Forum Discussion

Qusai_Ismail's avatar
Qusai_Ismail
Brass Contributor
May 18, 2022

Analytic Rule does not display incident while In hunting there is events.

Hello,   There is a problem with an analytic rule i have created to correlate between ThreatIntelligenceIndicator & DeviceNetworkEvents, when i run the KQL query of the analytic in Log Hunting ther...
  • JKatzmandu's avatar
    JKatzmandu
    May 18, 2022
    IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.

    ThreatIntelligenceIndicator | where NetworkIP != "" | join (FW_DATA_Table_or_Function | where TimeGenerated >= now()-1d | project-rename NetworkIP = Dst_IP) on NetworkIP
    | project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol | sort by TimeGenerated1 desc




Resources