Mar 10 2021 08:59 PM
Hi all,
I need help with a query, which will be used for a (Sentinel) analytics rule. The purpose of this alert rule is to check for logons to disabled accounts in the last day and only show results when that account was disabled >30 days ago.
This is what I've made so far:
let DisabledAccount = SecurityEvent
| where EventID == "4725" // EventID 4725 = User disabled in AD
| where TimeGenerated > ago(30d) // Disabling of account should be more than 30 days ago.
| where SubjectUserName !endswith "$" and TargetUserName !endswith "$" // Filter out share accounts.
| project DisabledOnDate = TimeGenerated, TargetUserName, UserDisabledBy = SubjectUserName ;
let LogonWithDisabledAccount = SecurityEvent
| where TimeGenerated > ago(1d) // Logon with disabled account should be in the last 1 day.
| where EventID == "4768" and Status contains "0x12" // EventID 4768 = logon on disabled account
| where SubjectUserName !endswith "$" // Filter out share accounts.
| project LogonTime = TimeGenerated, TargetUserName, Observer = Computer ;
DisabledAccount
| join ( LogonWithDisabledAccount ) on TargetUserName
| project LogonTime, TargetUserName, UserDisabledBy, DisabledOnDate, Observer
I've tried running each of the sections of this code and they give back results. But once I run the whole query, including the join, it gives back that no results have been found for the selected time range, which is set to "In query" by the way.
Can you help me out?
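A corrected version of the query above, added here as an example and not the poster's code or the thread's answer: the disable-event filter is inverted (the comment says "more than 30 days ago" but `TimeGenerated > ago(30d)` selects the last 30 days), so the rewrite uses a lookback that ends 30 days ago and also excludes accounts that were re-enabled (4722) after being disabled. It assumes the same SecurityEvent columns as the question and a workspace that retains at least 90 days of SecurityEvent data; a scheduled analytics rule caps how far back its query can look, so in production the long-lived disabled-account list may need to come from a watchlist instead.

```kql
// Added example, not the poster's query. Assumes the SecurityEvent table and the
// column names used in the question, and >= 90 days of retained SecurityEvent data.
let lookback = 90d;   // must be longer than min_age, or no disable event can ever qualify
let min_age  = 30d;   // the account must have been disabled at least this long ago
let DisabledAccount = SecurityEvent
    // window ends 30 days ago: disable events newer than that are deliberately excluded
    | where TimeGenerated between (ago(lookback) .. ago(min_age))
    | where EventID == 4725                                              // user account disabled
    | where SubjectUserName !endswith "$" and TargetUserName !endswith "$" // drop computer accounts
    | summarize arg_max(TimeGenerated, SubjectUserName) by TargetUserName // keep latest disable per account
    | project DisabledOnDate = TimeGenerated, TargetUserName, UserDisabledBy = SubjectUserName;
let ReEnabled = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4722                                              // user account enabled
    | summarize ReEnabledOn = max(TimeGenerated) by TargetUserName;
let LogonWithDisabledAccount = SecurityEvent
    | where TimeGenerated > ago(1d)                                      // logon attempts in the last day
    | where EventID == 4768 and Status contains "0x12"                   // TGT request rejected: credentials revoked
    | where TargetUserName !endswith "$"
    | project LogonTime = TimeGenerated, TargetUserName, Observer = Computer;
LogonWithDisabledAccount
| join kind=inner DisabledAccount on TargetUserName
| join kind=leftouter ReEnabled on TargetUserName
// ignore accounts whose most recent enable came after the disable we matched on
| where isnull(ReEnabledOn) or ReEnabledOn < DisabledOnDate
| project LogonTime, TargetUserName, UserDisabledBy, DisabledOnDate, Observer
```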
Mar 12 2021 01:46 AM
Solution