Update UserImpersonateByAAID.yaml

removed the time condition
Azure · Aug 31, 2023 · ad82a6b · ad82a6b
1 parent 4ebb640
commit ad82a6b
Showing 1 changed file with 0 additions and 2 deletions.
diff --git a/Detections/MultipleDataSources/UserImpersonateByAAID.yaml b/Detections/MultipleDataSources/UserImpersonateByAAID.yaml
@@ -21,7 +21,6 @@ relevantTechniques:
 query: |
  // Retrieve SecurityAlerts generated within the last day
   SecurityAlert 
-  | where TimeGenerated >= ago(1d)
   // Filter alerts for Azure Active Directory Identity Protection and High severity
   | where ProductName has "Azure Active Directory Identity Protection"
   | where AlertSeverity == "High"
@@ -40,7 +39,6 @@ query: |
   // Perform an inner join with AWS CloudTrail events
   | join kind=inner (
       AWSCloudTrail
-      | where TimeGenerated >= ago(1d)
       | where isempty(ErrorMessage)
       //|where EventSource == "iam.amazonaws.com"
       | extend UserType = tostring(parse_json(RequestParameters).userType)