Forum Discussion
Query for finding computers with % processor time above 50 when a security event is occurring
- Aug 09, 2018
Hi,
I think what you are trying to achieve is the query below:
let ComputersWithSecurityEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| distinct Computer;
Perf
| where Computer in (ComputersWithSecurityEvents)
| where TimeGenerated > ago(24h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 50
Let me know if this is what you wanted to achieve. I've put the computers with security events into a separate table, and I am only taking the computer names from there and matching them to the performance query. I've also corrected your time window, as you were using < instead of >. With this query, it will get the data for the last 24 hours from both performance and security.
I see what you're saying. Yes, I was looking to get results for only computers that had average % processor time above 50 when there is also a security event occurring. But I'm still wondering how I would go about doing that.
- Khushal Jobanputra, Aug 09, 2018, Copper Contributor
Thank you so much Stanislav and Patrick. This is exactly what I was looking for. This really helps.
- Patrick Naughton, Aug 14, 2018, Brass Contributor
Stanislav's solution still only shows computers that have an average percent processor time > 50% over the whole 24-hour period. If you are interested in computers that had high CPU usage around the time of the security event itself, you'll need to bin the two time streams and join on the timestamp.
let binSize = 1h;
// Left side: one row per computer and hour bin that contains a security event.
// The bin expression must be named TimeGenerated, otherwise project emits an
// auto-named column and the join key below does not exist on the left side.
SecurityEvent
| where TimeGenerated > ago(24h)
| project Computer, TimeGenerated = bin(TimeGenerated, binSize)
| distinct Computer, TimeGenerated
| join (
    // Right side: average total CPU per computer and hour bin.
    Perf
    | where TimeGenerated > ago(24h)
        and CounterName == "% Processor Time" and InstanceName == "_Total"
    | summarize PercentProcessorTime = avg(CounterValue) by Computer, bin(TimeGenerated, binSize)
) on Computer, TimeGenerated
// Keep only the bins where CPU was high, using the threshold from the question.
| where PercentProcessorTime > 50
| project Computer, TimeGenerated, PercentProcessorTime
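As an added illustration, not code from the thread, here are the two approaches discussed above written in Python over constructed SecurityEvent and Perf rows, so you can see how the whole-window average and the binned join disagree on the same data. The function names, host names and sample values are my own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
T0 = datetime(2018, 8, 14)  # start of the constructed 24h window
# Constructed sample rows (not real telemetry) with only the columns the queries use:
# SecurityEvent -> (TimeGenerated, Computer); Perf -> (TimeGenerated, Computer, CounterName, InstanceName, CounterValue).
SECURITY_EVENTS = [
    (T0 + 3 * HOUR + timedelta(minutes=10), "web01"),
    (T0 + 3 * HOUR + timedelta(minutes=40), "web01"),  # second event, same hour
    (T0 + 9 * HOUR + timedelta(minutes=5), "db01"),
]
PERF = [
    (T0 + 3 * HOUR + timedelta(minutes=15), "web01", "% Processor Time", "_Total", 90.0),
    (T0 + 3 * HOUR + timedelta(minutes=45), "web01", "% Processor Time", "_Total", 80.0),
    (T0 + 20 * HOUR, "web01", "% Processor Time", "_Total", 5.0),
    (T0 + 20 * HOUR + timedelta(minutes=30), "web01", "% Processor Time", "_Total", 5.0),
    (T0 + 9 * HOUR, "db01", "% Processor Time", "_Total", 20.0),
    (T0 + 15 * HOUR, "db01", "% Processor Time", "_Total", 95.0),
    (T0 + 15 * HOUR, "db01", "% Processor Time", "0", 99.0),  # per-core row, filtered out
]

def total_cpu(perf):
    """Same filter as both queries: only the _Total instance of % Processor Time."""
    return [(t, c, v) for t, c, name, inst, v in perf
            if name == "% Processor Time" and inst == "_Total"]

def whole_window_average(security, perf, threshold=50.0):
    """Stanislav's query: any security event in the window, and average CPU over the
    whole window above the threshold. Returns {Computer: AggregatedValue}."""
    with_events = {c for _, c in security}
    samples = defaultdict(list)
    for _, c, v in total_cpu(perf):
        if c in with_events:
            samples[c].append(v)
    return {c: sum(v) / len(v) for c, v in samples.items() if sum(v) / len(v) > threshold}

def bin_of(t, bin_size):
    """Floor a timestamp to its bin, like KQL's bin(TimeGenerated, binSize)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((t - epoch) // bin_size) * bin_size

def binned_join(security, perf, bin_size=HOUR, threshold=50.0):
    """Patrick's query: average CPU per (Computer, bin), kept only for bins in which
    that computer also logged a security event. Returns {(Computer, bin): avg}."""
    event_bins = {(c, bin_of(t, bin_size)) for t, c in security}  # distinct join keys
    per_bin = defaultdict(list)
    for t, c, v in total_cpu(perf):
        per_bin[(c, bin_of(t, bin_size))].append(v)
    return {k: sum(v) / len(v) for k, v in per_bin.items() if k in event_bins and sum(v) / len(v) > threshold}
```

On this data the whole-window average flags db01 (57.5% over the day, although it was at 20% during its event hour) and misses web01, while the binned join flags only web01 in the 03:00 bin where its events and 85% CPU coincide.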