Forum Discussion
IdentityInfo with analytics KQL query
The Sentinel rule settings override your query lookback (where TimeGenerated).
It is not documented but I suspect that putting your SAM lookup table into a let table first will prevent the rule from overriding.
So run your rule every 10 min if that is your preferred frequency with a reasonable lookback like 10-15 minutes. Create a lookup table first.
// Build the identity lookup once, with its own (long) lookback
let SamLookup = IdentityInfo
| where TimeGenerated > ago(14d)
// Keep only the latest record per account so the join is one-to-one
| summarize arg_max(TimeGenerated, *) by SAMAccountName;
// Log_source stands for whichever event table the rule actually inspects
Log_source
| project-rename SAMAccountName=sourceProcessUsername
| join SamLookup on SAMAccountName
I did some testing but unfortunately putting the lookup in a let function is still being overridden by the rule settings. I've also tried creating the lookup table as an external function, but the lookback is still overridden.
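For readers who want the skeleton above as a complete query, here is an added example (not code from either poster) in the same shape: an IdentityInfo snapshot built with arg_max, joined against a short window of Windows logon events. It assumes the event source is SecurityEvent (EventID 4624) and that the IdentityInfo columns are AccountName, AccountUPN, Department, JobTitle and Manager; adjust the names to your workspace schema. As the thread reports, a scheduled analytics rule's lookback period still governs both TimeGenerated filters, so the 14-day identity window only takes effect when the rule's own lookback is set that wide.

```kusto
// Added example, not from the thread. Column names are assumptions:
//   IdentityInfo: AccountName, AccountUPN, Department, JobTitle, Manager
//   SecurityEvent: EventID, TargetUserName, Computer, IpAddress, LogonType
// Identity lookup: one row per account, most recent record wins.
// In a scheduled analytics rule this 14d window is overridden by the rule's
// lookback period, which is why the thread ends up running the rule hourly
// with a two-week lookback.
let SamLookup = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountName
    | project AccountName, AccountUPN, Department, JobTitle, Manager;
// Event side: a short window of interactive network / RDP logons.
SecurityEvent
    | where TimeGenerated > ago(15m)
    | where EventID == 4624
    | where LogonType in (3, 10)            // 3 = network, 10 = RemoteInteractive
    | project-rename AccountName = TargetUserName
    // inner join drops logons for accounts with no identity record
    | join kind=inner SamLookup on AccountName
    | project TimeGenerated, Computer, IpAddress, LogonType,
              AccountName, AccountUPN, Department, JobTitle, Manager
```

Run it first in the Logs blade, where no rule lookback applies, to confirm the join returns rows before saving it as a rule; if the rule then returns nothing, the identity window is the first thing to check.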
- AndrewBlumhardt, May 21, 2025, Microsoft
Thanks for the info, good to know.
Can you create this as an XDR detection rule instead? I don't think the same restrictions apply, and this is the future direction for all detection rules.
- Marekjdj, Jun 02, 2025, Copper Contributor
Hi Andrew,
Sorry for the late response. For now, I've configured the rule to run only once an hour, allowing me to extend the lookup to two weeks. It's not ideal, but for now it'll have to do. Thanks!