May 19 2021
09:01 AM
- last edited on
Dec 23 2021
11:02 AM
by
TechCommunityAP
Due to the 10,000 row limit within KQL, we are working with running scan for just specific time ranges.
Query:
IdentityLogonEvents
| where LogonType == "Failed logon" and isnotempty(AccountName)
| project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName
| where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))
However, the datetime is not working correctly; we still get whatever option is selected in the GUI. When I test this in the lademo area, I get "Set in query".
Any help/advice on how to get the date range to work in query?
Also, it's odd how the 10,000 limit is not in a row. For example, if we did 5/5 - 5/8 and we limited out, we would get results for all dates but not all the data.
Cheers,
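An added example, not from the original post, of the same IdentityLogonEvents query with the time bound applied to the original Timestamp column before the project step renames it to LogonTime, then summarized per account and day so the result stays well under the 10,000 row cap while still surfacing accounts with bursts of failed logons. Column names are the ones used in the post; the 20-failure review threshold and the let-bound window are assumptions.

```kql
// Added example (not from the original post). Bind the window once so it is
// easy to change; ISO 8601 literals with zero-padded month and day.
let start = datetime(2021-05-02);
let end   = datetime(2021-05-03);
IdentityLogonEvents
// Filter on Timestamp first: after "project LogonTime = Timestamp" the
// column Timestamp is no longer in the result set, only LogonTime is.
| where Timestamp between (start .. end)
| where LogonType == "Failed logon" and isnotempty(AccountName)
| project LogonTime = Timestamp, LogonType, Application, FailureReason,
          AccountName, AccountUpn, DeviceName, DestinationDeviceName
// Aggregate instead of returning raw rows, so a multi-day window does not
// hit the 10,000 row cap and silently drop part of each day's data.
| summarize FailedLogons    = count(),
            DistinctSources = dcount(DeviceName),
            Targets         = make_set(DestinationDeviceName, 10),
            Reasons         = make_set(FailureReason, 5)
    by AccountUpn, Day = bin(LogonTime, 1d)
// Assumed threshold: accounts with 20 or more failures in a day get reviewed
// (password spray or brute-force candidates); tune to your environment.
| where FailedLogons >= 20
| order by FailedLogons desc
```

Once the summarized view identifies an account and day of interest, re-run the projected (non-summarized) form of the query with start and end narrowed to that day to pull the individual rows.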