I am trying to trigger the following KQL query in a custom scheduled Analytics Rule...
It is to identify ANY Global Administrator and verify if they have committed any activity (Sign-in) over the last 24 hours.
Simple testing is to get a Global Administrator to sign in within the last 24 hours.
Now the query triggers and returns records when run in the Logs pane...
What I have noticed is that when activated in a custom-scheduled Analytics Rule, it fails to return records!
Now the time range set for the analytics rule (query frequency & lookback duration) aligns properly with the query logic or any log ingestion delay.
Query scheduling:
Run query every: 1 day
Lookup data from the last: 1 day
The funny thing is, when testing the KQL query in the Analytics Rule and Set rule logic/View query results, if the FIRST ATTEMPT returns no results (in the simulation), after repeatedly testing (clicking the test link), it DOES return records!
Why is there a time-lag? How can I ensure the query triggers correctly, returning records accordingly, and related Incidents?
This is the KQL query...
// Privileged roles to look for
let PrivilegedRoles = dynamic(["Global Administrator"]);
// Latest IdentityInfo snapshot per account, restricted to accounts holding a privileged role
let PrivilegedIdentities =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | where AssignedRoles in~ (PrivilegedRoles)
    | extend lc_AccountUPN = tolower(AccountUPN)
    | summarize AssignedRoles = make_set(AssignedRoles)
        by AccountObjectId, AccountSID, lc_AccountUPN, AccountDisplayName, JobTitle, Department;
// Sign-ins in the last 24 hours by those accounts (UPN match is case-insensitive)
SigninLogs
| where TimeGenerated > ago(1d)
| extend lc_UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner PrivilegedIdentities on $left.lc_UserPrincipalName == $right.lc_AccountUPN
| project
    TimeGenerated,
    AccountDisplayName,
    AccountObjectId,
    lc_AccountUPN,
    lc_UserPrincipalName,
    AppDisplayName,
    ResultType,
    ResultDescription,
    IPAddress,
    LocationDetails
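As an added example (not the poster's query), the same detection rewritten so that the time window is evaluated on when a record arrived in the workspace (`ingestion_time()`) rather than on when the sign-in occurred (`TimeGenerated`): a sign-in that happened inside the last 24 hours but was ingested late can otherwise fall outside a 1-day lookback aligned to event time, which is one way a query can return rows in the Logs pane but nothing in the scheduled run. The `ingestionDelay` value and the IdentityInfo caveat are assumptions to verify against your own workspace.

```kql
// Added example: window on ingestion time so late-arriving sign-ins are still seen
// by the scheduled rule. Assumption: the rule's lookback is set to at least
// lookback + ingestionDelay, otherwise Sentinel trims the window before this runs.
let lookback = 1d;
let ingestionDelay = 1h;   // assumed upper bound on ingestion lag; tune per workspace
let PrivilegedRoles = dynamic(["Global Administrator"]);
let PrivilegedIdentities =
    IdentityInfo
    // Caveat: the rule's lookback also bounds this table. If the newest IdentityInfo
    // row for an admin predates the window, the join below yields nothing even though
    // the sign-ins exist; check the age of IdentityInfo rows when a rule goes quiet.
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles to typeof(string)
    | where AssignedRoles in~ (PrivilegedRoles)
    | extend lc_AccountUPN = tolower(AccountUPN)
    | summarize AssignedRoles = make_set(AssignedRoles)
        by AccountObjectId, AccountSID, lc_AccountUPN, AccountDisplayName, JobTitle, Department;
SigninLogs
// Filter on arrival time, not event time, so a delayed batch is not silently skipped.
| where ingestion_time() > ago(lookback + ingestionDelay)
| extend IngestedAt = ingestion_time(),
         IngestionLag = ingestion_time() - TimeGenerated   // useful for tuning ingestionDelay
| extend lc_UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner PrivilegedIdentities on $left.lc_UserPrincipalName == $right.lc_AccountUPN
| project TimeGenerated, IngestedAt, IngestionLag, AccountDisplayName, AccountObjectId,
          lc_AccountUPN, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails
```

Running this in the Logs pane and sorting by `IngestionLag` shows how far behind event time your SigninLogs actually arrive, which is the number the rule's lookback has to cover.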