Forum Discussion
Subsequent alerts with different AlertName in Analytical Rule
Hi all, I would like to ask if there is a way to create an alert when 2 events that were specified, alerted at within 1 hour of each other. ie. When AlertName == "Suspicious administrative a...
How about this?
let threshold_ = 60; //minutes
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd loggingp";
SecurityAlert
| where AlertName in (ruleA, ruleB)
| summarize arg_max(TimeGenerated,*) by AlertName
| serialize
| extend diff_ = datetime_diff('minute', TimeGenerated, prev(TimeGenerated,1))
| where diff_ < threshold_