Forum Discussion
Qusai_Ismail
May 18, 2022, Copper Contributor
Analytic rule does not display an incident while in Hunting there are events.
Hello,
There is a problem with an analytic rule I have created to correlate ThreatIntelligenceIndicator with DeviceNetworkEvents. When I run the KQL query of the analytic rule in Log Hunting, there are events in the result, as shown in the photo.
But when I tried to simulate the results from the analytic rule configuration, no data appeared.
Also, when I clicked on "View query results", no result data appeared either, but as shown, the time range is changed to "Custom" by default.
When I changed the time range to "Set in query", result data appeared.
Are there any changes I should make so that the event is simulated as an incident in the analytic rule?
Thank you.
8 Replies
- Jonhed, Steel Contributor: How did you set up the Query Scheduling and Alert threshold? Also, is this a regular analytics rule, or is it an NRT rule?
- Qusai_Ismail, Copper Contributor: Hi, it's a regular analytics rule.
- JKatzmandu, Copper Contributor: IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.
// FW_DATA_Table_or_Function, Dst_IP, Src_IP, Dst_Port and Protocol stand in for the poster's own firewall table/function and its columns
ThreatIntelligenceIndicator
| where NetworkIP != ""                       // only indicators that carry an IP
| join (
    FW_DATA_Table_or_Function
    | where TimeGenerated >= now() - 1d       // explicit event window on the firewall side
    | project-rename NetworkIP = Dst_IP       // same key name on both sides of the join
) on NetworkIP
// both sides have TimeGenerated, so the firewall-side copy comes out of the join as TimeGenerated1
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol
| sort by TimeGenerated1 desc
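The symptom in the original post (results in Logs with "Set in query", nothing in the rule's simulation) usually comes from the rule's "Lookback data from the last" setting: it bounds the time window the scheduled query runs over for every table in the query, and a where TimeGenerated filter inside the query can narrow that window but not widen it. Threat-intelligence indicators are typically ingested into ThreatIntelligenceIndicator days before a matching connection happens, so a rule that looks back one hour finds no indicators to join against. The query below is an added example in the shape of Microsoft's "TI map" rule templates, not code from this thread or from either poster: it sets a long window for the indicator side and a short one for the event side, and relies on the rule's lookback being set to at least ioc_lookBack (14 days, the maximum a scheduled rule allows). The dt_lookBack and ioc_lookBack names and the DeviceNetworkEvents_TimeGenerated alias are this example's own choices; the table and column names are the standard ones for the two tables.

```kql
// Added example, not from the original thread. Assumes the rule's
// "Lookback data from the last" is set to at least ioc_lookBack (14d) and the
// standard schemas of ThreatIntelligenceIndicator and DeviceNetworkEvents.
let dt_lookBack  = 1h;   // event window: match this to the rule's run frequency
let ioc_lookBack = 14d;  // indicator window: indicators are often ingested days earlier
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(NetworkIP)
// indicators are re-ingested when they are updated; keep only the latest copy of each
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// drop indicators that have been deactivated or have expired
| where Active == true and ExpirationDateTime > now()
| join kind=innerunique (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(RemoteIP)
    // give the join key the same name on both sides, and keep the event time under
    // a name the join will not rename to TimeGenerated1
    | extend NetworkIP = RemoteIP, DeviceNetworkEvents_TimeGenerated = TimeGenerated
) on NetworkIP
| project DeviceNetworkEvents_TimeGenerated, DeviceName, LocalIP, NetworkIP, RemotePort,
          ActionType, InitiatingProcessFileName,
          IndicatorId, Description, ThreatType, ConfidenceScore, ExpirationDateTime
| sort by DeviceNetworkEvents_TimeGenerated desc
```

In the rule wizard this pairs with "Run query every" 1 hour and "Lookback data from the last" 14 days; with the lookback shorter than ioc_lookBack the indicator side of the join comes back empty and the simulation shows nothing, which is the behaviour described above. Map NetworkIP to the IP entity and DeviceName to the Host entity in the rule's entity mapping so the resulting incident carries both. The kind=innerunique join matches each indicator IP once, so one connection to a listed IP produces one row rather than one row per duplicate indicator record.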