Question on "Anomalous sign-in location by user account and authenticating application" query

Highlighted
Contributor

Trying to determine if there is a need to modify the query as it states:

 

//The original alert's time-frame filter, which should be added to each table in the query is:

//"where TimeGenerated between (datetime(2/16/2020 5:43:38 PM)..datetime(3/1/2020 5:43:38 PM))"

 

And the query has a few “where TimeGenerated” calls:

 

| where TimeGenerated >= startofday((datetime(3/1/2020 5:43:38 PM)-(lookBack_long)))

 

Should these be changed to, “| where TimeGenerated between (datetime(2/17/2020 7:00:00 AM)..datetime(3/1/2020 7:00:00 AM)), or, does “-lookback_long” cover the 14 day period?

1 Reply
Highlighted

@Jeff Walzer- Never mind as I figured out I simply enter the date time range of when the event occurred to see the event the triggered the alert