Query Details
// This query is too long to be in an Analytics Rule (more than 10.000 characters), so it had to be made a function that can be called by the rule.
// You can find the function in the next link, just try to define "query_frequency", "query_period" and "query_wait".
//
// https://github.com/ep3p/Sentinel_KQL/blob/main/Functions/Analytics-UnexpectedEntraIDDevice.kql
//
UnexpectedEntraIDDevice(query_frequency = 1h, query_period = 14d, query_wait = 1h)
This query detects unexpected devices accessing Entra ID (formerly Azure Active Directory) by calling a predefined KQL function. The three parameters passed to the function are:
query_frequency (1h): how often the Analytics Rule runs the query. Here it runs every hour.
query_period (14d): the lookback span over which data is analyzed. Here the function analyzes the past 14 days.
query_wait (1h): a delay applied before the analyzed window, so the query does not evaluate the most recent hour of data. This is likely there to ensure that all relevant data has been ingested and is available for analysis before it is checked.
Overall, the function identifies devices accessing Entra ID that are not expected based on historical access patterns, and it does so by running hourly checks against a 14-day lookback.
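The following KQL is an illustrative sketch added here, not the body of the ep3p function, showing how these three parameters typically carve the lookback into a baseline window and a recent detection window (the SigninLogs table and its columns are standard in Sentinel; the splitting logic and the exact baseline/detection comparison are assumptions):

```kql
// Illustrative sketch (added example, not the function body): how query_frequency,
// query_period and query_wait define the time windows of the detection.
let query_frequency = 1h;
let query_period = 14d;
let query_wait = 1h;
// The detection window is the last query_frequency, shifted back by query_wait
// so that late-arriving sign-in events have already been ingested.
let detection_window_end = ago(query_wait);
let detection_window_start = ago(query_wait + query_frequency);
// Baseline: devices each user successfully signed in from during the rest of the lookback
let _BaselineDevices = SigninLogs
    | where TimeGenerated between (ago(query_wait + query_period) .. detection_window_start)
    | where ResultType == "0"
    | extend DeviceId = tostring(DeviceDetail.deviceId)
    | where isnotempty(DeviceId)
    | distinct UserPrincipalName, DeviceId;
// Detection: successful sign-ins in the recent window from a device not in the user's baseline
SigninLogs
| where TimeGenerated between (detection_window_start .. detection_window_end)
| where ResultType == "0"
| extend DeviceId = tostring(DeviceDetail.deviceId)
| where isnotempty(DeviceId)
| join kind=leftanti _BaselineDevices on UserPrincipalName, DeviceId
| project TimeGenerated, UserPrincipalName, DeviceId, AppDisplayName, IPAddress
```

With the values shown, each hourly run compares the hour ending one hour ago against the preceding 14 days, so a device first seen inside the detection window but never seen in the baseline is surfaced for review.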

Jose Sebastián Canós
Released: June 23, 2025