Issue with a analytical query

Question

How can i get this query to only return unique users within 3days range instead of repeating an alert with the same location after the first one is closed.

let timeframe = ago(3h);

let threshold = 2;

imAuthentication

| where TimeGenerated > timeframe

| where EventType == 'Logon'

  and EventResult == 'Success'

| where isnotempty(SrcGeoCountry)

| summarize

  StartTime        = min(TimeGenerated)

  , EndTime        = max(TimeGenerated)

  , Vendors        = make\_set(EventVendor, 128)

  , Products       = make\_set(EventProduct, 128)

  , NumOfCountries = dcount(SrcGeoCountry)

  , Countries      = make\_set(SrcGeoCountry, 128)

  by TargetUserId, TargetUsername, TargetUserType

| where NumOfCountries >= threshold

| extend

Name = iif(

    TargetUsername contains "@"

        , tostring(split(TargetUsername, '@', 0)[0])

        , TargetUsername

    ),

UPNSuffix = iif(

    TargetUsername contains "@"

    , tostring(split(TargetUsername, '@', 1)[0])

    , ""

)

entityMappings:

• entityType: Account fieldMappings:
  • identifier: Name columnName: Name
  • identifier: UPNSuffix columnName: UPNSuffix

Answer 1

Hello james kay1,

Thank you for posting in Microsoft Community forum.

From the description above, I understand your question is related to Microsoft Sentinel.

Since there are no engineers dedicated to Microsoft Sentinel in this forum. in order to be able to get a quick and effective handling of your issue, I recommend that you repost your question in the Q&A forum, where there will be a dedicated engineer to give you a professional and effective reply.

Here is the link for Q&A forum.
Questions - Microsoft Q&A

Click the "Ask a Question" button in the upper right corner to post your question and type "Microsoft Sentinel" tag and select any tags related to your productions.

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou