Forum Discussion

Copper Contributor

Mar 08, 2023

Subsequent alerts with different AlertName in Analytical Rule

Hi all, I would like to ask if there is a way to create an alert when 2 events that were specified, alerted at within 1 hour of each other. ie. When AlertName == "Suspicious administrative a...

KQL

kusto

microsoft defender for cloud

Varun_Ghildiyal

Iron Contributor

Mar 10, 2023

drinrin

search in (AuditLog_CL)
| where AlertName == "Suspicious administrative activity" or AlertName == "Disabling of auditd logging"
| extend TimeGeneratedUtc = TimeGenerated + 1h
| join kind=inner (
    search in (AuditLog_CL)
    | where AlertName == "Disabling of auditd logging" or AlertName == "Suspicious administrative activity"
    ) on Computer, Account, TimeGeneratedUtc
| where TimeGeneratedUtc1 < TimeGeneratedUtc
| where TimeGeneratedUtc <= TimeGeneratedUtc1 + 1h

This query looks for events with the AlertName "Suspicious administrative activity" or "Disabling of auditd logging" and joins them on the fields "Computer", "Account", and "TimeGeneratedUtc". It then filters for events where the time difference between the two events is less than 1 hour.