LewisRussell (Copper Contributor)
Jan 14, 2023
Being notified when authentication is successful
Hi everyone,
I am trying to set up Azure to notify me when somebody successfully logs into my VM.
So far I have a Log Analytics workspace connected to the VM and I can run queries like: Syslog | where ProcessName == "sshd" | where SyslogMessage contains "Accepted "
But the button to create a new alert is greyed out.
Also, any general guidance if I am going about this the right way is greatly appreciated.
Regards,
Lewis
- LewisRussell (Copper Contributor)
Okay, I've created an alert rule and alert processing rule now, set to always for the action group.
When I test the action group the email sends, but it is like the alert rule is not being processed and/or not firing.
Here is the KQL for the alert rule:
Syslog
| where ProcessName == "sshd"
| where SyslogMessage contains "Accepted"
| where EventTime between (ago(1h) .. now())
| count
When I run the query, it returns a count greater than 1, and the alert rule trigger is set to greater than or equal to 1.
The condition name is "Whenever the Total of Custom log search is greater than or equal to 1" and the measure is set to "Count".
Not sure yet how to get it working from here.
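
An added example, not part of the original thread: a KQL query that turns each sshd "Accepted" line into one row carrying the user, source address and authentication method, which is the detail a login notification usually needs. The `SampleSyslog` table and its rows are constructed for illustration, and the query assumes the standard OpenSSH message layout "Accepted <method> for <user> from <ip> port <n> ...".

```kusto
// Constructed sample rows standing in for the Syslog table (not real data).
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string,
                             ProcessName:string, SyslogMessage:string)
[
    datetime(2023-01-14 09:00:01), "vm-demo", "sshd",
        "Accepted publickey for alice from 203.0.113.5 port 50022 ssh2: RSA SHA256:EXAMPLE",
    datetime(2023-01-14 09:05:12), "vm-demo", "sshd",
        "Accepted password for bob from 198.51.100.7 port 41234 ssh2",
    datetime(2023-01-14 09:06:40), "vm-demo", "sshd",
        "Failed password for root from 192.0.2.9 port 55555 ssh2",
    datetime(2023-01-14 09:07:03), "vm-demo", "sshd",
        "Connection closed by authenticating user bob 198.51.100.7 port 41240 [preauth]",
    datetime(2023-01-14 09:08:00), "vm-demo", "cron",
        "Accepted job list for alice"
];
SampleSyslog   // in a workspace, query the Syslog table here instead
// Only the SSH daemon; the cron row above is ignored even though it says "Accepted".
| where ProcessName == "sshd"
// Anchor on the start of the message so lines that merely contain the word are skipped.
| where SyslogMessage startswith "Accepted "
// Split the message into typed columns; rows that do not fit the layout get empty values.
| parse SyslogMessage with "Accepted " AuthMethod " for " User
                           " from " SourceIp " port " SourcePort:int " " *
| where isnotempty(User) and isnotempty(SourceIp)
// One row per successful login, with the fields worth putting in the notification.
| project TimeGenerated, Computer, User, SourceIp, SourcePort, AuthMethod
| order by TimeGenerated asc
```

Because this query returns one row per login rather than a single count, an alert rule built on it would measure the number of result rows instead of a "Count" column.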