This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 73%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I am trying to create Custom Detection in Microsoft Security Center where my query has multiple Join and summarize statements.
Whenever I am running query its providing results but after saving in Custom Detection form and under its results section its giving below message, although I already have Timestamp, ReportId, DeviceId as an output coming.
"No events match the given event identifiers (a combination of ReportId, AlertId, BehaviorId, or DeviceId and Timestamp). Edit the query's aggregation expressions for these columns and try again."
Can anyone help me to understand how I can fix the above issue?
Your suggestion helped me to update my query which I posted above. Thanks for your support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Ankush Kumar Thank you for reaching out to us, for better understanding of the issue, if you can share the screenshot/query which you are trying to execute.
DeviceLogonEvents
| where Timestamp >=ago(1d)
| where ActionType=="LogonSuccess" and LogonType=="Interactive"
| extend parsing=parse_json(AdditionalFields)
| extend LocalLogon=parsing["IsLocalLogon"]
| where LocalLogon=="true"
| summarize count(), Timestamp=max(Timestamp) by DeviceName, AccountName, DeviceId, ReportId
| project DeviceName, AccountName, DeviceId, ReportId, Timestamp
| join kind=inner (DeviceInfo
| where Timestamp >=ago(1d)
| where MachineGroup=="Joomla"
| project MachineGroup, DeviceName, Timestamp, DeviceId, ReportId) on DeviceName
| join kind=inner (DeviceNetworkInfo
| where Timestamp >=ago(1d)
| where NetworkAdapterType startswith "Wireless" and ConnectedNetworks !=""
| extend SSID=todynamic(ConnectedNetworks)
| mvexpand SSID
| extend SSID=tostring(SSID.Name)
| where SSID contains "Jumbo"
| summarize count() by DeviceName, SSID, Timestamp,ReportId, DeviceId
| project DeviceName, SSID, Timestamp, ReportId, DeviceId) on DeviceName
| project DeviceName, AccountName, SSID, Timestamp, ReportId, DeviceId
| summarize dc_devices=dcount(DeviceName), DeviceName=max(DeviceName), ReportId=max(ReportId), Timestamp=max(Timestamp), DeviceId=max(DeviceId) by AccountName, SSID
| where dc_devices>=5
@Ankush Kumar Thank you for sharing the query, checking internally on this issue, however I used one of our internal AI tool to review your ask, here is the response, would recommend checking if the below response helps to resolve your issue, however I am checking internally as well to get more inputs on the error message you mentioned above.
The error message you are seeing indicates that the aggregation expressions for the columns ReportId, AlertId, BehaviorId, or DeviceId and Timestamp are not correct.
In your query, you are already selecting ReportId, DeviceId, and Timestamp in the final projection. However, you need to make sure that the aggregation expressions for these columns are correct in the summarize statements.
For example, in the first summarize statement, you are aggregating by DeviceName, AccountName, DeviceId, and ReportId. You are also selecting Timestamp using the max aggregation function. This is correct.
However, in the second summarize statement, you are aggregating by DeviceName, SSID, Timestamp, ReportId, and DeviceId. You are not selecting Timestamp using an aggregation function. You need to change this to Timestamp=max(Timestamp) to make sure that the aggregation expression is correct.
Similarly, in the final summarize statement, you are aggregating by AccountName and SSID. You are selecting ReportId and Timestamp using the max aggregation function. This is correct.
Once you have made these changes, you should be able to save the query as a Custom Detection in Microsoft Security Center without any issues.
Let me try this one; I will keep you posted about results. Many Thanks.
DeviceLogonEvents
| where Timestamp >=ago(1d)
| where ActionType=="LogonSuccess" and LogonType=="Interactive"
| extend parsing=parse_json(AdditionalFields)
| extend LocalLogon=parsing["IsLocalLogon"]
| where LocalLogon=="true"
| summarize count() by DeviceName, AccountName
| project DeviceName, AccountName
| join kind=inner (DeviceInfo
| where Timestamp >=ago(1d)
| where MachineGroup=="Joomla"
| project MachineGroup, DeviceName) on DeviceName
| join kind=inner (DeviceNetworkInfo
| where Timestamp >=ago(1d)
| where NetworkAdapterType startswith "Wireless" and ConnectedNetworks !=""
| extend SSID=todynamic(ConnectedNetworks)
| mvexpand SSID
| extend SSID=tostring(SSID.Name)
| where SSID contains "jumbo"
| summarize count(), Timestamp=max(Timestamp) by DeviceName, SSID,ReportId, DeviceId
| project DeviceName, SSID, Timestamp, ReportId, DeviceId) on DeviceName
| summarize dc_devices=dcount(DeviceName), DeviceName=max(DeviceName), ReportId=max(ReportId), Timestamp=max(Timestamp), DeviceId=max(DeviceId) by AccountName, SSID
| where dc_devices>=5
| summarize by dc_devices, DeviceName, ReportId, Timestamp, DeviceId, AccountName, SSID
@Ankush Kumar Noticed you changed the kusto query, did the above suggestion helped or still facing the issue?
yes your suggestion helped me to update my query which in the result solved my issue. I posted my updated query to help the community.
@Ankush Kumar Thats great, glad AI suggestion helped to resolve your issue, I have summarized our conversation as an answer to your question.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 80%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
I have a very similar (but probably simpler) query where I run into the same problem.
I actually only need an alarm if a user logs in several times (5 times a day) on his client as local admin
The following query works as a query, but not as a custom detection rule
DeviceLogonEvents
| where DeviceName startswith “NB”
| where ActionType==“LogonSuccess” and LogonType=="Interactive”
| extend parsing=parse_json(AdditionalFields)
| extend LocalLogon=parsing[“IsLocalLogon”]
| where LocalLogon=="true”
| where Timestamp > ago(1d)
| summarize LogonCount=count(), LatestTimestamp=max(Timestamp) by DeviceId, AccountName, bin(Timestamp, 1d), DeviceName
| where LogonCount >= 5
| where AccountName startswith “admin_”
| project DeviceId, DeviceName, AccountName, LatestTimestamp, LogonCount, ReportId = tostring(DeviceId), Timestamp = LatestTimestamp