Forum Discussion
Jeff Walzer
Mar 02, 2020, Iron Contributor
Question on "Anomalous sign-in location by user account and authenticating application" query
Trying to determine if there is a need to modify the query as it states:
//The original alert's time-frame filter, which should be added to each table in the query is:
//"where TimeGenerated between (datetime(2/16/2020 5:43:38 PM)..datetime(3/1/2020 5:43:38 PM))"
And the query has a few “where TimeGenerated” calls:
| where TimeGenerated >= startofday((datetime(3/1/2020 5:43:38 PM)-(lookBack_long)))
Should these be changed to "| where TimeGenerated between (datetime(2/17/2020 7:00:00 AM)..datetime(3/1/2020 7:00:00 AM))", or does "-lookBack_long" cover the 14 day period?
Jeff Walzer, Iron Contributor
Never mind, as I figured out that I simply enter the date/time range of when the event occurred to see the event that triggered the alert.
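The following query is an added illustration of the time-window point raised in the thread; it is not the Sentinel template's own code and not part of the original posts. It assumes two things the thread does not state: that the table being queried is SigninLogs and that lookBack_long is 14d. Under those assumptions, startofday(endTime - lookBack_long) evaluates to 2/16/2020 00:00:00, which is the alert's 14-day span plus the part of 2/16 before 5:43:38 PM, and the template-style ">=" filter has no upper bound at all, so it would also read sign-ins newer than the alert. Applying the same between filter to every table reproduces the alert's window exactly:

```kusto
// Added illustrative query; not the Sentinel template's own code.
// Assumed (not from the thread): the table is SigninLogs and lookBack_long is 14d.
let lookBack_long = 14d;
// End of the alert's window, taken from the thread; the template uses this
// datetime as the reference point for its lower bound.
let endTime = datetime(3/1/2020 5:43:38 PM);
// startofday() rounds the lower bound down to midnight, so this evaluates to
// 2/16/2020 00:00:00, a little earlier than the alert's own 2/16/2020 5:43:38 PM.
let startTime = startofday(endTime - lookBack_long);
SigninLogs
// Apply the same window to every table the query reads. The upper bound is
// what makes this equivalent to the alert's "between" filter; a bare
// ">= startTime" would also scan sign-ins that arrived after the alert fired.
| where TimeGenerated between (startTime .. endTime)
| where ResultType == "0"   // successful sign-ins only
| summarize SignInCount = count(),
            Locations = make_set(Location),
            Apps = make_set(AppDisplayName)
    by UserPrincipalName
// Accounts that signed in from more than one location inside the window are
// the ones worth reviewing against the alert's findings.
| where array_length(Locations) > 1
| order by SignInCount desc
```

When checking a fired alert, set endTime to the alert's end time and keep lookBack_long equal to the template's value; the bounded window then returns the same rows the rule evaluated, whereas a lower-bound-only filter run later returns a superset.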