Forum Discussion

tkeller's avatar
tkeller
Copper Contributor
Dec 03, 2019
Solved

Expanding Alert Log Search Query

Hello - We have an alert setup that does the following: W3CIISLog | where Computer == "W9" or Computer == "W10" | summarize Hits=count() by cIP | where Hits >= 600 | where cIP !startswith "10.0...
Azure Alert Logs Query
azure monitor
  • hspinto's avatar
    hspinto
    Dec 05, 2019

    Glad I am helping, tkeller.

     

    Regarding the low threshold, I am not sure I understood what you meant, but:

     

    [I am also structuring the query better]

     

    1) If you want to exclude hits/URLs counts less than 50

     

    W3CIISLog
    | where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
    | summarize Hits=count() by cIP
    | where Hits >= 600

    join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

    project cIP, Hits, csUriStem, UriHits
    | where Hits > 50 and UriHits > 50
    order by Hits desc, UriHits desc
     

    2) If you want just the topmost 50 cIP:

     

    W3CIISLog
    | where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
    | summarize Hits=count() by cIP
    | where Hits >= 600

    | order by Hits desc

    | limit 50
    join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

    project cIP, Hits, csUriStem, UriHits
    order by Hits desc, UriHits desc
    // I don't think we can limit here further for UriHits results
     

     

hspinto's avatar
hspinto
Icon for Microsoft rankMicrosoft
Dec 03, 2019

tkeller, something like this?

 

W3CIISLog
| where Computer == "W9" or Computer == "W10"
| summarize Hits=count() by cIP
| where Hits >= 600
| where cIP !startswith "10.0"

| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

| project cIP, Hits, csUriStem, UriHits
| order by Hits desc, UriHits desc
 
tkeller's avatar
tkeller
Copper Contributor
Dec 03, 2019

hspintowill check this out tomorrow, thanks for the reply (y)

Resources