Forum Discussion

LewisRussell
Copper Contributor
Jan 14, 2023

Being notified when authentication is successful

Hi everyone,

I am trying to set up Azure to notify me when somebody successfully logs into my VM.

So far I have a Log Analytics workspace connected to the VM and I can run queries like: Syslog | where ProcessName == "sshd" | where SyslogMessage contains "Accepted"

But the button to create a new alert is greyed out.

Also, any general guidance on whether I am going about this the right way is greatly appreciated.

Regards,

Lewis

  • LewisRussell
    Copper Contributor
    Okay, I've created an alert rule and an alert processing rule now, set to always for the action group.
    When I test the action group the email sends, but it is like the alert rule is not being processed and/or not firing.
    Here is the KQL for the alert rule:
    Syslog
    | where ProcessName == "sshd"
    | where SyslogMessage contains "Accepted"
    | where EventTime between (ago(1h) .. now())
    | count

    When I run the query, it returns a count greater than 1, and the alert rule trigger is set to greater than or equal to 1.

    The condition name is "Whenever the Total of Custom log search is greater than or equal to 1"
    and the measure is set to "Count"

    Not sure yet how to get it working from here.
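
A query shape that works well as the basis of a log search alert rule for successful SSH logins, added here as an example (it is not the poster's query). It assumes the standard Azure Monitor Syslog table columns (TimeGenerated, Computer, ProcessName, SyslogMessage) and the stock OpenSSH message format "Accepted <method> for <user> from <ip> port <port> ssh2". A log search alert rule evaluates the number of rows the query returns over the rule's own lookback window, so the query below deliberately returns one row per login rather than a single | count row, and it carries no time filter of its own; the parsed fields also give the alert email something useful to show (who, how, from where).

```kusto
// Added example, not the original poster's query: one row per accepted SSH login.
// Assumes the standard Syslog table columns and the stock OpenSSH "Accepted ..." message.
Syslog
| where ProcessName == "sshd"
// 'has' matches the whole word "Accepted" and uses the word index, unlike 'contains'
| where SyslogMessage has "Accepted"
// Pull out the auth method, user, source IP and port; unparseable lines leave these empty
| parse SyslogMessage with * "Accepted " AuthMethod " for " LoginUser " from " SourceIP " port " SourcePort:int " ssh2" *
| project TimeGenerated, Computer, LoginUser, AuthMethod, SourceIP, SourcePort
// No explicit time filter: the alert rule applies its own lookback window on top of this query
```

With this query, an alert rule using the "Table rows" / count measure and a threshold of "greater than or equal to 1" fires whenever at least one login row falls inside the evaluation window, and the count it reports equals the number of logins. Running the same query interactively in Log Analytics first is the quickest way to confirm the parse fields are populated for the distribution's actual sshd message text.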
