Subsequent alerts with different AlertName in Analytical Rule


Hi all,
I would like to ask if there is a way to create an alert when 2 specified events alerted within 1 hour of each other.

i.e.

When AlertName == "Suspicious administrative activity" alerted, then within 10-15 mins AlertName == "Disabling of auditd logging" alerted
Regards,

drinrin 

2 Replies

@drinrin 
How about this?

let threshold_ = 60; // minutes
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
SecurityAlert
| where AlertName in (ruleA, ruleB)
| summarize arg_max(TimeGenerated, *) by AlertName   // latest occurrence of each of the two alerts
| sort by TimeGenerated asc                          // prev() needs a defined row order; serialize alone does not sort
| extend diff_ = datetime_diff('minute', TimeGenerated, prev(TimeGenerated, 1))
| where diff_ < threshold_                           // the first row has a null diff_ and drops out here

@drinrin 
AuditLog_CL
| where AlertName == "Suspicious administrative activity" or AlertName == "Disabling of auditd logging"
| extend TimeGeneratedUtc = TimeGenerated + 1h   // fixed offset; it cancels out in the comparisons below
| join kind=inner (
    AuditLog_CL
    | where AlertName == "Disabling of auditd logging" or AlertName == "Suspicious administrative activity"
    | extend TimeGeneratedUtc = TimeGenerated + 1h   // the right side needs the same column for the comparisons
    ) on Computer, Account                           // join on host and account; an exact-timestamp key would never match
| where AlertName != AlertName1                      // pair the two different alerts, not an alert with itself
| where TimeGeneratedUtc1 < TimeGeneratedUtc         // the right-side alert fired first
| where TimeGeneratedUtc <= TimeGeneratedUtc1 + 1h   // and the second one followed within 1 hour
This query looks for events with the AlertName "Suspicious administrative activity" or "Disabling of auditd logging" and joins them on the fields "Computer", "Account", and "TimeGeneratedUtc". It then filters for events where the time difference between the two events is less than 1 hour.
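Both replies above pair the two alerts, the first by taking only the latest occurrence of each and the second by a self-join. The query below is an added example, not part of either reply, that generalises the second approach into the time-window join pattern: alert A followed by alert B within a window, one row per (entity, A, B) pair, with the window applied exactly after a coarse bin match so the join never becomes a full cross product. It assumes (not stated in the thread) that SecurityAlert's CompromisedEntity column carries the host or account to correlate on and that the scheduled rule's lookback covers at least window plus bin_size so both alerts are in scope.

```kql
// Added example: "A followed by B within a window" over SecurityAlert.
// Assumptions (not from the thread): CompromisedEntity identifies the entity to
// correlate on, and the rule lookback is at least window + bin_size.
let ruleA = "Suspicious administrative activity";
let ruleB = "Disabling of auditd logging";
let window = 1h;          // B must fire within this long after A
let bin_size = 1h;        // coarse time key that bounds the join before the exact check
let firstAlerts = SecurityAlert
    | where AlertName == ruleA and isnotempty(CompromisedEntity)   // an empty key would pair unrelated alerts
    | project Entity = CompromisedEntity, TimeA = TimeGenerated, AlertA = AlertName, AlertAId = SystemAlertId
    // each A row is assigned every bin it could pair with: its own bin and the bins covered by the window
    | extend TimeKey = range(bin(TimeA, bin_size), bin(TimeA + window, bin_size), bin_size)
    | mv-expand TimeKey to typeof(datetime);
let secondAlerts = SecurityAlert
    | where AlertName == ruleB and isnotempty(CompromisedEntity)
    | project Entity = CompromisedEntity, TimeB = TimeGenerated, AlertB = AlertName, AlertBId = SystemAlertId
    | extend TimeKey = bin(TimeB, bin_size);
firstAlerts
| join kind=inner secondAlerts on Entity, TimeKey
| where TimeB > TimeA and TimeB <= TimeA + window   // order and window enforced exactly after the bin match
| project Entity, AlertA, TimeA, AlertB, TimeB,
          MinutesBetween = datetime_diff('minute', TimeB, TimeA),
          AlertAId, AlertBId
| sort by TimeB desc
```

Because every A row is expanded into the bins its window spans and every B row sits in exactly one bin, each qualifying pair is matched once, so no distinct step is needed. When this runs as a scheduled analytics rule, set the query period to at least window plus bin_size (2h here) or the earlier alert falls outside the lookback; a B that fires without a preceding A, or more than the window after it, produces no row.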