Forum Discussion

Lumka1122
Copper Contributor
Dec 12, 2024

Analytic Rules for Log Forwarder

Good day,


May you kindly assist with KQL queries to create these 4 analytic rules in our environment.

Log Rate-Insufficient

Agent Heartbeat Latency

Agent Heartbeat Monitor

Agent-Health-Alert

1 Reply

  • Log Rate-Insufficient 

    // Fleet-wide volume check over the last 5 minutes. A summarize with no
    // "by" clause still returns one row on empty input (count() = 0,
    // dcount() = 0), so a stalled ingestion pipeline fires this rule too.
    Heartbeat_CL
    | where TimeGenerated > ago(5m)
    | summarize TotalHeartbeats = count(), 
                UniqueAgents = dcount(Computer)
    | where TotalHeartbeats < 10 or UniqueAgents < 3
    | project 
        AlertTitle = "Log Rate Insufficient",
        TotalHeartbeats,
        UniqueAgents,
        Severity = 2


    Agent Heartbeat Latency

    // latency_ms_d is a custom column and must exist in your Heartbeat_CL
    // schema; rename it if your forwarder reports latency under another name.
    Heartbeat_CL
    | where TimeGenerated > ago(1h)
    | extend HeartbeatLatency = todouble(latency_ms_d)
    | summarize 
        AvgLatency = avg(HeartbeatLatency),
        MaxLatency = max(HeartbeatLatency),
        LatencyCount = count()
    | where AvgLatency > 500 or MaxLatency > 1000
    | project 
        AlertTitle = "Agent Heartbeat Latency High",
        AverageLatencyMS = round(AvgLatency, 2),
        MaximumLatencyMS = round(MaxLatency, 2),
        Severity = 1


    Agent Heartbeat Monitor

    // Evaluate silence per agent ("by Computer"): a single global
    // max(TimeGenerated) would be kept current by any one live agent and
    // hide every silent one. The lookback must also be longer than the
    // silence threshold, otherwise an agent quiet for longer than the
    // window drops out of the result set and never triggers the alert.
    Heartbeat_CL
    | where TimeGenerated > ago(1d)
    | summarize 
        LastHeartbeat = max(TimeGenerated),
        HeartbeatCount = count()
        by Computer
    | extend MinutesSinceLastHeartbeat = datetime_diff('minute', now(), LastHeartbeat)
    | where MinutesSinceLastHeartbeat > 10
    | project 
        AlertTitle = "Agent Heartbeat Missing",
        Computer,
        LastHeartbeatTime = LastHeartbeat,
        MinutesSinceLastHeartbeat,
        Severity = 3


    Agent-Health-Alert

    // "Healthy" needs a time-based definition: an agent is healthy if it
    // reported inside HealthyWindow, and the total is every agent seen in
    // the last hour. Comparing two distinct-counts of the same Computer
    // column would always give 100% and the rule would never fire.
    let HealthyWindow = 10m;
    Heartbeat_CL
    | where TimeGenerated > ago(1h)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer
    | summarize 
        TotalAgents = count(),
        HealthyAgents = countif(LastHeartbeat > ago(HealthyWindow))
    | extend HealthPercentage = iff(TotalAgents == 0, 0.0, (HealthyAgents * 100.0) / TotalAgents)
    | where HealthPercentage < 80
    | project 
        AlertTitle = "Agent Health Below Threshold",
        TotalAgents,
        HealthyAgents,
        HealthPercentage = round(HealthPercentage, 2),
        Severity = 2


    Key Considerations:

    • These queries assume you're using the Heartbeat_CL custom log table
    • Adjust time ranges and thresholds based on your specific environment
    • Severity levels are suggested (1-3, with 1 being most critical)
    • Modify column names if they differ in your log schema

    Recommendations:

    • Test these queries in your Log Analytics workspace
    • Validate thresholds against your specific log forwarder environment
    • Consider adding more context or additional filtering as needed
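The following is an added example, not part of the thread above: a small Python model of the four checks run over constructed heartbeat rows, so the threshold logic can be exercised offline before a rule is deployed. The hostnames (fwd-01 to fwd-04) and timestamps are made up; each function mirrors the corresponding KQL clause (`where TimeGenerated > ago(x)`, `summarize ... by Computer`) on a list of `(TimeGenerated, Computer)` tuples standing in for Heartbeat_CL. It also shows why a fleet-wide `max(TimeGenerated)` with no `by Computer` cannot detect a silent agent while any other agent is still reporting.

```python
"""Local model of the Heartbeat_CL analytic rules, run on constructed rows.

Added example, not code from the thread. Hostnames and timestamps are made
up; functions reproduce the KQL semantics in plain Python.
"""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for Heartbeat_CL rows as (TimeGenerated, Computer).
NOW = datetime(2024, 12, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEARTBEATS = [
    (NOW - timedelta(minutes=m), host)
    for host, minutes in {
        "fwd-01": range(0, 60),      # healthy: a heartbeat every minute
        "fwd-02": range(12, 60),     # went quiet 12 minutes ago
        "fwd-03": range(25, 60),     # went quiet 25 minutes ago
        "fwd-04": range(3, 60, 5),   # healthy: a heartbeat every 5 minutes
    }.items()
    for m in minutes
]


def _within(rows, now, window):
    """Rows matching `where TimeGenerated > ago(window)`."""
    cutoff = now - window
    return [(ts, host) for ts, host in rows if ts > cutoff]


def log_rate_insufficient(rows, now, window=timedelta(minutes=5),
                          min_heartbeats=10, min_agents=3):
    """Fleet-wide volume check: (TotalHeartbeats, UniqueAgents, fires).
    Like a KQL summarize with no `by`, an empty window yields 0/0 and fires,
    so a stalled ingestion pipeline is caught as well."""
    recent = _within(rows, now, window)
    total, agents = len(recent), len({host for _, host in recent})
    return total, agents, total < min_heartbeats or agents < min_agents


def last_seen_by_agent(rows, now, lookback):
    """`summarize LastHeartbeat = max(TimeGenerated) by Computer`."""
    last = {}
    for ts, host in _within(rows, now, lookback):
        if host not in last or ts > last[host]:
            last[host] = ts
    return last


def fleet_wide_minutes_silent(rows, now, window=timedelta(minutes=15)):
    """Global max(TimeGenerated) with no `by Computer`: one number for the
    whole fleet, so any single live agent hides every silent one."""
    recent = _within(rows, now, window)
    if not recent:
        return None  # max() of an empty input is null; `> 10` is then false
    return int((now - max(ts for ts, _ in recent)).total_seconds() // 60)


def missing_heartbeat(rows, now, lookback=timedelta(days=1),
                      max_silence_minutes=10):
    """Per-agent version: sorted (Computer, MinutesSinceLastHeartbeat) for
    every agent whose newest heartbeat in the lookback is older than the
    limit. The lookback is deliberately much longer than the limit."""
    silent = []
    for host, ts in last_seen_by_agent(rows, now, lookback).items():
        minutes = int((now - ts).total_seconds() // 60)
        if minutes > max_silence_minutes:
            silent.append((host, minutes))
    return sorted(silent)


def health_percentage(rows, now, lookback=timedelta(hours=1),
                      healthy_window=timedelta(minutes=10)):
    """Healthy = seen inside healthy_window; total = seen inside lookback.
    Returns (TotalAgents, HealthyAgents, HealthPercentage)."""
    last = last_seen_by_agent(rows, now, lookback)
    total = len(last)
    healthy = sum(1 for ts in last.values() if ts > now - healthy_window)
    pct = 0.0 if total == 0 else round(healthy * 100.0 / total, 2)
    return total, healthy, pct


if __name__ == "__main__":
    print("log rate:", log_rate_insufficient(SAMPLE_HEARTBEATS, NOW))
    print("fleet-wide silence (min):",
          fleet_wide_minutes_silent(SAMPLE_HEARTBEATS, NOW))
    print("per-agent missing:", missing_heartbeat(SAMPLE_HEARTBEATS, NOW))
    print("health:", health_percentage(SAMPLE_HEARTBEATS, NOW))
```

On the sample data the fleet-wide check reports 0 minutes of silence because fwd-01 is still reporting, while the per-agent check lists fwd-02 and fwd-03; the health check counts 2 of 4 agents healthy, below the 80% threshold. Swap in a few rows exported from your own workspace to sanity-check thresholds before wiring the query into a scheduled rule.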
