isurudiv
Feb 07, 2022 · Copper Contributor
Sentinel query works in Logs but not as an Analytics Rule
Hi, I have a strange occurrence where a KQL query does not return any results when it's saved as an Analytics Rule. But when the KQL is copied to the Logs, it returns data. Below is the query. I...
Clive_Watson
Feb 08, 2022 · Bronze Contributor
Rules are limited to a 14-day lookback for performance reasons.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
...
Set "Lookup data from the last" to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
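A quick way to confirm that the 14-day limit is the cause is to check where in time the rows your rule matches actually sit. The query below is an added diagnostic, not code from the thread; it assumes the rule reads from the standard SigninLogs table and uses a placeholder filter in place of the rule's own logic.

```kql
// Added diagnostic, not from the thread. Assumes the rule query reads from SigninLogs
// (a standard Microsoft Sentinel table); replace the table and filter with the ones
// your rule uses. Run it in Logs with a wide time range (for example 30 days) to see
// when the matching rows occurred. An Analytics Rule looks back at most 14 days, so
// any match older than ago(14d) is invisible to the rule even though Logs returns it.
SigninLogs
| where ResultType != "0"            // placeholder standing in for the rule's own filter
| summarize Matches = count(),
            Oldest = min(TimeGenerated),
            Newest = max(TimeGenerated),
            WithinRuleWindow = countif(TimeGenerated > ago(14d))
| extend RuleWouldFire = WithinRuleWindow > 0
```

If Matches is greater than zero but WithinRuleWindow is zero, the rule is behaving as designed: the data it would need is older than the maximum lookback, and the rule's query period or the detection logic has to be adjusted rather than the rule itself being broken.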
Clive_Watson
Feb 08, 2022 · Bronze Contributor
One option to work around this is:
Tiander did a great webcast here: https://www.youtube.com/watch?v=G6TIzJK8XBA&t=3152s – watch it all but “14days use case” starts at 42min