Question on "Anomalous sign-in location by user account and authenticating application" query


Trying to determine if there is a need to modify the query as it states:


//The original alert's time-frame filter, which should be added to each table in the query is:

//"where TimeGenerated between (datetime(2/16/2020 5:43:38 PM)..datetime(3/1/2020 5:43:38 PM))"


And the query has a few “where TimeGenerated” calls:


| where TimeGenerated >= startofday((datetime(3/1/2020 5:43:38 PM)-(lookBack_long)))


Should these be changed to “| where TimeGenerated between (datetime(2/17/2020 7:00:00 AM)..datetime(3/1/2020 7:00:00 AM))”, or does “-lookBack_long” cover the 14-day period?

1 Reply

@Jeff Walzer - Never mind, I figured out that I simply enter the date/time range of when the event occurred to see the event that triggered the alert.
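To make the relationship between the two filters in the question concrete, here is an added example (not part of the original thread or of the Sentinel query itself) that reproduces the window arithmetic in Python. It assumes lookBack_long is 14 days, as the question implies, takes the alert time frame from the query's own header comment, and runs both filters over a few constructed sign-in rows so the difference between `between (alert start .. alert end)` and `>= startofday(alert end - lookBack_long)` is visible row by row.

```python
from datetime import datetime, timedelta

# Alert time frame quoted in the query's header comment.
ALERT_START = datetime(2020, 2, 16, 17, 43, 38)
ALERT_END = datetime(2020, 3, 1, 17, 43, 38)

# Assumption: the query's lookBack_long is 14 days (the "14 day period" in the question).
LOOKBACK_LONG = timedelta(days=14)


def kql_startofday(t):
    """Mirror KQL startofday(): truncate a datetime to midnight of the same day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def lookback_window(end, lookback):
    """Window selected by `| where TimeGenerated >= startofday(end - lookback)`,
    with the alert end time as the upper bound. Returns (start, end), inclusive
    on both ends like KQL `between`."""
    return (kql_startofday(end - lookback), end)


def contains(outer, inner):
    """True if the outer (start, end) window fully covers the inner one."""
    return outer[0] <= inner[0] and outer[1] >= inner[1]


def filter_rows(rows, window):
    """Keep rows whose TimeGenerated falls inside window, inclusive, like KQL `between`."""
    start, end = window
    return [r for r in rows if start <= r["TimeGenerated"] <= end]


def rows_only_in(rows, wide, narrow):
    """Rows matched by the wide window but not by the narrow one, i.e. what the
    lookback filter returns beyond the alert's own time frame."""
    narrow_rows = filter_rows(rows, narrow)
    return [r for r in filter_rows(rows, wide) if r not in narrow_rows]


def kql_between_filter(window):
    """Render a window as the `between` clause from the query header, for pasting."""
    start, end = window
    fmt = "%Y-%m-%d %H:%M:%S"
    return "| where TimeGenerated between (datetime({})..datetime({}))".format(
        start.strftime(fmt), end.strftime(fmt))


# Constructed sample sign-in rows (not real log data).
SAMPLE_ROWS = [
    # Before startofday(alert end - 14d): excluded by both filters.
    {"TimeGenerated": datetime(2020, 2, 15, 23, 59, 0), "UserPrincipalName": "alice@contoso.example", "Location": "US"},
    # Same calendar day as the alert start but before 5:43:38 PM: only the lookback filter keeps it.
    {"TimeGenerated": datetime(2020, 2, 16, 3, 12, 0), "UserPrincipalName": "alice@contoso.example", "Location": "BR"},
    # Inside both windows.
    {"TimeGenerated": datetime(2020, 2, 20, 9, 0, 0), "UserPrincipalName": "alice@contoso.example", "Location": "US"},
    # After the alert end: excluded by both filters.
    {"TimeGenerated": datetime(2020, 3, 1, 18, 0, 0), "UserPrincipalName": "alice@contoso.example", "Location": "US"},
]


if __name__ == "__main__":
    alert_frame = (ALERT_START, ALERT_END)
    lookback = lookback_window(ALERT_END, LOOKBACK_LONG)
    print("alert frame   :", kql_between_filter(alert_frame))
    print("lookback frame:", kql_between_filter(lookback))
    print("lookback covers alert frame:", contains(lookback, alert_frame))
    for r in rows_only_in(SAMPLE_ROWS, lookback, alert_frame):
        print("matched by lookback only:", r["TimeGenerated"], r["Location"])
```

The lookback filter starts at midnight of the day that is lookBack_long before the alert end, so it always covers the alert's own frame and also pulls in the earlier part of that first day; swapping it for the narrower `between` clause drops those extra rows, which changes the sign-in baseline the query builds and therefore what it reports as anomalous.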