Tags: azure, kql, microsoft-365-defender

KQL Query works in advanced hunting but fails when made into a detection rule


I am trying to make a KQL query that detects GET requests to an address on port 80 more than 5 times within a 5-minute timespan. This query works fine when I run it in "Advanced Hunting" but fails when it is assigned to a detection rule.

The error I receive is "No events match the given event identifiers (a combination of ReportId, AlertId, BehaviorId, or DeviceId and Timestamp). Edit the query's aggregation expressions for these columns and try again."

DeviceNetworkEvents
// AdditionalFields is a JSON string; parse it once so method/host/uri can be filtered
| extend parsed = parse_json(AdditionalFields)
| where parsed.method has "get"
| where RemotePort == 80
// Exclusions for known-benign destinations
| where not (parsed.host endswith ".goog" or parsed.host startswith "10.32.")
| where not (parsed.uri endswith "windowsupdate.com")
| where not (parsed.host has_any ("intranet", "gvt1.com", "usertrust.com", "entrust.net", "wpad", "169.254.169.254", "adobe.com", "msftconnecttest.com", "narrabay", "windowsupdate.com", "microsoft.com", "digicert.com", "lencr.org", "amazontrust.com"))
// Keep the latest Timestamp/ReportId per device per 5-minute window, plus the event count
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId, bin(Timestamp, 5m)
| where count_ > 5

As far as I know, I need the ReportId, DeviceId, and Timestamp in order for this to work, which I have. I also tried with the AlertId and BehaviorId. What can I do to make this detection rule work?


Solution

  • It seems I figured it out. Since I was using Timestamp twice (once for arg_max and once in bin), it was sending two timestamps, which seemingly makes it not work. I just added

    | extend timestamp2 = Timestamp

    and used that in bin instead of Timestamp itself.
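The full rule query with that fix applied, as an added example that is not part of the original question or answer. It keeps the asker's filters, window and threshold; the aliased by-clause shown in the trailing comment is a standard KQL alternative to the timestamp2 copy, not something from the original thread.

```kql
// Custom detection rules need Timestamp, DeviceId and ReportId to survive the
// summarize as single, unambiguously named columns. Writing bin(Timestamp, 5m)
// in the by-clause emits a second column named Timestamp next to the one
// produced by arg_max, which is what the rule editor rejects. Binning on a
// copy of the column avoids the collision.
DeviceNetworkEvents
| extend parsed = parse_json(AdditionalFields)
| where parsed.method has "get"
| where RemotePort == 80
| where not (parsed.host endswith ".goog" or parsed.host startswith "10.32.")
| where not (parsed.uri endswith "windowsupdate.com")
| where not (parsed.host has_any ("intranet", "gvt1.com", "usertrust.com", "entrust.net", "wpad", "169.254.169.254", "adobe.com", "msftconnecttest.com", "narrabay", "windowsupdate.com", "microsoft.com", "digicert.com", "lencr.org", "amazontrust.com"))
// Copy of Timestamp used only for bucketing, so bin() does not re-emit Timestamp
| extend timestamp2 = Timestamp
// Output columns: DeviceId, timestamp2 (window start), Timestamp, ReportId, count_
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId, bin(timestamp2, 5m)
| where count_ > 5
// Equivalent without the extra extend: alias the bucket column in the by-clause
//   ... by DeviceId, TimeWindow = bin(Timestamp, 5m)
```

As written, count_ is the number of matching events per device per 5-minute window across all destinations; adding RemoteIP or tostring(parsed.host) to the by-clause makes the threshold apply per destination instead.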