Forum Discussion
How to exclude IPs & accounts from Analytic Rule, with Watchlist?
You want to stop getting false alerts for certain service accounts and machines (or IPs).
What to do:
Make a watchlist in Sentinel with two columns:
AccountName (the service account name)
DeviceName (the machine or IP you want to ignore)
In your query, load that watchlist and filter out any events where the account name and device name match a pair in the watchlist.
To exclude those pairs in your query:
Add this part to your query (replace ServiceAccountExclusion with your actual watchlist name):
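// Load the watchlist with _GetWatchlist(); a watchlist alias is not a table
// and cannot be referenced by name directly. Keep only the two join keys.
let exclusions = _GetWatchlist('ServiceAccountExclusion') | project AccountName, DeviceName;
// Later in the pipeline: drop rows whose (AccountName, DeviceName) pair is
// listed. The join is an exact, case-sensitive string match on both columns,
// so watchlist values must be spelled exactly as the events log them.
| join kind=leftanti (exclusions) on AccountName, DeviceName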
This means: ignore any events where the account name and device name together match a pair in the watchlist.
Adjusted query
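// Exclusion watchlist: (AccountName, DeviceName) pairs that must not alert.
// _GetWatchlist() is required; the watchlist alias is not a table and cannot be
// referenced by name directly. Only the two join keys are kept.
let exclusions = _GetWatchlist('ServiceAccountExclusion')
    | project AccountName, DeviceName;
// Logon types that count as interactive; accounts with any such logon are
// treated as human accounts and dropped below.
let InteractiveTypes = pack_array(
    'Interactive',
    'CachedInteractive',
    'Unlock',
    'RemoteInteractive',
    'CachedRemoteInteractive',
    'CachedUnlock'
);
// PowerShell cmdlets that appear in normal remoting session setup and are
// not reported on their own.
let WhitelistedCmdlets = pack_array(
    'prompt',
    'Out-Default',
    'out-lineoutput',
    'format-default',
    'Set-StrictMode',
    'TabExpansion2'
);
let WhitelistedAccounts = pack_array('FakeWhitelistedAccount');
DeviceLogonEvents
| where AccountName !in~ (WhitelistedAccounts)
| where ActionType == "LogonSuccess"
| where AccountName !contains "$"            // machine accounts
| where AccountName !has "winrm va_"
| extend IsInteractive = (LogonType in (InteractiveTypes))
| summarize HasInteractiveLogon = max(IsInteractive) by AccountName
| where HasInteractiveLogon == 0             // keep accounts that never log on interactively
// Keep only DeviceEvents rows for those accounts: PowerShell commands run
// under the WinRM host process (wsmprovhost.exe).
| join kind=rightsemi (
    DeviceEvents
    | where ActionType == 'PowerShellCommand'
    | where InitiatingProcessFileName =~ 'wsmprovhost.exe'
    | extend AccountName = InitiatingProcessAccountName
) on AccountName
| extend Command = tostring(extractjson('$.Command', tostring(AdditionalFields)))
| where Command !in (WhitelistedCmdlets)
// Drop rows whose (AccountName, DeviceName) pair is in the watchlist. The join
// is an exact, case-sensitive string match on both columns: watchlist values
// must be spelled exactly as the events log them, and the DeviceName column is
// compared as a name, so an IP address entry only matches if the event's
// DeviceName is that same string. A listed pair is entirely invisible to this
// rule, including activity by that account on that device that is not expected,
// so keep the list narrow and review it periodically.
| join kind=leftanti (exclusions) on AccountName, DeviceName
| summarize (Timestamp, ReportId) = arg_max(TimeGenerated, ReportId),
    make_set(Command, 100000), count(), min(TimeGenerated)
    by AccountName, AccountDomain, DeviceName, DeviceId
| order by AccountName asc
// Split the device FQDN into host and DNS domain for the alert entities.
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")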