Analytic rule does not tigger an incident in sentinel using watchlist

Occasional Contributor

Hello.

I have an issue with an analytic rule. This analytic read a watchlist to exclude some and show other users that remove other ones from specific groups.

 

 

 

let watchlst_ =_GetWatchlist('SS-PE-PAC-WL-Grp_Pacifico_MFA_BYOD_Users')
    | project SearchKey;
AuditLogs
| extend AccountID = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
| extend oldValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue)))
| extend newValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend newValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Afectado = tostring(TargetResources[0].userPrincipalName)
| where oldValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', ' Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel') or newValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', ' Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
| join kind = inner SigninLogs on $left.AccountID == $right.UserId
| where UserId !in~ (watchlst_)
| summarize
    by
    TimeGenerated,
    AccountUPN,
    Afectado,
    CorrelationId,
    oldValue_,
    newValue_,
    oldValueID_

 

 

 

 

Output:

MiguelCuba_1-1665585843606.png

 

Everything seems working fine until you deploy a sample test and this rule is not triggering an incident in Sentinel. Evenly when you go to "View query results" at the Set rule logic menu there are not results unless you change the time range manually and this alternative is not possible because this analytic rule has a query scheduling every 7 minutes.

MiguelCuba_2-1665586176656.pngMiguelCuba_3-1665586195670.png

 

2 Replies
The gap between Rows in the output screenshot is larger than 7mins. So, unless you have data within that lookback period there wouldn't be an alert.

Have you increased the "lookup data from the last" field as a test to 1d or something?

Hi @Clive_Watson 

Yes, actually I ran a sample test more than 7 minutes before I checked the Incidents blade.

MiguelCuba_0-1665589710566.png