Forum Discussion
Marekjdj
May 16, 2025 - Copper Contributor
IdentityInfo with analytics KQL query
Hi, I'm currently trying to create a KQL query for an alert rule in Sentinel. The log source upon which the alert rule is based only contains the SAMAccountName, which prevents me from mapping it t...
Marekjdj
May 21, 2025 - Copper Contributor
I did some testing, but unfortunately putting the lookup in a let function is still being overridden by the rule settings. I've also tried creating the lookup table as an external function, but the lookback is still overridden.
AndrewBlumhardt
Microsoft
May 21, 2025
Thanks for the info, good to know.
Can you create this as an XDR detection rule instead? I don't think the same restrictions apply, and this is the future direction for all detection rules.
Marekjdj
Jun 02, 2025 - Copper Contributor
Hi Andrew,
Sorry for the late response. For now, I've configured the rule to run only once an hour, allowing me to extend the lookup to two weeks. It's not ideal, but for now it'll have to do. Thanks!
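An added example of the kind of query the thread is about, not code posted by any participant: a scheduled-rule query that enriches a SAMAccountName-only source with IdentityInfo. It assumes a hypothetical custom table MyAppLogs_CL with a SAMAccountName_s column, and that the IdentityInfo AccountName column holds the on-premises sAMAccountName. As Marekjdj observed, the rule's own lookback setting still bounds every table the query reads, so the 14-day identity window here only takes effect with the hourly schedule described above.

```kusto
// Added example, not from the thread. Assumptions: MyAppLogs_CL is a
// hypothetical custom log table whose SAMAccountName_s column carries the
// account name; IdentityInfo.AccountName holds the sAMAccountName.
let lookbackIdentity = 14d;   // identity records change slowly; wide window
let lookbackEvents   = 1h;    // matches a rule scheduled to run once an hour
// Keep only the newest identity record per account so the join stays 1:1
// and the result does not fan out when an account has several snapshots.
let Identities =
    IdentityInfo
    | where TimeGenerated > ago(lookbackIdentity)
    | where isnotempty(AccountName)
    | summarize arg_max(TimeGenerated, *) by AccountName
    | project AccountName = tolower(AccountName),
              AccountUPN, AccountObjectId, AccountDisplayName;
MyAppLogs_CL
| where TimeGenerated > ago(lookbackEvents)
// Normalise case on both sides; sAMAccountName comparisons are case-insensitive in AD
| extend AccountName = tolower(SAMAccountName_s)
| join kind=leftouter Identities on AccountName
// leftouter keeps events for accounts missing from IdentityInfo, so those
// rows still alert instead of silently dropping; AccountUPN is empty there.
| project TimeGenerated, SAMAccountName_s, AccountUPN, AccountObjectId,
          AccountDisplayName
```

The projected AccountUPN and AccountObjectId columns are what the rule's entity mapping can then point at, which is what the SAMAccountName-only source could not provide on its own.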