Anayltics Rules - kql should have access to Query scheduling settings (run query/lookup data values)

[JiTmun]

Is your feature request related to a problem?

When an analytic rule has a "run Query" different than the "lookup data", we need to hardcode the same values into the kql, which is error prone.

Describe the solution you'd like

A kql when evaluated by sentinel should have access to scheduling its analytic rule scheduling settings, like a kind of environnement variable.
Workbooks already have a similar feature to call workbook parameters into kqls, cf here

Describe alternatives you've considered

for now I first define Scheduling settings in the GUI

Then my KQLs looks like;

let runFrequency = ago(5m); // should be replace by a 
let data_lookup = ago(14d);
SecurityEvent
| where TimeGenerated > data_lookup
// some field extraction
| as data
// keep alerting data
| where TimeGenerated > runFrequency
// discard baseline
| join kind = leftanti (data |where TimeGenerated between (data_lookup .. runFreqeuncy)) on <some columns>

[v-rusraut]

Hi @JiTmun, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-rusraut]

Hi @JiTmun,
While creating Analytical Rule, there is option available for query scheduling, please refer below screen shot.

If you are referring to a different issue other than the information above, please provide detailed information about your issue.

[JiTmun]

I know, but if you create a use case which should raise an alert each hours if the same behaviour has not been seen on the past 14d, you must set the scheduling settings in your screenshot with:

• "Lookup data for the last" = 14days
• "Run query every" = 1h

You also need to hardcode it in the query itself, because by default a kql get all the data for the period now() to "Lookup data for the last". Without harcoding it, a rule running every hour with data on the past 14d could generate an incident every hours for 14days. (

The goal would be to only set Scheduling settings in the GUI like as in you screenshot, and use some placeholders in the kql to point to the defined scheduling settings.
Then, the Kql could look like

SecurityEvent
| where TimeGenerated > {:points to "Lookup data for the last":}
// some field extraction
| as data
// keep alerting data
| where TimeGenerated >  {:reference "run query every":}
// discard baseline
| join kind = leftanti (
                         data
                         | where TimeGenerated between ( {:reference "Lookup data for the last":} ..  {:reference "run query every":})
                         ) on <some columns>

[v-rusraut]

Hi @JiTmun, Thank you for your suggestion. We understand the convenience of having placeholders for scheduling settings in KQL. However, at this time, it is not possible, as a workaround, you can define scheduling settings in the GUI and reference them in your KQL queries manually. closing this issue now, if you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation