Updated IdentityInfo distinct case sensitive AccountUpn (from UPN) #13740
Hi @AntoPorter, please resolve KQL validation failure. Thanks!

So in the schema used by the repo’s validator, IdentityInfo does not contain AccountUpn; it contains AccountUPN (uppercase UPN). This matches the Log Analytics / Sentinel table reference where the column is documented as AccountUPN. At the same time, in Defender XDR Advanced Hunting (unified IdentityInfo schema) the column is documented as AccountUpn (lowercase pn). So the validator is doing its job: in this repo context, AccountUpn is “unknown”, therefore the PR fails tests. The issue is that this query is only available to be run within Defender XDR's advanced hunting, as the table only exists within Defender, and does not reflect within Sentinel/Log Analytics Workspace. The check is then failing against the Log Analytics Query. This mismatch is a known pain point because KQL is case-sensitive, and the IdentityInfo schema differs depending on whether you’re querying Sentinel Log Analytics versus Defender portal Advanced Hunting/unified schema.
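
Added example, not part of the PR or of any comment in this thread: a KQL query that reads the UPN under either column spelling named above, using `column_ifexists()` and `coalesce()`. The `datatable` rows are constructed stand-ins for the two schemas, and the thread does not establish whether the repo's validator accepts this form.

```kql
// Constructed stand-in rows. The two column spellings are the ones named in
// the comment above; the values are sample data, not real accounts.
let SentinelShape = datatable(AccountUPN:string) [
    "alice@contoso.example",
    "alice@contoso.example"
];
let DefenderShape = datatable(AccountUpn:string) [
    "bob@contoso.example"
];
// Swap SentinelShape for DefenderShape (or for the real IdentityInfo table)
// and the query body stays the same.
SentinelShape
// column_ifexists() returns the named column when the schema has it and the
// default ("") otherwise, so a column name that is unknown in this schema
// does not fail name resolution.
// coalesce() then keeps the first non-empty string of the two.
| extend Upn = coalesce(
    column_ifexists("AccountUpn", ""),
    column_ifexists("AccountUPN", ""))
| where isnotempty(Upn)
| distinct Upn
```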

Hi @AntoPorter, got it. Thanks!

What are the next steps for this? I am unable to merge due to the failed check.



Change(s):
Reason for Change(s):
Version Updated:
Testing Completed: