Forum Discussion
gsingh_
Apr 22, 2024 | Copper Contributor
Alert Creation on Duplicate Event Logs
Hi, I would like to set up a simple analytic rule and trigger an alert on an event with "High Severity" in a Log Analytics table. I will group all events into one alert. Example: Logs_CL | where Cate...
- Apr 22, 2024
You probably need something based around this (I used the SecurityIncident table as an example). I added a check for Severity which you may need to consider (e.g. if someone has closed the alert yesterday, is it still to be considered today?)

let highSeveritySigninLogsToday = SecurityIncident
    | where TimeGenerated >= startofday(now())
    | where Severity == "High" and Status != "Closed";
let highSeveritySigninLogsYesterday = SecurityIncident
    | where TimeGenerated between (startofday(ago(1d)) .. endofday(ago(1d)))
    | where Severity == "High" and Status != "Closed";
// rightanti keeps the rows of the right-hand input (yesterday) whose Title has no match in today's rows
highSeveritySigninLogsToday
| join kind=rightanti highSeveritySigninLogsYesterday on Title
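The same day-over-day comparison applied to the asker's custom Logs_CL table, added here as an example rather than code from the thread. The column names Category_s, Severity_s and EventId_s are assumptions; this variant uses leftanti so the result is today's high-severity events that were not already seen yesterday, collapsed into one summary row so the analytic rule raises a single alert.

```kql
// Assumed columns on Logs_CL (not from the thread): Category_s, Severity_s, EventId_s
// EventId_s is the key used to decide whether an event is a repeat of yesterday's
let lookback = 1d;
// High-severity events that arrived since midnight today
let highToday = Logs_CL
    | where TimeGenerated >= startofday(now())
    | where Severity_s == "High";
// Keys of high-severity events from the previous calendar day
let seenYesterday = Logs_CL
    | where TimeGenerated between (startofday(ago(lookback)) .. startofday(now()))
    | where Severity_s == "High"
    | distinct EventId_s;
highToday
// leftanti keeps today's rows whose EventId_s has no match in yesterday's set
| join kind=leftanti seenYesterday on EventId_s
// One output row per severity, so the rule groups every new event into one alert
| summarize
    EventCount = count(),
    Categories = make_set(Category_s),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Severity_s
```

If the rule runs more than once a day, widen the lookback window to cover the rule's own schedule, otherwise events first seen earlier today will be re-alerted on each run.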
jasonmarkford
Apr 22, 2024 | Copper Contributor
marks4sure's AZ-104 PDFs were my lifesaver. Combined with the testing engine, I aced my certification exam confidently!