Qusai_Ismail
May 18, 2022 | Copper Contributor
Analytic rule does not display an incident while in hunting there are events.
Hello, there is a problem with an analytic rule I have created to correlate between ThreatIntelligenceIndicator & DeviceNetworkEvents. When I run the KQL query of the analytic in Log Hunting ther...
- JKatzmandu
May 18, 2022 | Copper Contributor
IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.
ThreatIntelligenceIndicator
| where NetworkIP != ""
| join (FW_DATA_Table_or_Function
| where TimeGenerated >= now()-1d
| project-rename NetworkIP = Dst_IP) on NetworkIP
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol
| sort by TimeGenerated1 desc
Jonhed
May 18, 2022 | Steel Contributor
How did you set up the Query Scheduling and Alert threshold?
Also, is this a regular analytics rule, or is it an NRT rule?
Qusai_Ismail
May 18, 2022 | Copper Contributor
Hi,
It's a regular analytics rule.
- Qusai_Ismail
May 23, 2022 | Copper Contributor
This is another example I'm trying to do.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(360d)
| where isnotempty(Url)
| join (EmailUrlInfo
| where TimeGenerated >= now()-1d) on Url
| join (EmailEvents | where TimeGenerated >= now()-1d) on NetworkMessageId
| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Url, DeliveryAction, DeliveryLocation
The analytic rule is for checking IOC URLs in EmailEvents that have URLs.
Analytic rule settings are:
Run query every: 5 minutes
Lookup data from the last: 1 day
When I tested the KQL query in Log hunting, there was an event in the result, but when I tried to test it in Analytics, the simulated result was empty and no incident was generated.
Thank you.
- JKatzmandu
May 23, 2022 | Copper Contributor
Swap the join around? I'm thinking the analytic rule test may be limiting things. So put your EmailEvents first with 1d, and then do a join to ThreatIntelligenceIndicator with ago(360) and it may work.
- Qusai_Ismail
May 23, 2022 | Copper Contributor
Thanks for your reply, but the time in the analytic rule setting is the same as I set in the query; both are 1h.
- Jonhed
May 18, 2022 | Steel Contributor
Could also have a look at these, as an example.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml
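As an added example (not code from anyone in the thread and not Microsoft's template), here is the May 23 email/URL correlation rewritten the way JKatzmandu suggests and the way the linked IPEntity_AzureFirewall template is shaped: the event tables sit on the left, bounded to the rule's short window, and a bounded, deduplicated indicator set is the joined side. The names `dt_lookBack`, `ioc_lookBack` and `ti_urls` and their values are assumptions; the indicator window has to fit inside the rule's "Lookup data from the last" setting, so a value as large as the 360d in the original query is not something a scheduled rule can be expected to honour.

```kql
// Added example, not from the thread. Lookback values are assumptions:
// dt_lookBack should match the rule's run frequency, ioc_lookBack must be
// covered by the rule's "Lookup data from the last" setting.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// Latest version of each URL indicator, keeping only ones still active and
// unexpired, so an indicator that was later deactivated does not match.
let ti_urls = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(Url)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, Url, Description, ThreatType, ConfidenceScore, LatestIndicatorTime;
// Event data first (short window), then join to the indicator set.
EmailUrlInfo
| where TimeGenerated >= ago(dt_lookBack)
| project UrlSeenTime = TimeGenerated, NetworkMessageId, Url
| join kind=inner ti_urls on Url
| join kind=inner (
    EmailEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
| project UrlSeenTime, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Url,
          DeliveryAction, DeliveryLocation, IndicatorId, ThreatType, ConfidenceScore,
          Description, LatestIndicatorTime
// Entity columns in the naming convention the Sentinel detection templates use
// (assumption: the rule's entity mapping points at these columns).
| extend timestamp = UrlSeenTime, URLCustomEntity = Url, AccountCustomEntity = RecipientEmailAddress
```

The `summarize arg_max(TimeGenerated, *) by IndicatorId` step matters when indicators are updated or retired: without it, an older copy of the same indicator that was still `Active` would keep producing matches after the feed has withdrawn it. Running the query in Logs with `dt_lookBack` set to the same value as the rule's period is the quickest way to compare hunting results with what the rule simulation shows.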