Analytic Rule - Query Scheduling - Sentinel

Question

Analytic Rule - Query Scheduling - Sentinel

Miguel Calderón 45

Dear Team.

I´m trying to join Security Event logs looking for two specific Event ID, one must be 4days ago (Event A,TimeGenerated > Ago(4d)) and the other one 1 hour (Event B, TimeGenerated > Ago(1h)), so when I join to excluded the Users found on Event A.

So, when i run the query everything works, but I´m not sure about what values should i include in the scheduling on the analytic rule. I want to this rule run every hour.


TableA = (
    SecurityEvent
    | where EventID == EventA
    | where TimeGenerated > ago (4d)
);
TableB = (
	SecurityEvent
	| where EventID == EventB
	| where TimeGenerated > ago (1h)
);
TableA
| join kind=  leftanti  (
    TableA
) on TargetUserName
| sort by TimeGenerated desc

User's image

Givary-MSFT 35,786 Puntos de reputación Empleado de Microsoft Moderador

2023-12-04T07:44:25.09+00:00

@Miguel Calderón Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Respuesta aceptada por el autor de la pregunta

0 respuestas adicionales

Su respuesta

Givary-MSFT 35,786 Puntos de reputación Empleado de Microsoft Moderador

2023-12-04T07:44:25.09+00:00

@Miguel Calderón Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

Givary-MSFT 35,786 Empleado de Microsoft Moderador

@Miguel Calderón Thank you for reaching out to us, regarding your ask did check with my team the values in the query scheduling looks fine to me, as you have put 4 days, in the lookup, cause that parameter determines the "look back" period for your analytic query and frequency is also correctly defined (every 1 hour) or probably better to use TimeGenerated >= ago(4d), since you need the whole 4 days back data.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Miguel Calderón 45

Hey Givary, awesome.

But which value should i use in the look back period if i need go further back, Let's say 90d.

TableA = (
    SecurityEvent
    | where EventID == EventA
    | where TimeGenerated > ago (90d)
);
TableB = (
	SecurityEvent
	| where EventID == EventB
	| where TimeGenerated > ago (1h)
);
TableA
| join kind=  leftanti  (
    TableA
) on TargetUserName
| sort by TimeGenerated desc

The "look back" only lets me go back up to 14 days.

Givary-MSFT 35,786 Puntos de reputación Empleado de Microsoft Moderador

2023-11-20T09:14:59.17+00:00

@Miguel Calderón Apologies for the delayed response, Azure Sentinel rules have a max look back of 14days - https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#query-scheduling-and-alert-threshold

There is a workaround - https://www.youtube.com/watch?v=G6TIzJK8XBA&t=3152s (“14days use case” starts at 42min).

Reference: https://techcommunity.microsoft.com/t5/azure-observability/conflict-with-custom-time-range-when-running-scheduled-sentinel/m-p/2846379

Let me know if you have any further questions, feel free to post back.
Miguel Calderón 45 Puntos de reputación

2023-11-20T22:07:29.3333333+00:00

Hey Givary, thanks that´s a good workaround i was working on something like that too, but if you have any documentantion using a logic app to create or update a watchlist would be great.

BR
Givary-MSFT 35,786 Puntos de reputación Empleado de Microsoft Moderador

2023-11-21T03:19:14.6433333+00:00

@Miguel Calderón

Check this blog for documentantion using a logic app to create or update a watchlist

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sentinel-watchlist-automation-using-logic-apps/ba-p/3718753

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Miguel Calderón 45 Puntos de reputación

2023-12-06T16:10:07.4933333+00:00

Hey Givary, sorry for my late response, logic apps works, thanks a lot.

Compartir a través de

Analytic Rule - Query Scheduling - Sentinel

0 respuestas adicionales

Su respuesta