Mar 08 2023 11:57 AM
Hi all,
I would like to ask if there is a way to create an alert when 2 specified events alerted within 1 hour of each other.
i.e.
When AlertName == "Suspicious administrative activity" alerted, then within 10-15 mins AlertName == "Disabling of auditd logging" alerted
Regards,
drinrin
Mar 09 2023 05:59 AM
How about this?
let threshold_ = 60; // minutes
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
SecurityAlert
| where AlertName in (ruleA, ruleB)
| summarize arg_max(TimeGenerated, *) by AlertName   // latest occurrence of each rule
| order by TimeGenerated asc                          // so prev() always refers to the earlier alert
| serialize
| extend diff_ = datetime_diff('minute', TimeGenerated, prev(TimeGenerated, 1))
| where diff_ < threshold_
Mar 10 2023 12:43 AM
AuditLog_CL
| where AlertName == "Suspicious administrative activity"
| extend TimeGeneratedUtc = bin(TimeGenerated, 1h)      // join key: 1-hour bucket
| join kind=inner (
    AuditLog_CL
    | where AlertName == "Disabling of auditd logging"
    | extend TimeGeneratedUtc = bin(TimeGenerated, 1h)  // same key on the right side
) on Computer, Account, TimeGeneratedUtc
| where TimeGenerated < TimeGenerated1                  // first alert precedes the second
| where TimeGenerated1 <= TimeGenerated + 1h            // and the second is within 1 hour
This query looks for events with the AlertName "Suspicious administrative activity" or "Disabling of auditd logging" and joins them on the fields "Computer", "Account", and "TimeGeneratedUtc". It then filters for events where the time difference between the two events is less than 1 hour.
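Both approaches above have a gap: the prev()-based query only compares the single latest alert of each name, and a join keyed on a 1-hour bin misses an A late in one bucket followed by a B early in the next. The query below is an added example (not from any post in this thread, and not Microsoft's own code) of the time-window join pattern that handles both: every A is paired with every B on the same entity that follows it within the window, across bucket boundaries. It assumes the Sentinel SecurityAlert table with its AlertName, TimeGenerated and CompromisedEntity columns; the window, lookback and rule names are placeholders to adjust.

```kql
// Sequence detection: alert B fires within `window` after alert A on the same entity.
// Added example; assumes SecurityAlert (AlertName, TimeGenerated, CompromisedEntity).
let window = 1h;                          // max gap between A and B (use 15m for the original question)
let lookback = 1d;                        // how far back the rule searches
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
// Left side: every A, keyed by its window-sized time bucket.
let eventsA = SecurityAlert
    | where TimeGenerated > ago(lookback) and AlertName == ruleA
    | project Entity = CompromisedEntity, TimeA = TimeGenerated, Bucket = bin(TimeGenerated, window);
// Right side: every B, duplicated into its own bucket and the previous one,
// so an A near the end of one bucket still pairs with a B near the start of the next.
let eventsB = SecurityAlert
    | where TimeGenerated > ago(lookback) and AlertName == ruleB
    | project Entity = CompromisedEntity, TimeB = TimeGenerated
    | extend Bucket = pack_array(bin(TimeB, window), bin(TimeB, window) - window)
    | mv-expand Bucket to typeof(datetime);
eventsA
| join kind=inner eventsB on Entity, Bucket
| where TimeB > TimeA and TimeB - TimeA <= window   // B strictly after A, within the window
| project Entity, TimeA, TimeB, Gap = TimeB - TimeA
| summarize arg_min(Gap, *) by Entity, TimeA         // keep the earliest B for each A
```

Each (A, B) pair can only match in one of the two duplicated buckets, so the join does not double-count; the final summarize collapses multiple Bs after the same A to the first one. When this runs as a scheduled analytics rule, set the rule's lookback to at least lookback plus window so a pair straddling two rule executions is still caught.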