You have an Azure subscription that contains the following resources:• A virtual machine named VM1...

To detect sign-ins to VM1 by users outside the IT department while leveraging UEBA, you should enrich Windows security events with identity attributes from UEBA’s enrichment tables. In Microsoft Sentinel, UEBA writes organizational attributes (e.g., Department, Title, AAD object IDs/SIDs) to the IdentityInfo table. Joining SecurityEvent (Event IDs 4624/4625) with IdentityInfo on the user SID lets you filter with where Department != "IT"—meeting the requirement to utilize UEBA results.

For performance and fewer false positives, use join kind=inner. An inner join only returns rows where the user in SecurityEvent has a corresponding identity record in IdentityInfo, avoiding unmatched and potentially noisy events. Options like fullouter would introduce non-matching rows (increasing noise), and anti would return only unmatched rows (the opposite of what’s needed).

BehaviorAnalytics contains anomaly scores/events rather than static attributes like department, and SigninLogs is raw AAD sign-in telemetry (not the UEBA-enriched identity inventory needed for department filtering). Therefore, IdentityInfo is the correct enrichment source.

Thus, to satisfy use UEBA, maximize performance, and minimize false positives: join kind=inner with IdentityInfo and then filter Department != "IT".