20 строки
931 B
YAML
20 строки
931 B
YAML
id: a4dfa95d-eb8a-4d71-b669-dcb6dcfcf37a
|
|
name: Events surrounding alert
|
|
description: |
|
|
This query looks for events that are near in time to a detected event.
|
|
It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event (e.g. a detected event).
|
|
This is useful when you have queries that you run often - e.g. as part of your regular investigation of an alert.
|
|
Original query: filter for network logon events right before some timestamp.
|
|
requiredDataConnectors:
|
|
- connectorId: MicrosoftThreatProtection
|
|
dataTypes:
|
|
- DeviceLogonEvents
|
|
query: |
|
|
let DeviceId = "474908f457a1dc4c1fab568f808d5f77bf3bb951";
|
|
let timestamp = datetime(2018-06-09T02:23:26.6832917Z);
|
|
let lookupPeriod = 10m;
|
|
DeviceLogonEvents
|
|
| where Timestamp between ((timestamp - lookupPeriod) .. lookupPeriod)
|
|
and DeviceId == DeviceId
|
|
and LogonType == "Network"
|