Forum Discussion

Qusai_Ismail's avatar
Qusai_Ismail
Brass Contributor
May 18, 2022
Solved

Analytic Rule does not display incident while In hunting there is events.

Hello,   There is a problem with an analytic rule i have created to correlate between ThreatIntelligenceIndicator & DeviceNetworkEvents, when i run the KQL query of the analytic in Log Hunting ther...
analytics
automation
detection
KQL
siem
threat hunting
  • JKatzmandu's avatar
    JKatzmandu
    May 18, 2022
    IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.

    ThreatIntelligenceIndicator | where NetworkIP != "" | join (FW_DATA_Table_or_Function | where TimeGenerated >= now()-1d | project-rename NetworkIP = Dst_IP) on NetworkIP
    | project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol | sort by TimeGenerated1 desc




JKatzmandu's avatar
JKatzmandu
Brass Contributor
May 23, 2022
Swap the join around? I'm thinking the analytic rule test may be limiting things. So put your EmailEvents first with 1d, and then do a join to ThreatIntelligenceIndicator with ago(360) and it may work.
Qusai_Ismail's avatar
Qusai_Ismail
Brass Contributor
May 23, 2022
Thanks , as you said the set time in query is overruled by rule setting, so i changed the query to be like this

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(Url)
| join kind=innerunique (
EmailUrlInfo
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(dt_lookBack)
) on $left.Url == $right.Url

and RULE SETTINGS
Run query every 1 hour
Lookup data from the last 14 days

All is done and it's worked.

thank you.