Forum Discussion
drinrin
Mar 08, 2023, Copper Contributor
Subsequent alerts with different AlertName in Analytical Rule
Hi all,
I would like to ask if there is a way to create an alert when 2 specified events alerted within 1 hour of each other.
i.e.
When AlertName == "Suspicious administrative activity" alerted, then within 10-15 mins AlertName == "Disabling of auditd logging" alerted.
Regards,
drinrin
- Varun_Ghildiyal, Brass Contributor
```kusto
// Left side: the first alert; right side: the second alert.
// Joining only on Computer and Account (not on a timestamp) keeps every
// candidate pair; the time-window filter below then picks the ones where
// the auditd alert fires within the hour after the admin-activity alert.
AuditLog_CL
| where AlertName == "Suspicious administrative activity"
| join kind=inner (
    AuditLog_CL
    | where AlertName == "Disabling of auditd logging"
  ) on Computer, Account
// right-side columns get a "1" suffix, so TimeGenerated1 is the auditd alert's time
| where TimeGenerated1 > TimeGenerated and TimeGenerated1 <= TimeGenerated + 1h
| project Computer, Account,
          FirstAlert = AlertName, FirstTime = TimeGenerated,
          SecondAlert = AlertName1, SecondTime = TimeGenerated1
```
This query looks for events with the AlertName "Suspicious administrative activity" or "Disabling of auditd logging" and joins them on the fields "Computer", "Account", and "TimeGeneratedUtc". It then filters for events where the time difference between the two events is less than 1 hour.
- Clive_Watson, Bronze Contributor
How about this?
```kusto
let threshold_ = 60; // minutes
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
SecurityAlert
| where AlertName in (ruleA, ruleB)
| summarize arg_max(TimeGenerated, *) by AlertName   // latest instance of each alert
| sort by TimeGenerated asc                           // sort serializes the rows, so prev() is well defined
| extend diff_ = datetime_diff('minute', TimeGenerated, prev(TimeGenerated, 1)),
         prevAlert = prev(AlertName, 1)
// ruleB must come after ruleA, and no more than threshold_ minutes later
| where AlertName == ruleB and prevAlert == ruleA and diff_ between (0 .. threshold_)
```
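The same "A, then B within an hour on the same host" correlation, written as an added, self-contained example that is not from either reply above: it uses a constructed `datatable` of alerts instead of `SecurityAlert` so it can be pasted into any Log Analytics workspace and run as-is. The `Computer` column and the sample timestamps are assumptions for the example; in the real `SecurityAlert` table the host normally has to be taken from `CompromisedEntity` or parsed out of `Entities`, and the `datatable` would be replaced by the table filter. It also goes one step beyond the replies by collapsing the result to one row per first alert (the earliest second alert that followed it), so a host with several follow-on alerts does not produce several rows in the analytic rule.

```kusto
// Constructed sample data (not real alerts) standing in for SecurityAlert.
let threshold_ = 1h;
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
let Alerts = datatable(TimeGenerated: datetime, AlertName: string, Computer: string)
[
    datetime(2023-03-08 10:00:00), "Suspicious administrative activity", "srv01",
    datetime(2023-03-08 10:12:00), "Disabling of auditd logging",        "srv01", // 12 min after A, same host
    datetime(2023-03-08 10:05:00), "Suspicious administrative activity", "srv02",
    datetime(2023-03-08 11:30:00), "Disabling of auditd logging",        "srv02", // 85 min after A, same host
    datetime(2023-03-08 12:00:00), "Disabling of auditd logging",        "srv03", // B with no preceding A
    datetime(2023-03-08 12:10:00), "Suspicious administrative activity", "srv03"  // A that comes after B
];
Alerts
| where AlertName == ruleA
| project Computer, FirstTime = TimeGenerated
| join kind=inner (
    Alerts
    | where AlertName == ruleB
    | project Computer, SecondTime = TimeGenerated
  ) on Computer
// B must fire strictly after A and no later than A + threshold_
| where SecondTime > FirstTime and SecondTime <= FirstTime + threshold_
// one row per A alert: the earliest B that followed it on that host
| summarize SecondTime = min(SecondTime) by Computer, FirstTime
| extend MinutesBetween = datetime_diff('minute', SecondTime, FirstTime)
```

With this sample data only the srv01 pair survives: srv02 is outside the window, and on srv03 the alerts are in the wrong order. When this is wired into a scheduled analytics rule, the rule's lookback period has to be at least the correlation window plus the run frequency (for example, run every 15 minutes over the last 75 minutes for a 1-hour window); otherwise an A alert near the start of the window can fall out of the lookback before its B alert arrives and the pair is never seen.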