Forum Discussion
JMSHW0420
Mar 27, 2025 (Iron Contributor)
Scheduled Analytics Rule not triggering...
Hello, I am trying to trigger the following KQL query in a custom scheduled Analytics Rule... It is to identify ANY Global Administrator and verify if they have committed any activity (Sign-in) over...
Clive_Watson
Mar 31, 2025 (Bronze Contributor)
I'd look to remove the ago(1d) line from the SigninLogs part, as the portal applies those, and retest.
You can also avoid the lowercase conversion and use the IDs:
// Role names to flag; matched case-insensitively against IdentityInfo.AssignedRoles
let PrivilegedRoles = dynamic(["Global Administrator"]);
// Latest IdentityInfo snapshot per account, reduced to accounts holding a privileged role
let PrivilegedIdentities =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | where AssignedRoles in~ (PrivilegedRoles)
    | summarize AssignedRoles = make_set(AssignedRoles)
        by AccountObjectId, AccountSID, AccountUPN, AccountDisplayName, JobTitle, Department;
// Join on the object ID rather than a lowercased UPN; no ago() filter here, the
// scheduled rule's query period supplies the time window
SigninLogs
| join kind=inner PrivilegedIdentities on $left.UserId == $right.AccountObjectId
| project
    TimeGenerated,
    AccountDisplayName,
    AccountObjectId,
    AccountUPN,
    UserPrincipalName,
    AppDisplayName,
    ResultType,
    ResultDescription,
    IPAddress,
    LocationDetails
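A diagnostic variant of the same query, added here as an example and not part of the thread: run in the Logs blade before scheduling, it keeps privileged accounts that had no sign-ins in the window so an empty rule result can be traced to the IdentityInfo side or the SigninLogs side. The 1d lookback is an assumption standing in for whatever query period the rule is configured with.

```kql
// Stand-in for the rule's "Lookup data from the last" period (assumed value)
let LookbackPeriod = 1d;
let PrivilegedRoles = dynamic(["Global Administrator"]);
// Left side of the rule's join: if this is empty (UEBA/IdentityInfo not populated,
// or the role is labelled differently) the scheduled rule can never fire
let PrivilegedIdentities =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | where AssignedRoles in~ (PrivilegedRoles)
    | project AccountObjectId, AccountUPN, AccountDisplayName;
// Right side: sign-in activity per user object ID inside the window.
// ResultType is a string column in SigninLogs, so compare against "0", not 0
let SignInActivity =
    SigninLogs
    | where TimeGenerated > ago(LookbackPeriod)
    | summarize SignIns = count(),
                FailedSignIns = countif(ResultType != "0"),
                LastSignIn = max(TimeGenerated)
        by UserId;
// leftouter keeps privileged accounts with zero sign-ins visible instead of silently
// dropping them as the rule's inner join does; rows with SignIns == 0 explain a quiet rule
PrivilegedIdentities
| join kind=leftouter SignInActivity on $left.AccountObjectId == $right.UserId
| project AccountUPN, AccountDisplayName,
          SignIns = coalesce(SignIns, long(0)),
          FailedSignIns = coalesce(FailedSignIns, long(0)),
          LastSignIn
| order by SignIns asc
```

If this returns no rows at all, the problem is on the IdentityInfo side; if it returns rows with SignIns of 0 only, the rule is correct but nothing matched in the period.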