Forum Discussion

sonnguyen28
Copper Contributor
Mar 16, 2022

Advanced Hunting query results mismatch with Custom Detection run results

Hi all,

Recently I have written an advanced hunting query to find abnormal process behavior. However, when I created a custom detection rule from that query (frequency: every hour), some of the alerts it generated somehow did not exist in the query results.

This is my query:

 

 

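// Tunables. Kept as named constants so the baseline and lookback can be
// changed in one place instead of inside the filters below.
let BaselineWindow = 30d;      // how far back a process must have been seen to count as "known"
let MinBaselineCount = 10;     // network events needed inside BaselineWindow to count as "known"
let LookbackWindow = 1h;       // window of file-creation events inspected per run
// NOTE(review): every time filter in this query is anchored on now() (the run time).
// A custom detection rule evaluates the query on its own schedule, so an alert it
// raised at 03:00 covers a different LookbackWindow - and, after UTC midnight, a
// different "today" baseline - than a later manual run in Advanced Hunting. Rerun
// with an explicit Timestamp window when trying to reproduce a rule's alert.
// NOTE(review): both allowlists below match attacker-influenced strings (the
// binary's VersionInfo description and its folder path). Consider tightening
// them with a hash or signer condition (e.g. InitiatingProcessSHA256) if this
// is used for alerting rather than triage - confirm the columns available in
// your tenant's schema.
//
// Allowlisted initiating-process paths. `matches regex` is an unanchored
// search, so no leading/trailing `.*` wrapper is needed; `(?i)` makes the
// match case-insensitive. Backslashes are doubled once for the KQL string and
// once more for the regex, so `\\\\` is one literal backslash in the path.
let WLRegex = strcat("(?i)(", strcat_array(dynamic(
[
    "c:\\\\program files \\(x86\\)\\\\htkk\\\\autoupdate\\\\client_versionupdate.exe",
    "c:\\\\windows\\\\softwaredistribution\\\\download\\\\install\\\\mpsigstub.exe",
    "logioptionsplus_installer.app/contents/macos/logioptionsplus_installer",
    "crashpadhandlerwindows.exe",
    "/users/[^/]+/library/application support/logmeininc/gotomeeting/g2mupdate",
    "c:\\\\windows\\\\winsxs\\\\amd64_microsoft-windows-.*\\\\TiWorker.exe",
    "/applications/vmware fusion.app/contents/macos/vmware fusion",
    "/users/time/library/application support/jetbrains",
    "/applications/discord.app/contents/macos/discord"
]
), "|"), ")");
// Allowlisted VersionInfo file descriptions, matched with has_any (term match,
// case-insensitive) directly on each row. The previous version materialised
// this list into a distinct set with a full DeviceFileEvents scan and then
// used `!in`; a row is in that set exactly when its own description matches,
// so the row-level predicate is equivalent and saves the scan.
let WLFileDescriptions = dynamic([
    "Microsoft Malware Protection Signature Update Stub", "Brother Software Installer", "SpotifyInstaller", "IE Tab Helper application",
    "DCFWinService", "DSAService", "Razer Synapse 3", "Zoom Opener", "7-Zip GUI", "Telegram Desktop",
    "Windows Driver Foundation - User-mode Driver Framework Host Process", "P-touch Editor",
    "Lenovo.Modern.ImController", "Microsoft (R) HTML Application host", "Greenshot", "Microsoft .NET Error Reporting Shim",
    "Windows Defender Advanced Threat Protection Service Executable", "Windows Defender Advanced Threat Protection Sense IR module",
    "Windows Defender Advanced Threat Protection Communications module", "Dropbox 144.4.4491 Installer", "GameManagerService", "BkavCA Signer Plugin 2.0",
    "Dell Data Vault Data Collector Service", "Webex", "TokenManager", "Windows Explorer", "Adobe Acrobat DC", "Google Installer", "Search application", "Snagit Editor",
    "Firefox", "Manages coordination of Microsoft Office products and their related installs and updates", "Office Telemetry Dashboard Agent (OTD msoia)"
]);
// UTC midnight of the current day. startofday(now()) is what the hand-rolled
// unix-time arithmetic computed before (floor to whole days since the epoch).
let Today = startofday(now());
// Baseline: processes that made outbound connections more than MinBaselineCount
// times in the BaselineWindow ending at today's midnight. A process seen only a
// handful of times in that window is NOT in the baseline and will therefore be
// reported as "new" below - that is the intended rarity threshold; lower
// MinBaselineCount if it produces too many repeats.
let KnownOutboundProcess = DeviceNetworkEvents
| where isnotempty(InitiatingProcessFileName)
    and Timestamp <= Today
    and Timestamp > (Today - BaselineWindow)
| summarize Total = count() by InitiatingProcessFileName
| where Total > MinBaselineCount;
// Processes with outbound connections today that are not in the baseline.
// Note the set changes at UTC midnight, when today's events move into the
// baseline window.
let NewOutboundProcess = DeviceNetworkEvents
| where isnotempty(InitiatingProcessFileName)
    and Timestamp > Today
    and InitiatingProcessFileName !in (KnownOutboundProcess)
| summarize by InitiatingProcessFileName;
// Files created in the lookback window by a "new" outbound process that is
// not allowlisted by description or by path.
DeviceFileEvents
| where ActionType == "FileCreated"
    and Timestamp > ago(LookbackWindow)
    and InitiatingProcessFileName in (NewOutboundProcess)
    and not(InitiatingProcessVersionInfoFileDescription has_any (WLFileDescriptions))
    and not(InitiatingProcessFolderPath matches regex WLRegex)
| project-reorder InitiatingProcessVersionInfoFileDescription, InitiatingProcessFolderPath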

 

 

 

