KQL Query works in editor but not in Custom Detection Rules (scheduled)

Christoffer Brydensholt 0 Reputation points
2024-07-23T11:28:50.28+00:00

I have the following query to find machines that have their Real Time Protection disabled:

DeviceTvmSecureConfigurationAssessmentKB
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId
| join DeviceEvents on DeviceId
| where IsApplicable == 1 and IsCompliant != 1
| where ConfigurationId in ("scid-2012")
| project  Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId, DeviceId
| summarize arg_min(Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId) by DeviceId
| sort by ConfigurationImpact



When i run this in the query editor, i get the correct results returned to me.

When i do "Create Detection Rule" and set it as a scheduled rule, it says "Failed" with the information "No events match the given event identifiers (a combination of ReportId, AlertId, BehaviorId, or DeviceId and Timestamp). Edit the query's aggregation expressions for these columns and try again."

My question is firstly, how do i fix this?

Secondly:

I made this query too:

DeviceEvents
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on DeviceId
| join kind=innerunique DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
| where IsApplicable == 1 and IsCompliant != 1
| where ConfigurationId in ("scid-2012")
| project  Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId, DeviceId
| sort by ConfigurationImpact


This query can be used as a scheduled detection rule, but it gives me just 1 result, whereas the first one i wrote correctly gives me multiple results.

Can you help me by either telling me how to fix the first option, or the second option?

Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
229 questions
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection.Training: Instruction to develop new skills.
17 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.