Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
I created a query in Sentinel for unfamiliar sign-in. The Logic App flow works well, but the issue is that this query sometimes returns 2 or more different events at the same time under the same incident number instead of one. And other times it will return one event like it should. How can I fix it to always return just one event per incident? Here is the query.
Thank you all for your help.
// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2024-08-27T17:02:59.2030482Z);
// Risky sign-ins from the last 24h, one row per (user, IP, location, client, app, risk types) combination.
// Note: this variable is never referenced by the final statement below, so it has no effect on the output.
let signin =
    SigninLogs
    | where TimeGenerated > ago(24h)
    | extend SigninTime = TimeGenerated
    // Comparing a column with itself is always true; this filter removes nothing.
    | where UserPrincipalName =~ UserPrincipalName
    | where RiskEventTypes_V2 != "[]"
    | summarize
        FirstSeen = min(TimeGenerated),
        LastObserved = max(TimeGenerated),
        // count() takes no arguments; countif() counts the rows matching a predicate.
        // ResultType is a string column in SigninLogs, so compare against "0".
        SuccessfullCount = countif(ResultType == "0"),
        FailureCount = countif(ResultType != "0")
    by
        UserPrincipalName,
        IPAddress,
        Location,
        UserAgent,
        ClientAppUsed,
        AppDisplayName,
        RiskEventTypes_V2;
// Final statement: real-time risk detections joined to the raw SigninLogs table on CorrelationId.
// An inner join emits one output row per matching pair, so when several SigninLogs rows (or several
// AADUserRiskEvents rows) share one CorrelationId, a single detection produces several rows.
AADUserRiskEvents
| where TimeGenerated > ago(24h)
| extend RiskTime = TimeGenerated
| where DetectionTimingType == "realtime"
| join kind=inner SigninLogs on CorrelationId
// Columns present on both sides get a "1" suffix for the right (SigninLogs) copy, hence UserDisplayName1.
| project UserDisplayName1, IpAddress, AppDisplayName, UserAgent, Location, RiskEventType
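The following is an added example and not the poster's query: it shows how to make each side of the join unique on CorrelationId before joining, and then collapse the result to one row per sign-in. Column names are taken from the posted query and the SigninLogs / AADUserRiskEvents tables; the 24h lookback and the "realtime" filter are kept from the post. The assumption that a detection can appear more than once under the same Id (for example as its RiskState changes) is handled defensively rather than relied on.

```kql
// Added example (not the original post's code). Assumes the standard Sentinel
// SigninLogs and AADUserRiskEvents schemas; the lookback value is an assumption.
let lookback = 24h;
// Sign-in side: several SigninLogs rows can share one CorrelationId (for example
// first-factor and MFA steps of the same attempt). Keep the latest row per
// CorrelationId so this side contributes at most one row to the join.
let signin =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, UserPrincipalName, IPAddress, Location, UserAgent,
                        ClientAppUsed, AppDisplayName, ResultType) by CorrelationId
    | project-rename SigninTime = TimeGenerated;
// Risk side: if a detection (same Id) is logged more than once, keep only its latest row.
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
| where DetectionTimingType == "realtime"
| summarize arg_max(TimeGenerated, *) by Id
| project-rename RiskTime = TimeGenerated
| join kind=inner signin on CorrelationId
// Several distinct detections (different Id, different RiskEventType) can still refer to
// the same sign-in. Collapse them to one row per CorrelationId, keeping the most recent
// detection's columns and the full set of risk event types seen for that sign-in.
| summarize arg_max(RiskTime, *), RiskEventTypes = make_set(RiskEventType) by CorrelationId
// Name clashes from the sign-in side carry a "1" suffix (Location1, UserPrincipalName1).
| project RiskTime, SigninTime, UserDisplayName, UserPrincipalName, RiskEventTypes,
          RiskLevel, RiskState, IpAddress, IPAddress,
          RiskLocation = Location, SigninLocation = Location1,
          AppDisplayName, ClientAppUsed, UserAgent, ResultType
| order by RiskTime desc
```

Because the result is unique on CorrelationId, the analytics rule gets exactly one row per risky sign-in in each run. Separately from the query, check the rule's "Event grouping" setting: "Trigger an alert for each event" creates one alert per row, while "Group all events into a single alert" puts every row returned by a run into one alert, which is the other place a single incident can end up carrying several events.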