I have a rule that is looking for the existence of two Sysmon events. To simplify it, something like this:

events:

  $e1.principal.process.file.full_path = $process

  $e1.metadata.product_event_type = "1"

  $e2.principal.process.file.full_path = $process

  $e2.metadata.product_event_type = "3"

  $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds

match: $process over 2d

condition: $e1 and $e2

When the rule runs, the detection is created quickly after two events (1 e1, 1e2) are detected. In conditions (not frequent) where I detect two events of each type (ex. 2 e1, 2 e2), my detection takes the full 48 hours to trigger, despite each of those 4 events occurring within close proximity to the initial 2 events. I understand I'm using a 2d window, but when only getting two events it seems to work ok. Why might this be?

Example: Detection Time is reported as 2/26 at 0700

e1 - 2/24 - 07:04

e2 - 2/24 - 07:36

e1 (second) - 2/24 - 08:02

e2 (second) - 2/24 - 09:55

VS Detection Time - 2/22 at 2200

e1 - 2/21 - 23:47

e2 - 2/22 - 21:36