Scheduled query look back period
13 October 2025 at 02:22
I need to create a Sentinel analytic rule which checks whether any TI IP from the last 30 days matches any CommonSecurityLog IP from today, as the query is scheduled to run every 24 hours. What should the look back period be set to for this? Also, if the look back period is set to 30 days, will it check both the TI logs and CommonSecurityLog for the last 30 days?
I created a test alert where TimeGenerated was the last 7 days but the look back period was 1h. The alerts showed results for only 1 hour.
How can I create an alert that matches the TimeGenerated results of the actual query?
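An added example (not from the post) of a KQL query that scopes each table with its own ago() window, the way the built-in TI match rules do, so the 30-day indicator window and the 24-hour event window live inside one query. It assumes the legacy ThreatIntelligenceIndicator table and a rule "Lookup data from the last" setting at least as wide as the 30-day indicator window, since a narrower rule window is applied on top of the query's own filters (which is what the 1h observation above shows).

```kql
// Added example, not from the post: match TI indicator IPs seen in the last
// 30 days against CommonSecurityLog events from the last 24 hours.
// Assumption: the rule's lookback setting covers ioc_lookBack; otherwise the
// scheduler's narrower window silently shrinks the indicator range.
let dt_lookBack  = 1d;   // event window: one scheduling interval (rule runs every 24h)
let ioc_lookBack = 30d;  // indicator window: how far back to pull TI IPs
let indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
    | where Active == true and ExpirationDateTime > now()
    // keep only the latest version of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | project IndicatorId, TI_ipEntity, Description, ConfidenceScore, ThreatType, ExpirationDateTime;
let events = CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DeviceAction, Activity
    // one row per IP so either side of the connection can hit an indicator
    | mv-expand ipEntity = pack_array(SourceIP, DestinationIP) to typeof(string)
    | where isnotempty(ipEntity);
events
| join kind=innerunique (indicators) on $left.ipEntity == $right.TI_ipEntity
| project TimeGenerated, DeviceVendor, DeviceProduct, ipEntity, DeviceAction, Activity,
          IndicatorId, Description, ConfidenceScore, ThreatType, ExpirationDateTime
```

Map ipEntity to the IP entity in the rule's entity mapping so each match carries the indicator details into the incident.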