Feb 07 2022 11:07 PM - edited Feb 07 2022 11:08 PM
Hi, I have a strange occurrence where a KQL query does not return any results when it's saved as an Analytics Rule. But when the KQL is copied to the Logs, it returns data. Below is the query.
I'm simply trying to find out the users who have not logged into the tenant for the last 45 days and generate an alert.
let start_time = 90d;
let inactive_days = 45d;
// Users with at least one successful sign-in in the last 45 days.
// Key on the lower-cased UPN on both sides of the comparison; the built-in
// SigninLogs.UserId column holds the object ID, not the UPN, so it is not reused here.
// ResultType is a string column, so the success code is compared as "0".
let active_users = (
SigninLogs
| where TimeGenerated > ago(inactive_days)
| where ResultType == "0"
| extend UserKey = tolower(UserPrincipalName)
| project UserKey);
SigninLogs
| where TimeGenerated > ago(start_time)
| where ResultType == "0"
| extend UserKey = tolower(UserPrincipalName)
| where UserKey !in (active_users)
| summarize LastLogIn=max(TimeGenerated) by UserDisplayName, UserPrincipalName
| sort by LastLogIn desc
Feb 08 2022 01:38 AM
Solution
Rules are limited to a 14-day lookback for performance reasons.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
...
Set "Lookup data from the last" to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
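Added example, not from the original thread: the 14-day cap explains the empty result. Inside a scheduled rule both ago(90d) and ago(45d) are clipped to the same 14-day window, so every account with a successful sign-in lands in active_users and is then excluded by the !in, leaving nothing to alert on. A 45-day inactivity threshold therefore cannot be evaluated in a scheduled analytics rule and belongs in a hunting query run from Logs or in a Logic App on a recurrence trigger. The query below keeps the detection inside the cap by taking the list of accounts that should be active from a Sentinel watchlist instead of from 90 days of SigninLogs history. The watchlist alias MonitoredUsers and its UserPrincipalName column are assumptions for the example.

```kql
// Added example: watchlist accounts with no successful sign-in in the rule's window.
// Assumes a watchlist with alias MonitoredUsers and a UserPrincipalName column (hypothetical).
let lookback = 14d;   // the largest "Lookup data from the last" a scheduled rule accepts
let monitored = _GetWatchlist('MonitoredUsers')
    | extend UserPrincipalName = tostring(UserPrincipalName)
    | extend UserKey = tolower(UserPrincipalName)
    | project UserKey, UserPrincipalName;
let seen = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                       // ResultType is a string column
    | extend UserKey = tolower(UserPrincipalName)
    | summarize LastLogIn = max(TimeGenerated) by UserKey;
monitored
| join kind=leftanti seen on UserKey               // keep only accounts never seen in the window
| project UserPrincipalName, WindowDays = toint(lookback / 1d)
| sort by UserPrincipalName asc
```

When this is saved as a scheduled rule, set both the run frequency and "Lookup data from the last" to 14 days or less and map UserPrincipalName to the Account entity; the result set is the list of watchlist accounts with zero successful sign-ins in the window, which is the 14-day version of the question's 45-day check.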