Analytic Rule - Query Scheduling - Sentinel

Miguel Calderón 45 Puntos de reputación
2023-11-10T20:03:29.85+00:00

Dear Team.

I´m trying to join Security Event logs looking for two specific Event ID, one must be 4days ago (Event A,TimeGenerated > Ago(4d)) and the other one 1 hour (Event B, TimeGenerated > Ago(1h)), so when I join to excluded the Users found on Event A.

So, when i run the query everything works, but I´m not sure about what values should i include in the scheduling on the analytic rule. I want to this rule run every hour.


TableA = (
    SecurityEvent
    | where EventID == EventA
    | where TimeGenerated > ago (4d)
);
TableB = (
	SecurityEvent
	| where EventID == EventB
	| where TimeGenerated > ago (1h)
);
TableA
| join kind=  leftanti  (
    TableA
) on TargetUserName
| sort by TimeGenerated desc

User's image

Sin supervisión
Sin supervisión
Etiqueta no supervisada por Microsoft.
203 preguntas
{count} votos

Respuesta aceptada
  1. Givary-MSFT 30.851 Puntos de reputación Empleado de Microsoft
    2023-11-16T10:17:50.6133333+00:00

    @Miguel Calderón Thank you for reaching out to us, regarding your ask did check with my team the values in the query scheduling looks fine to me, as you have put 4 days, in the lookup, cause that parameter determines the "look back" period for your analytic query and frequency is also correctly defined (every 1 hour) or probably better to use TimeGenerated >= ago(4d), since you need the whole 4 days back data.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.


0 respuestas adicionales

Ordenar por: Muy útil