J
james kay1
How can i get this query to only return unique users within 3days range instead of repeating an alert with the same location after the first one is closed.let timeframe = ago(3h); let threshold = 2; imAuthentication | where TimeGenerated > timeframe | where EventType == 'Logon' and EventResult == 'Success' | where isnotempty(SrcGeoCountry) | summarize StartTime = min(TimeGenerated) , EndTime = max(TimeGenerated) , Vendors = make_set(EventVendor, 128) , Products = make_set(EventProduct, 128) , NumOfCountries = dcount(SrcGeoCountr
Continue reading...
Continue reading...
