Query Details

Multiple Entra ID Protection Risk Events

Query

// This query is too long to be in an Analytics Rule (more than 10,000 characters), so it had to be made a function that can be called by the rule.
// You can find the function at the next link; you only need to define "query_frequency" and "query_period".
//
// https://github.com/ep3p/Sentinel_KQL/blob/main/Functions/Analytics-EntraIDProtectionRiskEvents.kql
//
EntraIDProtectionRiskEvents(query_frequency = 5m, query_period = 2d)

Explanation

This query uses a predefined function called EntraIDProtectionRiskEvents to analyze risk events related to Entra ID Protection. The function is meant to be used inside an analytics rule, but because it exceeds the rule's length limit it is defined separately and can be retrieved from the link given in the query.

The function takes two parameters:

  • query_frequency: how often the analytics rule runs the query, here every 5 minutes (5m).
  • query_period: the time span of data the query looks back over on each run, here 2 days (2d).

In simple terms, this query is set up to frequently check for risk events in Entra ID Protection over the past two days, running every five minutes.
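The following is an added illustration of how a Sentinel function that takes these two parameters can be structured; it is not the author's function (whose actual logic is at the GitHub link above). It assumes the built-in AADUserRiskEvents table populated by the Entra ID Protection connector, uses query_period as the lookback window and query_frequency to emit only users with a new event since the last run, and is called with positional arguments.

```kql
// Added example, not the original function: a simplified pattern for a
// parameterized "multiple risk events per user" query in Microsoft Sentinel.
// Assumes the AADUserRiskEvents table from the Entra ID Protection connector.
let MultipleRiskEventsExample = (query_frequency:timespan, query_period:timespan) {
    AADUserRiskEvents
    // query_period: look back over the whole analysis window
    | where TimeGenerated > ago(query_period)
    // Only risk detections that are still open or confirmed by an admin
    | where RiskState in ("atRisk", "confirmedCompromised")
    | summarize
        EventCount = count(),
        RiskEventTypes = make_set(RiskEventType),
        RiskLevels = make_set(RiskLevel),
        SourceIPs = make_set(IpAddress),
        FirstEvent = min(TimeGenerated),
        LastEvent = max(TimeGenerated)
        by UserPrincipalName
    // "Multiple" = more than one distinct detection type in the period
    | where array_length(RiskEventTypes) > 1
    // query_frequency: alert only when a new event arrived since the last run,
    // so the same user is not re-alerted on every 5-minute execution
    | where LastEvent > ago(query_frequency)
    | project UserPrincipalName, EventCount, RiskEventTypes, RiskLevels, SourceIPs, FirstEvent, LastEvent
};
MultipleRiskEventsExample(5m, 2d)
```

Because the rule runs every 5 minutes but the summarize spans 2 days, a user who accumulates detections slowly still surfaces once the second type appears, without the rule repeatedly firing on the same history.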

Details

Jose Sebastián Canós

Released: September 17, 2025

Tables

EntraIDProtectionRiskEvents

Keywords

EntraIDProtectionRiskEvents
QueryFrequency
QueryPeriod

Operators

EntraIDProtectionRiskEvents
=