Custom detection rule "A event "x minutes after" B event"

Asked Mar 24 '23 at 20:57

Active Mar 24 '23 at 20:57

Viewed 83 times

I'm new to Kusto and trying to create a new custom detection rule with two different events.

For example, the first one above detects creating a new scheduled task. Second one detects successful login.

DeviceProcessEvents | where FolderPath endswith "schtasks.exe" and ProcessCommandLine has "/create"

DeviceLogonEvents | where ActionType == "LogonSuccess"

I want to create a rule that detects creating a scheduled task 10 minutes after successful login to same device. (not a specific device, any device)

asked Mar 24 '23 at 20:57

tobtob

You can use a time window join. See example and documentation: https://learn.microsoft.com/azure/data-explorer/kusto/query/join-timewindow – Steffen Zeidler Mar 25 '23 at 08:51

0 Answers0