What is leading? Query scheduling? Or the lookback in the query?

New Contributor

Hi,

 

For an Analystic rule (scheduled KQL query), I can set the Query scheduling -> Lookup Data From Last X time:

Screenshot 2020-12-11 at 3.27.08 PM.png

However, for a sub-query, I want to perform a lookback of the data for the last 7 days.

Screenshot 2020-12-11 at 3.30.32 PM.png

Is this possible? Which lookback is leading? The one set in the query config, or the one set in the query?

 

I couldn't find my answer in the documentation :')

4 Replies

@ceesmandjes The Query scheduling take precedence over the KQL Query that was entered.  There used to be a message when creating/editing an Analytic rule that stated it but it seems to be gone now.  The one that is there now is a bit confusing.

Good night, @Gary Bushey 

Maybe you can help me.

I am having some information conflicts in this regard.

 

In the incident [52080], the first alert generated informs that the search frame is in 2 hours retroactive, as it was configured in the rule in 2 hours retroactive.

 

01.png

 

In the query, a 20-minute retroactive team was defined.

 

When entering the event log, when going to Time Range, the 2-hour retroactive time is configured, as configured in the rule, being the same value found in [Time Frame] when the incident was generated. So far, everything as expected.

 

From here the confusion begins with information.

 

Upon entering the logs of the generated alert, he informs that the logs that matched the query were active [MGKUBERAPLH3], with quantity [14] between the time [1/13/2021, 8: 32: 57.963 PM] and [1 / 13/2021, 8: 42: 32.257 PM].

 

02.PNG

But when defining the search with the timegererated parameter with the same time that is in the [Time Frame] of the incident, that is, two retroactive hoars, it does not bring the real information to the host [MGKUBERAPLH3] of the incident, but with a new quantity number [132] and new times between the 2-hour retroactive range.

04.png

 

If I modify the query to insert the retroactive value of 20 minutes, as defined in the query at the time of creation, the values ​​of the asset that was triggered in the incident are the same, being
[MGKUBERAPLH3], with the amount [14] between the time [1/13/2021, 8: 32: 57.963 PM] and [1 / 13/2021, 8: 42: 32.257 PM].

 

03.png


Question X is: If I set a time value in the 20 minute query and I set the schedule as 2 hours retroactive, what is taken into account?
Because the alert time frame in the incident is reported 2 hours, but the KQL results are based on 20 minutes?

 

 

 

@Luizao_f When running the query as part of an analytic rule, the times set for the "Run query every" and "Lookup data from the last" will override any of the times set inside the query itself.

 

I am not sure why you are seeing all the different results when looking at the alert.

@Luizao_f  The 20 minutes is the one taken into account, and it overrides the scheduled 2-hours. If the time period that's set inline in query code is shorter than the period set in rule settings, the inline period takes precedence. If it is longer, the period set in the rule settings takes precedence.