Forum Discussion
Qusai_Ismail
May 18, 2022Brass Contributor
Analytic Rule does not display incident while In hunting there is events.
Hello, There is a problem with an analytic rule i have created to correlate between ThreatIntelligenceIndicator & DeviceNetworkEvents, when i run the KQL query of the analytic in Log Hunting ther...
- May 18, 2022IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.
ThreatIntelligenceIndicator | where NetworkIP != "" | join (FW_DATA_Table_or_Function | where TimeGenerated >= now()-1d | project-rename NetworkIP = Dst_IP) on NetworkIP
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol | sort by TimeGenerated1 desc
JKatzmandu
May 18, 2022Brass Contributor
IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.
ThreatIntelligenceIndicator | where NetworkIP != "" | join (FW_DATA_Table_or_Function | where TimeGenerated >= now()-1d | project-rename NetworkIP = Dst_IP) on NetworkIP
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol | sort by TimeGenerated1 desc
ThreatIntelligenceIndicator | where NetworkIP != "" | join (FW_DATA_Table_or_Function | where TimeGenerated >= now()-1d | project-rename NetworkIP = Dst_IP) on NetworkIP
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol | sort by TimeGenerated1 desc
Qusai_Ismail
May 23, 2022Brass Contributor
Thanks for your replay, but the time in analytic rule setting is same as i set in the query, both are 1h.