SOLVED

Sentinel query works in Logs but not as an Analytics Rule

Copper Contributor

Hi, I have a strange occurrence where a KQL query does not return any results when it's saved as an Analytics Rule. But when the KQL is copied to the Logs, it returns data. Below is the query. 

I'm simply trying to find out the users who have not logged into the tenant for the last 45 days and generate an alert.

let start_time = 90d;
let inactive_days = 45d;
// Users with at least one successful sign-in in the last 45 days
let active_users = (
    SigninLogs
    | where TimeGenerated > ago(inactive_days)
    | where ResultType == 0
    | extend UserId = tolower(UserPrincipalName)
    | distinct UserId);
// Everyone who signed in successfully in the last 90 days but is not in active_users
SigninLogs
| where TimeGenerated > ago(start_time)
| where ResultType == 0
| extend UserId = tolower(UserPrincipalName)
| where UserId !in (active_users)
| summarize LastLogIn=max(TimeGenerated) by UserDisplayName, UserPrincipalName
| sort by LastLogIn desc
3 Replies
best response confirmed by isurudiv (Copper Contributor)
Solution

@isurudiv 


Rules are limited to a 14-day lookback for performance reasons.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom


...

Set "Lookup data from the last" to determine the time period of the data covered by the query - for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.

One option to work around this is

Tiander did a great webcast here: https://www.youtube.com/watch?v=G6TIzJK8XBA&t=3152s – watch it all but the "14 days use case" starts at 42 min
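One way to express that workaround in KQL, added here as an example (it is not from the thread or the webcast): leave the rule's own lookup at the 14-day maximum and take the older sign-in history from a watchlist instead of from SigninLogs. The watchlist name UserLastSignin and its columns UserPrincipalName and LastSignIn are assumptions; something outside the rule has to keep it refreshed, for instance a periodic export of the 90-day query run from the Logs blade, which is not capped at 14 days.

```kql
// Added example, not from the thread. Assumes a watchlist "UserLastSignin"
// (hypothetical) with columns UserPrincipalName and LastSignIn, refreshed
// outside the rule. The rule's "Lookup data from the last" is set to 14 days,
// so SigninLogs is only read over that window.
let inactive_days = 45d;
let rule_window = 14d;   // matches the rule's maximum lookup period
union
    // Successful sign-ins the rule is allowed to see
    (SigninLogs
        | where TimeGenerated > ago(rule_window)
        | where ResultType == 0
        | project UserId = tolower(UserPrincipalName), LastSignIn = TimeGenerated),
    // Historical baseline carried in the watchlist (older than 14 days)
    (_GetWatchlist('UserLastSignin')
        | project UserId = tolower(UserPrincipalName), LastSignIn = todatetime(LastSignIn))
// Newest sign-in per user across both sources
| summarize LastSignIn = max(LastSignIn) by UserId
// Anyone whose newest sign-in is older than 45 days is dormant
| where LastSignIn < ago(inactive_days)
| project UserId, LastSignIn
| sort by LastSignIn asc
```

Because the 14-day window only ever adds newer sign-ins, a user who appears in the watchlist with an old LastSignIn and has no recent successful sign-in keeps the old value and is reported; a user with a fresh sign-in is dropped by the final filter. Users missing from the watchlist are judged on the 14 days alone, so the watchlist refresh is what determines how accurate the 45-day boundary is.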
Thanks Clive. I'll look into alternatives.