Forum Discussion
misstaek
Jan 27, 2022, Copper Contributor
KQL: setting query time leads to problem in watchlist column projecting
Hello to the community! I have stumbled upon a very strange issue when using watchlists. I have a watchlist with 2 columns (userPrincipalName,allowedActivity) that I am then using to whitelis...
Rixonp
Nov 06, 2023, Copper Contributor
I was wondering if you've found a way to get around this. It is making backtesting analytic rules with watchlists impossible.
Using the Results Simulation graph gives me a query with these set statements that end up not working when I try to run them.
Also, let does not seem to work the same way set does with regard to these tests.
Clive_Watson
Nov 07, 2023, Bronze Contributor
The result simulation is doing the evaluations for you; the default message says "with current data".
I suspect, like the Rule Query window, there is extra filtering applied; it's probably doing a query_time so you can't do one as well (e.g. the Rule Query window excludes a 14+ day lookback, union *, etc.).
Only someone from the Sentinel team can say for sure.
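As an added example (not code from any poster in this thread), the following KQL shows the pattern both replies are circling: an analytic rule query that uses a two-column watchlist (userPrincipalName, allowedActivity, as in the original post) to suppress expected activity, with the backtest window pinned by explicit let-bound datetimes and a TimeGenerated filter instead of the set statements that the Results Simulation emits. The watchlist name AllowedActivity, the AuditLogs table, the InitiatedBy field shape and the date range are assumptions for illustration; the thread does not confirm that the simulation accepts this form.

```kql
// Added example, not from the thread. Assumed watchlist 'AllowedActivity' with
// columns userPrincipalName and allowedActivity; assumed source table AuditLogs.
let allowed = _GetWatchlist('AllowedActivity')
    // Normalise case so the join below is not defeated by mixed-case UPNs.
    | project userPrincipalName = tolower(userPrincipalName), allowedActivity;
// Backtest window pinned explicitly (assumed dates). Change these to replay a
// different period; no set statement is required for the query itself to run.
let backtestStart = datetime(2023-10-01);
let backtestEnd   = datetime(2023-10-15);
AuditLogs
| where TimeGenerated between (backtestStart .. backtestEnd)
| extend actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
// leftanti keeps only rows that have NO matching (user, activity) pair in the
// watchlist, i.e. activity that is not on the allow list and should alert.
| join kind=leftanti allowed
    on $left.actor == $right.userPrincipalName,
       $left.OperationName == $right.allowedActivity
| project TimeGenerated, actor, OperationName, Result
```

Because the allow list is keyed on the (user, activity) pair rather than on the user alone, an account that is permitted one operation is still surfaced when it performs a different one; when comparing against the simulation graph, keep the let-bound window equal to the rule's lookback so the two result sets are over the same data.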