I have a multi-event rule with a match window of 48 hours that is looking for the occurrence of one Windows event code followed by another event with a different event code.

For my use case, these events usually occur 1 hour to 24 hours after one another, but I'm using the larger match window for the outliers.

The issue I'm running into is there are times where event 1 fires and event 2 fires 1 hour later, but I do not get a detection until 48 hours later. Is there a better way to approach this?

Hi @smit8,

It may be worth looking at the following documentation[1] and utilising a hop window for this specific use case.

[1] - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#hop_window

Kind Regards,

Ayman
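For readers following the hop-window suggestion, here is the shape such a rule takes in YARA-L 2.0. This is an added illustration, not code from the original thread or from Google's documentation; the event codes, the `principal.hostname` join key and the `vendor_name` filter are placeholders I have assumed, so substitute the fields your parser actually populates.

```yaral
rule event_a_then_event_b_hop_window {
  meta:
    author = "added example, not from the thread"
    description = "Event code A followed by event code B on the same host within 48h, re-evaluated hourly"
    severity = "MEDIUM"

  events:
    // First event in the sequence. "EVENT_CODE_A" is a placeholder for the
    // real Windows event ID; product_event_type is an assumed mapping.
    $a.metadata.vendor_name = "Microsoft"
    $a.metadata.product_event_type = "EVENT_CODE_A"
    $a.principal.hostname = $host

    // Second event in the sequence, joined to the first on hostname.
    $b.metadata.vendor_name = "Microsoft"
    $b.metadata.product_event_type = "EVENT_CODE_B"
    $b.principal.hostname = $host

    // Enforce ordering so A must occur before B, not merely alongside it.
    $a.metadata.event_timestamp.seconds < $b.metadata.event_timestamp.seconds

  match:
    // Hop window: a 48h window that is re-evaluated every hour instead of
    // only once per 48h window boundary.
    $host over 48h every 1h

  condition:
    $a and $b
}
```

The `every 1h` clause is what makes this a hop window rather than a plain 48h match window; the `over 48h` part still defines how far apart the two events may be. Keep the hop size no larger than the window size.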

Started with a hop window and then tried sliding, but with both I found that with a match section of 48 hours, the detection was delayed by approximately that time versus the event.

Hi @smit8,

It's a shame that even with a hop window this doesn't solve your use case. There is a Private Preview feature known as 'Rule Chaining'[1] which may be of greater interest. If you reach out to your account manager they should be able to provide additional information relating to this feature and if you may be able to get this added to your instance for testing.

[1] - https://cloud.google.com/chronicle/docs/detection/rule-chaining

Kind Regards,

Ayman

Thank you - I was thinking I might be able to put something together with an initial rule > ref list > SOAR, but I'm trying to figure that out and see if anyone else has run into the same.