SOLVED

Analytic rule does not display an incident while in Hunting there are events.


Hello,

There is a problem with an analytic rule I have created to correlate ThreatIntelligenceIndicator and DeviceNetworkEvents. When I run the KQL query of the analytic rule in Log Hunting, there are events in the result, as shown in the photo.

[screenshot]

But when I tried to simulate the results from the analytic rule configuration, no data appeared.

[screenshot]

Also, when I clicked on View query results, no result data appeared either, but as shown, the time range is changed to Custom by default.

[screenshot]

 

When I changed the time range to Set in query, result data appeared.

[screenshot]

Are there any changes I should make so the event is simulated as an incident in the analytic rule?

Thank you.

8 Replies
How did you set up the Query Scheduling and Alert threshold?
Also, is this a regular analytics rule, or is it an NRT rule?
Hi,

It's a regular analytics rule.
best response confirmed by Qusai_Ismail (Brass Contributor)
Solution
IIRC, the "time set in query" will be overruled by the analytics rule time settings. To do something similar to alert on potential C2C comms (compare NetworkIPs from ThreatIntelligenceIndicator to FW logs) I had to use a join.

ThreatIntelligenceIndicator
| where NetworkIP != ""
| join (
    FW_DATA_Table_or_Function
    | where TimeGenerated >= now()-1d
    | project-rename NetworkIP = Dst_IP
    ) on NetworkIP
| project TimeGenerated1, Name, Src_IP, NetworkIP, Dst_Port, Protocol
| sort by TimeGenerated1 desc

Thanks for your reply, but the time in the analytic rule settings is the same as I set in the query; both are 1h.
This is another example I'm trying to do.


ThreatIntelligenceIndicator
| where TimeGenerated > ago(360d)
| where isnotempty(Url)
| join (
    EmailUrlInfo
    | where TimeGenerated >= now()-1d
    ) on Url
| join (
    EmailEvents
    | where TimeGenerated >= now()-1d
    ) on NetworkMessageId
| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Url, DeliveryAction, DeliveryLocation

The analytic rule is for checking IOC URLs in EmailEvents that have URLs.
Analytic rule settings are:
Run query every: 5 minutes
Lookup data from the last: 1 day

When I tested the KQL query in Log Hunting, there is an event in the result, but when trying to test it in the analytic rule, the simulated result is empty and no incident is generated.

Thank you.

Swap the join around? I'm thinking the analytic rule test may be limiting things. So put your EmailEvents first with 1d, and then do a join to ThreatIntelligenceIndicator with ago(360) and it may work.
Thanks. As you said, the time set in the query is overruled by the rule settings, so I changed the query to be like this:

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(Url)
| join kind=innerunique (
    EmailUrlInfo
    | extend IngestionTime = ingestion_time()
    | where IngestionTime > ago(dt_lookBack)
    ) on $left.Url == $right.Url

and rule settings:
Run query every: 1 hour
Lookup data from the last: 14 days

All is done and it worked.

Thank you.
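As an added example that is not part of this thread, the same lookback pattern from the final query above applied to the opening post's scenario: ThreatIntelligenceIndicator correlated with DeviceNetworkEvents, matching the indicator IP against RemoteIP. It assumes the rule is scheduled like the accepted fix (run query every 1 hour, lookup data from the last 14 days) and that the indicator's IP may be carried in either NetworkIP or NetworkDestinationIP.

```kql
// Added example, not from the thread: the accepted fix's lookback pattern applied to the
// opening post's scenario, ThreatIntelligenceIndicator correlated with DeviceNetworkEvents.
// Assumed rule settings, matching the final query above: run query every 1 hour and
// lookup data from the last 14 days, so the rule window covers the longest lookback.
let dt_lookBack = 1h;    // recent device events, bounded by ingestion time
let ioc_lookBack = 14d;  // indicator age, covered by the rule's 14-day lookup window
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
// Assumption: the indicator IP is in NetworkIP or NetworkDestinationIP; take whichever is set
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP)
| where isnotempty(TI_ipEntity)
| join kind=innerunique (
    DeviceNetworkEvents
    | extend IngestionTime = ingestion_time()
    | where IngestionTime > ago(dt_lookBack)
    | where isnotempty(RemoteIP)
    // keep the event time under its own name so it is not confused with the indicator time
    | extend DeviceEventTime = TimeGenerated
    ) on $left.TI_ipEntity == $right.RemoteIP
| project DeviceEventTime, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName,
    IndicatorId, LatestIndicatorTime, ConfidenceScore, ThreatType, Description
| sort by DeviceEventTime desc
```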