Forum Discussion
TheHoff70
Aug 18, 2023 - Brass Contributor
Best way to unify a user identity
Greetings, I have a firewall that's feeding our Log Analytics workspace with events. URL blocks, spyware and such. I then have a Sentinel NRT analytics rule that uses these events to create alerts whi...
samikroy
Aug 26, 2023 - MCT
NRT is limited and unable to join multiple tables in a query;
alternatively, you can use a Scheduled query to join the FirewallLOgs_CL and SecurityAlert tables to combine both the alerts.
TheHoff70
Aug 29, 2023 - Brass Contributor
I am aware of the join limitation between NRT and Scheduled alerts, but my question is on how Sentinel parses a user into a singular entity. I am not trying to combine two tables.