Getting error: "has_any(): failed to cast argument 2 to scalar constant" even though the "argument 2" is dynamic/array.

Anonymous
2023-03-07T14:52:43.3133333+00:00

In the KQL below, I am getting the error: "has_any(): failed to cast argument 2 to scalar constant" even though the "argument 2" (i.e., disabledAccountSet) is dynamic/array.

Source of the KQL: Sign-ins from IPs that attempt sign-ins to disabled accounts

Does anyone have any workarounds?

let aadFunc = (tableName:string){
table(tableName)
| where ResultType == "50057"
| where ResultDescription == "User account is disabled. The account has been disabled by an administrator."
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(),
disabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName),
applicationSet = make_set(AppDisplayName) by IPAddress, Type
| order by disabledAccountLoginAttempts desc
| join kind= leftouter (
    // Consider these IPs suspicious - and alert any related  successful sign-ins
    table(tableName)
    | where ResultType == 0
    | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type
    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
    | where successfulAccountSigninCount < 100
) on IPAddress
// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, successfulAccountSigninCount, successfulAccountSigninSet, Type
| extend DestinationUserName = strcat_array(successfulAccountSigninSet, ", ")
| order by disabledAccountLoginAttempts
| extend timestamp = StartTime, IPCustomEntity = IPAddress
// If there were recent successful sign-ins to the disabled account, it would probably lead to a false positive alert
| where not(DestinationUserName has_any (disabledAccountSet))
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
Azure Monitor
Microsoft Security / Microsoft Sentinel

Accepted answer
  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-03-08T13:57:12.01+00:00

    Please try:

    //| where not(DestinationUserName has_any (disabledAccountSet))
    // set_difference() compares two dynamic arrays from the same row, so pass the
    // successfulAccountSigninSet column itself rather than the comma-joined
    // DestinationUserName string (todynamic() of that string is not an array)
    | extend found_ = set_difference(successfulAccountSigninSet, disabledAccountSet)
    // set_difference() returns a dynamic array; test its length instead of comparing to "[]"
    | where array_length(found_) > 0
    

    Update: Sorry, some details were missing from my initial answer. This I did for a previous use case, but you may have to adapt it (I wasn't able to test the solution).

    Let me know if this helps by "accepting" the answer.

    3 people found this answer helpful.
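The error in the question comes from a restriction of the operator itself: the right-hand side of has_any() must be a constant list (a dynamic literal) or a single-column tabular expression, never a column whose value changes from row to row, so a per-row set such as disabledAccountSet cannot be cast to the "scalar constant" the operator wants. The query below is an added example, not code from the question or from the accepted answer; it uses a constructed datatable (not real tenant data) with the column names from the question's query, and the names signinsByIp, perIp, tenantWide, disabledAccounts, overlap, upn and Method are my own. It shows the two ways the check can be written: a row-by-row comparison with set_intersect(), which matches what the original rule intended (an IP is dropped only if an account that signed in successfully from that IP is one of the disabled accounts targeted from the same IP), and has_any() fed a tabular expression, which is legal but compares against the tenant-wide set of targeted disabled accounts and therefore drops more rows.

```kusto
// Added example, not from the original question or answer.
// Constructed sample data: one row per source IP, the accounts that signed in
// successfully from it, and the disabled accounts it attempted to sign in to.
let signinsByIp = datatable(IPAddress:string, successfulAccountSigninSet:dynamic, disabledAccountSet:dynamic)
[
    "203.0.113.10", dynamic(["alice@contoso.com", "bob@contoso.com"]), dynamic(["carol@contoso.com"]),
    "203.0.113.11", dynamic(["dave@contoso.com"]),                     dynamic(["dave@contoso.com", "erin@contoso.com"]),
    "203.0.113.12", dynamic([]),                                        dynamic(["frank@contoso.com"]),
    // carol is a disabled account targeted from .10 but signs in successfully from .13
    "203.0.113.13", dynamic(["carol@contoso.com"]),                    dynamic(["gina@contoso.com"])
];
// 1) Per-IP check. has_any() cannot take the disabledAccountSet column as its list,
//    but set_intersect() compares two dynamic arrays from the same row, so it expresses
//    "no account that signed in successfully from this IP is in this IP's disabled set".
//    Note that this is an exact element match, whereas has_any() is a term match.
let perIp = signinsByIp
| extend overlap = set_intersect(successfulAccountSigninSet, disabledAccountSet)
| where array_length(overlap) == 0
| project Method = "set_intersect per IP", IPAddress,
          DestinationUserName = strcat_array(successfulAccountSigninSet, ", ");
// 2) Tenant-wide check. A single-column tabular expression is a valid right-hand side
//    for has_any(), so flatten every targeted disabled account into one list first.
let disabledAccounts = signinsByIp
| mv-expand upn = disabledAccountSet to typeof(string)
| distinct upn;
let tenantWide = signinsByIp
| extend DestinationUserName = strcat_array(successfulAccountSigninSet, ", ")
| where not(DestinationUserName has_any (disabledAccounts))
| project Method = "has_any with tabular set", IPAddress, DestinationUserName;
// Per-IP keeps .10, .12 and .13; tenant-wide keeps only .10 and .12,
// because carol@contoso.com appears in the global disabled set.
union perIp, tenantWide
| order by Method asc, IPAddress asc
```

For the Sentinel rule in the question, the per-IP form is the drop-in replacement for the failing line: replace `| where not(DestinationUserName has_any (disabledAccountSet))` with an `extend` of set_intersect(successfulAccountSigninSet, disabledAccountSet) followed by `where array_length(...) == 0`. Use the tabular has_any() form only if suppressing any IP that successfully signed in as an account disabled anywhere in the tenant is the behaviour you want.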

1 additional answer

  1. User989846-7900 1 Reputation point
    2023-03-21T10:44:21.2266667+00:00

    Hello,
    Have a look at this workaround also

