Forum Discussion

dolce-anthony's avatar
dolce-anthony
Copper Contributor
Nov 21, 2023

Analytics rule - 2 joined queries need a different execution timeframe.

Is there a way to instruct a kql query running inside of the sentinel analytics engine not to use the loopback for a portion of the query.   Example:   table A | where x happens (use the default lo...
analytics
automation
KQL
monitoring
siem
_Mathias_'s avatar
_Mathias_
Copper Contributor
Nov 27, 2023

Hidolce-anthony ,

 

In my expericence you can use both methods in analytics rules. Look at these analytics rule templates from Microsoft:

  • https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/MailItemsAccessedTimeSeries.yaml
  • https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Analytic%20Rules/TimeSeriesAnomaly-ProcessExecutions.yaml

 

Resources