Analytic Rule - Which time prevails, "Lookup data from the last" or the time set in the query?

Eduardo Vilar 0 Reputation points
2024-04-11T11:15:46.35+00:00

I have a question regarding the search times when configuring a new alert: I don't know which time predominates, the one set in the query or the one set at the level of the alert configuration.

Let's take the following query as an example, which looks for RDP events in the last 14 days and then finds users who made an RDP connection in the last 6 hours but have none in the previous 14 days.

    let starttime = 14d;
    let endtime = 6h;
    SecurityEvent
    | where EventID == 4624 and LogonType == 10
    | where TimeGenerated between (ago(starttime) .. ago(endtime))
    | join kind=rightanti (
        SecurityEvent
        | where EventID == 4624 and LogonType == 10
        | where TimeGenerated >= ago(endtime) // RDP connections last 6h
      ) on Account
    | summarize arg_max(TimeGenerated, *), count() by Account, Computer, IpAddress
    | project TimeGenerated, Account, Computer, IpAddress

If I set a "Lookup data from the last" period of 2 days, for example, would it work the same?

What if "Lookup data from the last" is 20 days?

What would be optimal?

User's image

Microsoft Sentinel

1 answer
  1. Clive Watson 7,481 Reputation points MVP
    2024-04-11T12:21:48.62+00:00

    The portal (screenshot 2) overrides anything in the query. Also remember 14 days is the max lookback for an Alert Rule.

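The interaction the question and answer describe can be reproduced offline. The block below is an added example, not code from the original post or from Microsoft: it takes the poster's query unchanged, but runs it against a constructed `datatable` of six logon events with a fixed clock (`fixedNow`) instead of `now()`, and emulates the rule's "Lookup data from the last" setting with an explicit `ruleLookback` filter, because a scheduled analytics rule only hands the query rows from inside that window. The event rows, the account names, hosts, IPs, and the `ruleLookback`, `baseline` and `recent` names are all assumptions made for the example.

```kusto
// Added example (not from the original post). Constructed sample data and a fixed
// clock; ruleLookback stands in for the portal's "Lookup data from the last" value.
let fixedNow = datetime(2024-04-11 11:00:00);
let ruleLookback = 14d;   // portal setting; set to 2d to reproduce the question's first case
let baseline = 14d;       // starttime in the original query
let recent = 6h;          // endtime in the original query
// LogonType 10 = RemoteInteractive (RDP); LogonType 2 = local interactive, included as noise.
let SecurityEventSample = datatable(TimeGenerated:datetime, EventID:int, LogonType:int, Account:string, Computer:string, IpAddress:string)
[
    datetime(2024-04-01 09:00:00), 4624, 10, @"CONTOSO\alice", "SRV01", "10.0.0.5",  // 10 days before fixedNow
    datetime(2024-04-11 08:00:00), 4624, 10, @"CONTOSO\alice", "SRV01", "10.0.0.5",  // inside the last 6h
    datetime(2024-04-10 12:00:00), 4624, 10, @"CONTOSO\bob",   "SRV02", "10.0.0.6",  // 23h before fixedNow
    datetime(2024-04-11 07:30:00), 4624, 10, @"CONTOSO\bob",   "SRV02", "10.0.0.6",  // inside the last 6h
    datetime(2024-04-11 06:00:00), 4624, 10, @"CONTOSO\carol", "SRV03", "10.0.0.7",  // inside the last 6h, no history
    datetime(2024-04-11 09:00:00), 4624, 2,  @"CONTOSO\dave",  "SRV01", "10.0.0.8"   // not RDP, filtered out
];
// A scheduled rule never shows the query anything older than its lookback window.
// The explicit filter below emulates that clipping; everything after it is the
// poster's query with ago(x) replaced by fixedNow - x so the result is repeatable.
let RdpLogons = SecurityEventSample
    | where TimeGenerated >= fixedNow - ruleLookback
    | where EventID == 4624 and LogonType == 10;
RdpLogons
| where TimeGenerated between ((fixedNow - baseline) .. (fixedNow - recent))
| join kind=rightanti (
    RdpLogons
    | where TimeGenerated >= fixedNow - recent   // RDP connections in the last 6h
  ) on Account
| summarize arg_max(TimeGenerated, *), count() by Account, Computer, IpAddress
| project TimeGenerated, Account, Computer, IpAddress
```

Walking through the data: with `ruleLookback = 14d` the baseline window covers both alice's 1 April logon and bob's 10 April logon, so the `rightanti` join leaves only carol, the genuinely new RDP user. With `ruleLookback = 2d` the rule window starts on 9 April, alice's 1 April logon is no longer visible to the query even though `ago(14d)` asks for it, and alice is reported alongside carol as a false positive. The effective baseline is therefore the narrower of the two settings, and for this detection the rule's lookback must be at least as long as `starttime`. A 20-day lookback would not change the result either way, since, as the answer notes, 14 days is the maximum a scheduled rule accepts.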
