To have your query1 run every hour in a Microsoft Sentinel environment, you should configure it as an analytics rule—specifically a scheduled query (custom detection) rule . Microsoft’s official documentation for Sentinel describes “scheduled analytics rules” as queries that you configure to run on a recurring schedule, with a defined lookback period, and trigger alerts if the query results meet the rule criteria. Those scheduled rules are the mechanism by which KQL queries are periodically executed automatically.

When you create an analytics rule in Sentinel, you supply the query (i.e. query1) and you specify the recurrence (for example, every hour). Once configured as such, Sentinel takes care of executing it on schedule with minimal ongoing administrative intervention. This aligns exactly with “minimize administrative effort.”

Among the answer choices:

An automation rule is used to act upon alerts (for example, route, suppress, or apply playbooks) but does not itself schedule periodic queries.

Automated Investigation and Response (AIR) is part of Defender for Endpoint’s automated remediation workflow and is used for responding to alerts on endpoints—not for scheduling general KQL hunting queries.

A watchlist is a static data reference (list of values) you can use within queries or rules but does not itself execute queries on a schedule.

A custom detection (analytics) rule is exactly what you would use to wrap query1 into a scheduled operation.

Thus, converting query1 into a custom detection rule (i.e. a scheduled analyt ics rule) is the correct choice.

From Microsoft SecOps and Sentinel rule documentation: scheduled rules are based on Kusto queries configured to run at regular intervals over a lookback period, and if results cross a threshold, an alert is triggered. The rule’s scheduling frequency (such as hourly) is part of rule configuration. This model ensures your query1 gets executed every hour automatically with minimal manual work.