Account created and promoted to admin in under an hour
MIN(CASE(...)) captures both milestones (creation, elevation) per target account, and DATE_DIFF then measures the interval between them: a short interval is a marker of attacker persistence.
Requirements
Elasticsearch 8.13+, IAM/AD logs
SQL
FROM "logs-iam-*"
| WHERE event.action IN ("user_created", "group_admin_added")
| STATS
creation = MIN(CASE(event.action == "user_created", @timestamp, NULL)),
elevation = MIN(CASE(event.action == "group_admin_added", @timestamp, NULL))
BY user.target.name
| WHERE creation IS NOT NULL AND elevation IS NOT NULL
| EVAL delai_min = DATE_DIFF("minute", creation, elevation)
| WHERE delai_min >= 0 AND delai_min <= 60
| SORT delai_min ASC
| LIMIT 50
Result
user.target.name | creation                 | elevation                | delai_min
-----------------+--------------------------+--------------------------+----------
svc-maint2       | 2026-06-10T03:12:08.000Z | 2026-06-10T03:14:51.000Z | 2
backup-adm       | 2026-06-09T22:40:12.000Z | 2026-06-09T23:02:33.000Z | 22
jdupont-test     | 2026-06-08T14:05:47.000Z | 2026-06-08T14:51:20.000Z | 45
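The same detection logic as an added Python example (not part of the original page), run over constructed IAM events so the MIN/CASE and DATE_DIFF steps can be checked offline; the field names mirror those the query uses, and the events include edge cases the ES|QL filters are meant to drop (late elevation, elevation logged before creation, no elevation at all).

```python
from datetime import datetime, timezone

# Constructed sample events (not real logs) in the shape the query reads.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-06-10T03:12:08.000Z", "event.action": "user_created", "user.target.name": "svc-maint2"},
    {"@timestamp": "2026-06-10T03:14:51.000Z", "event.action": "group_admin_added", "user.target.name": "svc-maint2"},
    {"@timestamp": "2026-06-09T22:40:12.000Z", "event.action": "user_created", "user.target.name": "backup-adm"},
    {"@timestamp": "2026-06-09T23:02:33.000Z", "event.action": "group_admin_added", "user.target.name": "backup-adm"},
    # Elevated a week after creation: outside the 60-minute window, must not alert.
    {"@timestamp": "2026-06-01T09:00:00.000Z", "event.action": "user_created", "user.target.name": "alice"},
    {"@timestamp": "2026-06-08T09:00:00.000Z", "event.action": "group_admin_added", "user.target.name": "alice"},
    # Admin grant logged before the creation event (clock skew): negative delta, filtered out.
    {"@timestamp": "2026-06-07T10:00:00.000Z", "event.action": "group_admin_added", "user.target.name": "bob"},
    {"@timestamp": "2026-06-07T10:30:00.000Z", "event.action": "user_created", "user.target.name": "bob"},
    # Created but never elevated, plus an unrelated action the first WHERE drops.
    {"@timestamp": "2026-06-09T08:00:00.000Z", "event.action": "user_created", "user.target.name": "carol"},
    {"@timestamp": "2026-06-09T08:05:00.000Z", "event.action": "user_login", "user.target.name": "carol"},
]

ACTION_TO_MILESTONE = {"user_created": "creation", "group_admin_added": "elevation"}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def fast_elevations(events, max_minutes=60, limit=50):
    """Mirror of the ES|QL pipeline: keep the two milestone actions, take the
    earliest of each per target account (MIN), require both, compute the gap in
    whole minutes (DATE_DIFF), keep 0..max_minutes, sort ascending, truncate."""
    milestones = {}  # user.target.name -> {"creation": dt|None, "elevation": dt|None}
    for ev in events:
        key = ACTION_TO_MILESTONE.get(ev["event.action"])
        if key is None:
            continue  # WHERE event.action IN (...)
        ts = parse_ts(ev["@timestamp"])
        m = milestones.setdefault(ev["user.target.name"], {"creation": None, "elevation": None})
        if m[key] is None or ts < m[key]:
            m[key] = ts  # MIN(CASE(...)) per account
    hits = []
    for name, m in milestones.items():
        if m["creation"] is None or m["elevation"] is None:
            continue  # WHERE creation IS NOT NULL AND elevation IS NOT NULL
        # Whole minutes with the fraction dropped, matching the page's sample results (2m43s -> 2).
        delai_min = int((m["elevation"] - m["creation"]).total_seconds() / 60)
        if 0 <= delai_min <= max_minutes:
            hits.append((name, m["creation"], m["elevation"], delai_min))
    return sorted(hits, key=lambda h: h[3])[:limit]
```

Only svc-maint2 and backup-adm survive the filters; alice, bob and carol are dropped for the reasons noted in the sample data.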
SOC, IAM, DATE_DIFF, Persistence