Forum Discussion
Sentinel query works in Logs but not as an Analytics Rule
Hi, I have a strange occurrence where a KQL query does not return any results when it's saved as an Analytics Rule. But when the KQL is copied to the Logs, it returns data. Below is the query.
I'm simply trying to find out the users who have not logged into the tenant for the last 45 days and generate an alert.
// Sign-ins older than start_time are out of scope; a user with no successful
// sign-in in the last inactive_days is reported.
let start_time = 90d;
let inactive_days = 45d;
// Users with at least one successful sign-in inside the inactivity window.
let active_users = (
SigninLogs
| where TimeGenerated > ago(inactive_days)
| where ResultType == 0
// Assignment (=), not comparison (==). A fresh name is used because UserId
// already exists in SigninLogs (the user's object ID), which the original
// == form silently compared against instead of setting.
| extend UserKey = tolower(UserPrincipalName)
| distinct UserKey);
SigninLogs
| where TimeGenerated > ago(start_time)
| where ResultType == 0
| extend UserKey = tolower(UserPrincipalName)
| where UserKey !in (active_users)
| summarize LastLogIn=max(TimeGenerated) by UserDisplayName, UserPrincipalName
| sort by LastLogIn desc
3 Replies
- Clive_Watson (Bronze Contributor):
Rules are limited to a 14-day lookback for performance reasons.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom...
Set "Lookup data from the last" to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
- isurudiv (Copper Contributor): Thanks Clive. I'll look into alternatives.
- Clive_Watson (Bronze Contributor): One option to work around this is
Tiander did a great webcast here: https://www.youtube.com/watch?v=G6TIzJK8XBA&t=3152s – watch it all but the "14 days use case" starts at 42min
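One way to keep an inactive-account check inside the 14-day rule lookback discussed above, as an added example that is not the query from the thread and not the workaround from the webcast: compare a list of accounts that are expected to sign in against the successful sign-ins the rule can actually see. It assumes a Watchlist named TenantUsers with a UserPrincipalName column (both hypothetical names), and it can only express "no sign-in for the whole 14-day window", not 45 days.

```kql
// Added example, not the query from the thread or the webcast's workaround.
// Assumes a Sentinel Watchlist named 'TenantUsers' (hypothetical) whose
// UserPrincipalName column lists the accounts expected to sign in.
// The rule's "Lookup data from the last" setting caps raw data at 14 days,
// so the inactivity threshold is expressed in that window, not 45 days.
let lookback = 14d;
// Accounts expected to be active, keyed on lowercased UPN so that
// case differences between the watchlist and SigninLogs do not matter.
let expected_users =
    _GetWatchlist('TenantUsers')
    | project UserKey = tolower(UserPrincipalName);
// Accounts with at least one successful sign-in inside the lookback.
let recently_active =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0
    | project UserKey = tolower(UserPrincipalName)
    | distinct UserKey;
// Expected accounts with no successful sign-in anywhere in the window.
// AccountUPN is kept as a plain column so the rule can map it to the
// Account entity.
expected_users
| where UserKey !in (recently_active)
| extend AccountUPN = UserKey
```

Schedule the rule with "Lookup data from the last" set to 14 days; any account in the result has had no successful sign-in for the entire window the rule was allowed to read.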