Merge pull request #2966 from sandytsang/patch-1

Fixed make-series TimeGenerated
Azure · Sep 17, 2021 · 5d2d659 · 5d2d659
2 parents e01fb34 + c739347
commit 5d2d659
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml b/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml
@@ -34,7 +34,7 @@ query: |
   | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
   | where Process in (ExeList)
   | project TimeGenerated, Computer, AccountType, Account, Process
-  | make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;
+  | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;
   let TimeSeriesAlerts = materialize(TimeSeriesData
   | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')
   | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
@@ -64,4 +64,4 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.1