Forum Discussion
IdentityInfo with analytics KQL query
Hard to help without more transparency on your query, but I would set the rule to 14 days, run a 14-day lookback query on IdentityInfo using arg_max, put that into a let variable, then run a 10-min query on the target table, and join the results. You might also look at building this as an XDR rule. Worst case, set up a logic app to set up a reference watchlist.
IdentityInfo
| summarize arg_max(TimeGenerated, *) by SAMAccountName
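As an added example, not code from either participant: the watchlist variant mentioned above. The reference data is read from a Sentinel watchlist rather than from IdentityInfo, so the rule's lookback window has nothing to constrain. The watchlist name `IdentityLookup`, its `SearchKey` = SAMAccountName mapping and its `AccountObjectId` column are assumptions; something external (the logic app suggested above) has to keep it populated. Both join keys are lower-cased because KQL joins compare string keys case-sensitively.

```kql
// Added example (not from the thread). Assumes a hypothetical watchlist
// 'IdentityLookup' with SearchKey = SAMAccountName and an AccountObjectId
// column, refreshed by an external process such as a logic app.
let SamLookup = _GetWatchlist('IdentityLookup')
    | project SAMAccountName = tolower(tostring(SearchKey)),
              AccountObjectId = tostring(AccountObjectId);
// 10-minute slice of the target table; the rule frequency can match it,
// since no 14-day lookback on IdentityInfo is needed any more.
Log_source
| where TimeGenerated >= ago(10m)
| extend JoinKey = tolower(sourceProcessUsername)
| join kind=leftouter SamLookup on $left.JoinKey == $right.SAMAccountName
| project-away JoinKey, SAMAccountName
```

Rows whose user is missing from the watchlist keep an empty AccountObjectId because of the leftouter join; switch to `kind=inner` if only resolvable accounts should alert.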
This is the query I currently have:
Log_source
| where TimeGenerated >= ago(10m)
| join kind=leftouter (
IdentityInfo
| where TimeGenerated >= ago(14d)
| distinct SAMAccountName, AccountObjectId
)
on $left.sourceProcessUsername == $right.SAMAccountName
This works as intended when run as a separate query, as it properly adds the AccountObjectId for each row. However, when configuring it as an analytics rule, setting the lookup data to 14 days limits the query frequency to once an hour:
Maybe this is just the way Sentinel works, but I feel like I'm missing something and there is a more efficient way of solving this.
Marek
- AndrewBlumhardt, May 19, 2025
Microsoft
The Sentinel rule settings override your query lookback (where TimeGenerated).
It is not documented but I suspect that putting your SAM lookup table into a let table first will prevent the rule from overriding.
So run your rule every 10 min if that is your preferred frequency with a reasonable lookback like 10-15 minutes. Create a lookup table first.
let SamLookup = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by SAMAccountName;
Log_source
| project-rename SAMAccountName=sourceProcessUsername
| join SamLookup on SAMAccountName
- Marekjdj, May 21, 2025, Copper Contributor
I did some testing, but unfortunately putting the lookup in a let function is still being overridden by the rule settings. I've also tried creating the lookup table as an external function, but the lookback is still overridden.
- AndrewBlumhardt, May 21, 2025
Microsoft
Thanks for the info, good to know.
Can you create this as an XDR detection rule instead? I don't think the same restrictions apply, and this is the future direction for all detection rules.
- Marekjdj, May 20, 2025, Copper Contributor
Hey Andrew,
Thanks for the suggestion! I will be testing it for the next few days to see if it works, but from what I can tell this might have solved the problem.
Marek