Query Details
# Detection Enrichment - Entra User

## Query Information

#### Description

Sentinel Data Lake job to write an aggregated table of Entra users to the Log Analytics workspace (LAW) for filtering/enrichment in detections and automations.

#### References

- https://learn.microsoft.com/en-us/azure/sentinel/datalake/enable-data-connectors

## Sentinel

```KQL
EntraUsers
| where TimeGenerated > ago(3d)
| summarize arg_max(TimeGenerated, *) by id
| project-away _*
| project-rename ObjectId = id
```
This KQL (Kusto Query Language) query builds an enriched dataset of Entra users for use in Microsoft Sentinel, a security information and event management (SIEM) system. A breakdown of what the query does:

- Data source: it reads the `EntraUsers` table, which contains information about users.
- Time filter: it keeps only records generated in the last three days (`TimeGenerated > ago(3d)`).
- Aggregation: `summarize arg_max(TimeGenerated, *) by id` keeps, for each user ID (`id`), the single most recent record, so only the latest information for each user is retained.
- Column management:
  - `project-away _*` removes every column whose name starts with an underscore; these are system-generated and not needed for the intended use.
  - `project-rename ObjectId = id` renames the `id` column to `ObjectId` for clarity and for consistency with other datasets.

In summary, this query produces a streamlined, up-to-date list of Entra users, retaining only the most recent record for each user, and prepares it for use in security detections and automations within Microsoft Sentinel.
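As an added example (not part of the original page or the author's query), the following KQL shows how a detection could consume the aggregated user table once the job has written it to the workspace. The destination table name `EntraUsers_Enriched_CL` and the user property columns `userPrincipalName`, `accountEnabled` and `department` are assumptions; the page does not state the job's output table name or schema.

```kql
// Added example: enrich successful sign-ins with the aggregated Entra user table.
// Assumptions (not from the page): the data lake job writes to a custom table
// named EntraUsers_Enriched_CL, and that table carries the Graph user properties
// userPrincipalName, accountEnabled and department alongside ObjectId.
let lookback = 1h;
let EnrichedUsers =
    EntraUsers_Enriched_CL
    // The job may have run more than once; keep one row per user, the newest.
    | summarize arg_max(TimeGenerated, *) by ObjectId
    | project ObjectId, userPrincipalName, accountEnabled, department;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                              // successful sign-ins only (ResultType is a string column)
| join kind=leftouter EnrichedUsers on $left.UserId == $right.ObjectId
| extend UserKnownToEntra = isnotempty(ObjectId)
// Surface successes for accounts that are disabled in Entra, or that have no
// matching user object in the enrichment table; both deserve a closer look.
| where UserKnownToEntra == false or accountEnabled == false
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, AppDisplayName,
          UserKnownToEntra, accountEnabled, department
```

The `leftouter` join keeps sign-ins with no matching user object rather than silently dropping them, which is why the `UserKnownToEntra` flag is derived from the right-hand `ObjectId` after the join; an `inner` join would hide exactly the rows this check is meant to surface.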

Bert-Jan Pals
Released: February 11, 2026