access | 1-2 |
| Mail Flow Rules | 1-3 |
Rate Limiting
Microsoft Graph has rate limits:
- Securtea manages API calls efficiently
- Scans are throttled if limits are approached
- Large tenants may take longer
Optimization Tips
Reduce API usage by:
- Scanning only needed resources
- Using appropriate frequency
- Combining similar scans
Securtea caches some data between scans to reduce redundant API calls.
Multiple Schedules
Why Multiple Schedules?
Different resources may need different frequencies:
- Security policies: Check hourly
- User configurations: Check daily
- Rarely-changed settings: Check weekly
Creating Multiple Schedules
- Go to Monitoring Schedule
- Click Add Schedule
- Configure frequency and resources
- Ensure no resource overlap
Schedule Priority
If resources overlap:
- Most frequent schedule takes precedence
- Duplicate scans are automatically merged
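A planning sketch for the precedence rule above, combined with the per-scan call counts listed under API Efficiency. It is an added illustration, not Securtea's own code: the schedule names are constructed, weekly scans are averaged to 1/7 run per day, and only the four resource types with published call counts are estimated.

```python
# Added planning sketch, not Securtea code. Schedule names are constructed.
# Assumption: "weekly" is averaged to 1/7 run per day; "Custom" is omitted.
RUNS_PER_DAY = {"hourly": 24, "every_4_hours": 6, "daily": 1, "weekly": 1 / 7}

# (min, max) Graph calls per scan, copied from the "Typical API Calls" table.
CALLS_PER_SCAN = {
    "Users": (1, 5), "Groups": (1, 5),
    "Conditional Access": (1, 2), "Mail Flow Rules": (1, 3),
}

# Constructed sample: schedule name -> (frequency, resource types).
SCHEDULES = {
    "security-hourly": ("hourly", ["Conditional Access"]),
    "identity-daily": ("daily", ["Users", "Groups", "Conditional Access"]),
    "mail-weekly": ("weekly", ["Mail Flow Rules"]),
}

def resolve_overlaps(schedules):
    """Return (winners, overlaps): the most frequent schedule per resource,
    and every resource that more than one schedule covers."""
    winners, covered_by = {}, {}
    for name, (freq, resources) in schedules.items():
        if freq not in RUNS_PER_DAY:
            raise ValueError(f"unknown frequency {freq!r} in {name!r}")
        for res in resources:
            covered_by.setdefault(res, []).append(name)
            best = winners.get(res)
            if best is None or RUNS_PER_DAY[freq] > RUNS_PER_DAY[best[0]]:
                winners[res] = (freq, name)
    overlaps = {r: n for r, n in covered_by.items() if len(n) > 1}
    return winners, overlaps

def daily_call_range(winners):
    """Sum min/max Graph calls per day; list resources the table omits."""
    low = high = 0.0
    unlisted = []
    for res, (freq, _) in winners.items():
        if res not in CALLS_PER_SCAN:
            unlisted.append(res)
            continue
        cmin, cmax = CALLS_PER_SCAN[res]
        low += cmin * RUNS_PER_DAY[freq]
        high += cmax * RUNS_PER_DAY[freq]
    return low, high, sorted(unlisted)

if __name__ == "__main__":
    winners, overlaps = resolve_overlaps(SCHEDULES)
    print(winners, overlaps, daily_call_range(winners))
```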
Manual Scans
Running On-Demand
Trigger an immediate scan:
- Go to Drift Detection
- Click Scan Now
- Select resource types
- Click Start Scan
When to Use Manual Scans
- After making planned changes
- Before important meetings/audits
- When investigating incidents
- To verify remediation
Schedule Status
Monitoring Schedule Health
View schedule status:
| Status | Meaning |
|---|---|
| Active | Running as scheduled |
| Paused | Temporarily disabled |
| Running | Scan currently in progress |
| Failed | Last scan encountered errors |
Schedule History
View past scan runs:
- Run time and duration
- Resources scanned
- Events generated
- Any errors encountered
Notifications
Scan Notifications
Configure notifications for schedule events:
| Event | Notification |
|---|---|
| Scan started | Optional |
| Scan completed | Optional |
| Drift detected | Per alert settings |
| Scan failed | Recommended |
Failure Alerts
Get notified when scans fail:
- Go to Settings > Alerts
- Enable "Schedule failure" notifications
- Configure recipients
Best Practices
Start Conservative
Begin with daily scans, increase frequency as needed:
- Enable daily monitoring
- Review for 1-2 weeks
- Identify resources needing more frequent checks
- Add targeted high-frequency schedules
Match to Change Velocity
Align frequency with how often changes occur:
| Change Frequency | Recommended Scan Frequency |
|---|---|
| Multiple daily | Hourly |
| Daily | Every 4 hours |
| Weekly | Daily |
| Monthly | Weekly |
Consider Time Zones
Schedule scans for:
- Low-activity periods (less API contention)
- Before business hours (catch overnight changes)
- Consistent times (predictable baseline)
Document Schedule Decisions
Record why schedules are configured:
- Frequency rationale
- Resource selection criteria
- Approval and review dates
Troubleshooting
Scans Not Running
If scheduled scans don't run:
- Verify schedule is active (not paused)
- Check the organization's M365 connection
- Review schedule logs for errors
- Ensure time zone is correct
Scans Taking Too Long
If scans exceed expected duration:
- Check tenant size (large tenants take longer)
- Review API throttling status
- Consider filtering resources
- Run during off-peak hours
Inconsistent Results
If scan results vary unexpectedly:
- Verify consistent resource selection
- Check for M365 propagation delays
- Review for concurrent configuration changes