What is leading? Query scheduling? Or the lookback in the query?

Question

Hi,&nbsp;For an Analystic rule (scheduled KQL query), I can set the Query scheduling -&gt; Lookup Data From Last X time:However, for a sub-query, I want to perform a lookback of the data for the last 7 days. Is this possible? Which lookback is leading? The one set in the query config, or the one set in the query?&nbsp;I couldn't find my answer in the documentation :')

majo01 · Answer

Luizao_f&nbsp; The 20 minutes is the one taken into account, and it overrides the scheduled 2-hours. If the time period that's set inline in query code is shorter than the period set in rule settings, the inline period takes precedence. If it is longer, the period set in the rule settings takes precedence.

garybushey · Answer

ceesmandjes&nbsp;The Query scheduling take precedence over the KQL Query that was entered.&nbsp; There used to be a message when creating/editing an Analytic rule that stated it but it seems to be gone now.&nbsp; The one that is there now is a bit confusing.

luizao_f · Answer

Good night,&nbsp;GaryBushey&nbsp;Maybe you can help me.I am having some information conflicts in this regard.&nbsp;In the incident [52080], the first alert generated informs that the search frame is in 2 hours retroactive, as it was configured in the rule in 2 hours retroactive.&nbsp;&nbsp;In the query, a 20-minute retroactive team was defined.&nbsp;When entering the event log, when going to Time Range, the 2-hour retroactive time is configured, as configured in the rule, being the same value found in [Time Frame] when the incident was generated. So far, everything as expected.&nbsp;From here the confusion begins with information.&nbsp;Upon entering the logs of the generated alert, he informs that the logs that matched the query were active [MGKUBERAPLH3], with quantity [14] between the time [1/13/2021, 8: 32: 57.963 PM] and [1 / 13/2021, 8: 42: 32.257 PM].&nbsp;But when defining the search with the timegererated parameter with the same time that is in the [Time Frame] of the incident, that is, two retroactive hoars, it does not bring the real information to the host [MGKUBERAPLH3] of the incident, but with a new quantity number [132] and new times between the 2-hour retroactive range.&nbsp;If I modify the query to insert the retroactive value of 20 minutes, as defined in the query at the time of creation, the values ​​of the asset that was triggered in the incident are the same, being[MGKUBERAPLH3], with the amount [14] between the time [1/13/2021, 8: 32: 57.963 PM] and [1 / 13/2021, 8: 42: 32.257 PM].&nbsp;Question X is: If I set a time value in the 20 minute query and I set the schedule as 2 hours retroactive, what is taken into account?Because the alert time frame in the incident is reported 2 hours, but the KQL results are based on 20 minutes?&nbsp;&nbsp;&nbsp;

garybushey · Answer

Luizao_f&nbsp;When running the query as part of an analytic rule, the times set for the "Run query every" and "Lookup data from the last" will override any of the times set inside the query itself.&nbsp;I am not sure why you are seeing all the different results when looking at the alert.

Forum Discussion

What is leading? Query scheduling? Or the lookback in the query?

Share

Resources