Azure Sentinel - Analytics - Rare RDP Connections Template - Possible Bug?
Category: azure log integration
Question
Luke Riot on Tue, 19 May 2020 23:33:58
Am getting some false positives with this standard template.
Is it possible the Rule query should be:
| where TimeGenerated between (ago(endtime) .. ago(starttime))
Instead of:
| where TimeGenerated between (ago(starttime) .. ago(endtime))
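Which ordering is right depends on how starttime and endtime are defined in the rule's let statements, not on the between clause alone: KQL's between (a .. b) keeps rows with a <= TimeGenerated <= b, so ago(starttime) must be the earlier bound. The following Python model is added here as an illustration (it is not from the thread, the Sentinel template, or Microsoft's code); it models ago() and between over a constructed set of RDP logon events and assumes, as in Kusto, that an inverted range matches no rows.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2020, 5, 19, 23, 33, 58, tzinfo=timezone.utc)


def ago(duration: timedelta, now: datetime = NOW) -> datetime:
    """Model of KQL ago(): the instant `duration` before now."""
    return now - duration


def between(value: datetime, lower: datetime, upper: datetime) -> bool:
    """Model of KQL `between (lower .. upper)`: inclusive range.
    Assumption: if lower > upper the range is empty and nothing matches."""
    return lower <= value <= upper


# Constructed sample of RDP logon events, expressed as offsets before NOW.
SAMPLE_EVENTS = [
    {"Computer": "host-a", "Account": "svc1", "TimeGenerated": NOW - timedelta(hours=6)},
    {"Computer": "host-b", "Account": "admin", "TimeGenerated": NOW - timedelta(days=3)},
    {"Computer": "host-c", "Account": "ops", "TimeGenerated": NOW - timedelta(days=10)},
    {"Computer": "host-d", "Account": "old", "TimeGenerated": NOW - timedelta(days=20)},
]


def filter_window(events, starttime: timedelta, endtime: timedelta, swapped: bool = False):
    """Apply `| where TimeGenerated between (ago(starttime) .. ago(endtime))`
    to `events`; with swapped=True apply the proposed
    `between (ago(endtime) .. ago(starttime))` instead.
    Returns the Computer names of the rows that survive the filter."""
    lower, upper = ago(starttime), ago(endtime)
    if swapped:
        lower, upper = upper, lower
    return [e["Computer"] for e in events if between(e["TimeGenerated"], lower, upper)]


def window_is_valid(starttime: timedelta, endtime: timedelta) -> bool:
    """True when ago(starttime) .. ago(endtime) is a non-empty range,
    i.e. when starttime reaches further back than endtime."""
    return ago(starttime) <= ago(endtime)


def matches_for(start_days: int, end_days: int, swapped: bool = False):
    """Convenience wrapper taking the let values as whole days."""
    return filter_window(SAMPLE_EVENTS, timedelta(days=start_days),
                         timedelta(days=end_days), swapped)


if __name__ == "__main__":
    for start, end in ((14, 1), (1, 14)):
        print(f"let starttime = {start}d; let endtime = {end}d;")
        print("  template ordering ago(starttime)..ago(endtime):",
              matches_for(start, end), "valid" if window_is_valid(
                  timedelta(days=start), timedelta(days=end)) else "EMPTY RANGE")
        print("  proposed ordering ago(endtime)..ago(starttime):",
              matches_for(start, end, swapped=True))
```

Running it shows the two orderings are mirror images: with starttime = 14d and endtime = 1d the template's ordering keeps the events 3 and 10 days old and the proposed one keeps nothing, while with the let values the other way round the results flip. So the first thing to check when the rule misfires is the pair of let values at the top of the query rather than the between line itself; note also that with endtime = 1d the 6-hour-old event is excluded by design, because the window ends one day ago.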