  • Does Threat Intelligence sweeping support only specific products?

Threat Intelligence sweeping currently supports Endpoint Activity Data in the Search app from products such as Apex One SaaS, Cloud One - Workload Security, Deep Security Software and Endpoint Sensor. Network and Email/Message activity data are currently not supported.

  • What is the frequency or data range for generating sweeping report (Auto Sweeping)?

Curated intelligence reports generate a scheduled sweep that runs once every day for 7 consecutive days, searching your environment for threat indicators based on new incoming reports from the selected source.

Custom intelligence reports are third-party intelligence for which the "Run an auto sweep" option is enabled on a specific TAXII feed collection or a MISP event tag. A scheduled sweep is generated and triggered within 24 hours to search your environment for the indicators extracted from the intelligence data.

  • What is the frequency or data range for generating sweeping report (Manual Sweeping)?

The first sweep for every report collects all historic telemetry data. Subsequent sweeps collect only telemetry data uploaded after the previous sweep.
For every report, only one manual sweeping task can be triggered within any one-hour period. If you click manual sweeping again within one hour, you will see the error message "Unable to start sweeping."


For every report, the second sweep applies only to data uploaded after the first sweep. As an example, if the user triggers a manual sweeping task at 8am on 2022/7/19, the user cannot trigger another manual sweeping task between 8am and 9am on 7/19.
If a matched event happens at 8:30am and the user triggers a second sweeping task after 9am, the sweep will not produce a match and no Threat Intelligence sweeping workbench alert will be generated.


As a workaround for this issue, the user can add a new intelligence report with the same source and then trigger manual sweeping again.
