Forum Discussion

dolce-anthony
Copper Contributor
Nov 21, 2023

Analytics rule - 2 joined queries need a different execution timeframe.

Is there a way to instruct a KQL query running inside the Sentinel analytics engine not to use the lookback for a portion of the query? Example:


TableA
| where <x condition>                     // uses the default lookback from the analytics rule
| join (
    TableB
    | where <y condition>
    | where TimeGenerated > ago(1d)       // fixed window, independent of the rule's lookback
) on <join key>                           // placeholder: the shared column to join on


I need the query that runs against Table B to use the fixed TimeGenerated filter instead of applying the automated lookback supplied by the analytics engine. It runs fine all day outside of the analytics engine.

1 Reply

  • _Mathias_
    Copper Contributor

    Hi dolce-anthony,


    In my experience you can use both methods in analytics rules. Look at these analytics rule templates from Microsoft:

    • https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/MailItemsAccessedTimeSeries.yaml
    • https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Analytic%20Rules/TimeSeriesAnomaly-ProcessExecutions.yaml
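The pattern the question asks about, written out as an added example (this is not code from the thread or from the linked Microsoft templates): one branch of a scheduled analytics rule builds a seven-day baseline of process executions while the other looks only at the last hour, and the two are joined in a single query. It assumes the rule's lookback (Query period) is set to the longest window any branch needs, 7 days here, and that each branch then narrows its own range with an explicit TimeGenerated filter; the thread does not say how the engine treats a branch that asks for more data than the lookback allows, so keep the lookback at least as long as the widest explicit window. The thresholds (5x the hourly baseline rate) and the SecurityEvent 4688 filter are illustrative choices.

```kusto
// Added example, not from the forum thread or the linked templates.
// Assumption: the analytics rule's Query period (lookback) is set to 7d,
// the longest window used below; each branch narrows its own range.
let longWindow = 7d;   // baseline window, excluding the most recent hour
let shortWindow = 1h;  // detection window
// Branch 1: per-process baseline over the previous 7 days (minus the last hour)
let baseline = SecurityEvent
    | where EventID == 4688
    | where TimeGenerated between (ago(longWindow) .. ago(shortWindow))
    | summarize BaselineCount = count(), BaselineHosts = dcount(Computer) by Process;
// Branch 2: the same events, restricted to the last hour only
SecurityEvent
| where EventID == 4688
| where TimeGenerated > ago(shortWindow)
| summarize RecentCount = count(), Hosts = make_set(Computer, 20) by Process
// Keep processes with no baseline at all (never seen in 7d) via leftouter
| join kind=leftouter baseline on Process
// Normalise the baseline to a per-hour rate so the two windows are comparable
| extend BaselineHourly = todouble(BaselineCount) / ((longWindow - shortWindow) / shortWindow)
// Fire on processes that are new, or running far above their usual hourly rate
| where isnull(BaselineCount) or RecentCount > 5 * BaselineHourly
| project Process, RecentCount, BaselineCount, BaselineHourly, BaselineHosts, Hosts
```

Because the baseline branch deliberately stops at ago(shortWindow), the detection hour never inflates its own baseline; that separation is what the two different timeframes buy you inside one rule.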

