You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.

In Microsoft Sentinel with UEBA enabled, user-enrichment data about identities (such as Department , Title , and Account/SID mappings ) is written t o the IdentityInfo table. Microsoft guidance recommends joining your security telemetry (for example, SecurityEvent ) with IdentityInfo to filter or scope results by organizational attributes like department. To meet the requirement “only include security-s ensitive actions by users that are NOT members of the IT department” , you enrich the Windows security events with IdentityInfo and then filter Department !~ " IT " (or equivalent).

To minimize noise and duplicated rows when joining many-to-one identity recor ds, Sentinel KQL best practices recommend using join kind=innerunique . This join returns at most one matching row from the right table for each row on the left, which helps reduce false positives that can arise from duplicate or stale identity records whil e still ensuring matches are required (i.e., inner ). After enriching, you continue your query logic (for example, restricting to Server1 and the subset of security-sensitive event IDs or an UEBA-derived mapping) to identify only the relevant actions.

There fore, the correct completions are to use join kind=innerunique and join to IdentityInfo to apply the department filter and lower false positives.