@drinrin 

How about this?

let threshold_ = 60; //minutes
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd loggingp";
SecurityAlert
| where AlertName in (ruleA, ruleB)
| summarize arg_max(TimeGenerated,*) by AlertName 
| serialize 
| extend diff_ =  datetime_diff('minute', TimeGenerated, prev(TimeGenerated,1))
| where diff_ < threshold_

@drinrin 

search in (AuditLog_CL)
| where AlertName == "Suspicious administrative activity" or AlertName == "Disabling of auditd logging"
| extend TimeGeneratedUtc = TimeGenerated + 1h
| join kind=inner (
    search in (AuditLog_CL)
    | where AlertName == "Disabling of auditd logging" or AlertName == "Suspicious administrative activity"
    ) on Computer, Account, TimeGeneratedUtc
| where TimeGeneratedUtc1 < TimeGeneratedUtc
| where TimeGeneratedUtc <= TimeGeneratedUtc1 + 1h

This query looks for events with the AlertName "Suspicious administrative activity" or "Disabling of auditd logging" and joins them on the fields "Computer", "Account", and "TimeGeneratedUtc". It then filters for events where the time difference between the two events is less than 1 hour.