Forum Discussion
Solved
Alert Creation on Duplicate Event Logs
Hi, I would like to setup a simple analytic rule and trigger an alert on an event with "High Severity" in log analytics table. I will group all events into one alert. Example: Logs_CL | where Cate...
You probably need something based around this (I used the SecurityIncident table as an example). I added a check for Severity which you may need to consider (e.g. if someone has closed the alert yesterday is is it still to be considered today?)
let highSeveritySigninLogsToday = SecurityIncident | where TimeGenerated >= startofday(now()) and Severity == "High" and Status !="Closed"; let highSeveritySigninLogsYesterday = SecurityIncident | where TimeGenerated between (startofday(ago(1d)) .. endofday(ago(1d)) ) and Severity == "High" and Status !="Closed"; highSeveritySigninLogsToday | join kind=rightanti highSeveritySigninLogsYesterday on Title
You probably need something based around this (I used the SecurityIncident table as an example). I added a check for Severity which you may need to consider (e.g. if someone has closed the alert yesterday is is it still to be considered today?)
let highSeveritySigninLogsToday = SecurityIncident
| where TimeGenerated >= startofday(now())
and Severity == "High"
and Status !="Closed";
let highSeveritySigninLogsYesterday = SecurityIncident
| where TimeGenerated between (startofday(ago(1d)) .. endofday(ago(1d)) )
and Severity == "High"
and Status !="Closed";
highSeveritySigninLogsToday
| join kind=rightanti
highSeveritySigninLogsYesterday
on Title