Forum Discussion
stianhoydal
Sep 09, 2021, Brass Contributor
Azure Sentinel triggers incident when it shouldn't
Greetings, I just ran into something interesting. I have created an analytics rule that looks like this:
let exceptionUsers = IdentityInfo
| where TimeGenerated > ago(22d) //IdentityInfo refreshe...
GaryBushey
Sep 10, 2021, Bronze Contributor
It looks right. I would double check the values you are getting in your custom tables to make sure they are matching what you are seeing in the SigninLogs.
You may also want to use a Watchlist for the locations to make it easier to keep up to date.
stianhoydal
Sep 14, 2021, Brass Contributor
For anyone else that might have been wondering, seemingly the best way I found to make this work is to fetch the AAD group members into a custom table and update this according to how often you would want to run the analytics rule, since the analytics rule wizard overrides any time references made in a query. If I want the query to run every 1 hour with the latest 1 hour of data, I would need to update the custom table every 1 hour or less.
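The pattern described in the thread, written out as an added example (not the original poster's rule): the exception users come from a custom table that is refreshed at least as often as the rule runs, so its rows fall inside the rule's lookback window, and the approved locations come from a Watchlist as GaryBushey suggested. The custom table name AADGroupMembers_CL, its column UserPrincipalName_s, and the Watchlist alias ApprovedLocations with its Location column are assumptions; adjust them to your own names.

```kql
// Added example, not from the original thread.
// Assumed names: custom table AADGroupMembers_CL (column UserPrincipalName_s),
// Watchlist alias ApprovedLocations (column Location).
// ruleFrequency must equal both the rule's run interval and its lookback period,
// because the scheduler caps how far back the query can actually read.
let ruleFrequency = 1h;
// Only rows pushed since the last run are visible inside the lookback window,
// which is why the custom table has to be refreshed every hour or more often.
let exceptionUsers = AADGroupMembers_CL
    | where TimeGenerated > ago(ruleFrequency)
    | summarize by UserPrincipalName = tolower(UserPrincipalName_s);
// Watchlists are not subject to the lookback window, so they suit static data
// such as the list of approved sign-in locations.
let approvedLocations = _GetWatchlist('ApprovedLocations')
    | project Location = tostring(Location);
SigninLogs
| where TimeGenerated > ago(ruleFrequency)
| where ResultType == "0"                        // successful sign-ins only
| extend UserPrincipalName = tolower(UserPrincipalName)
| join kind=leftanti exceptionUsers on UserPrincipalName   // drop excepted users
| join kind=leftanti approvedLocations on Location         // drop approved locations
| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName
```

If the custom table is refreshed less often than ruleFrequency, exceptionUsers is empty on some runs and the rule fires for users who should have been excluded, which is the behaviour reported at the top of the thread.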