Forum Discussion
dgaribaldi
Oct 14, 2021, Copper Contributor
Conflict with custom time range when running scheduled Sentinel Alert - identityinfo
Hi team. I'm working with Sentinel to create a custom alert rule in an attempt to reduce the noise generated by false positives. I've gone ahead and modified the out-of-the-box alert for "RDP Nesting" ...
- Oct 15, 2021: There is a dedicated Sentinel channel: https://techcommunity.microsoft.com/t5/azure-sentinel/bd-p/AzureSentinel
Azure Sentinel rules have a max look back of 14 days: https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom#query-scheduling-and-alert-threshold
There is a workaround (if you really need it). Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 – watch it all 😊, but the "14 days use case" starts at 42 min.
colincc
Oct 19, 2022, Copper Contributor
Hi there,
Hope you are doing well :).
I have noticed that you have set a custom time range in your search query, and I would like to know how you set the look back time window ("Lookup data from the last") in your analytics rule settings. Is your custom time range going to override the look back window, or is it going to be overridden by the look back window?
Hope to hear from you soon!
Regards,
Colin