Forum Discussion
miguelfac
Jun 21, 2023, Copper Contributor
Data Connector - Analytics Rule
Hi everyone, I want to have an analytic rule / automation rule so that every time a certain connector (e.g. some firewall connector) is down, I receive an alert in Sentinel. I've been searching f...
- Jun 21, 2023
There are lots of scenarios for this. The most common solution is to monitor for a time delay, so if there is no data in, say, 15 mins then it's probably down. However, it could just as easily not have sent any data in that period, so you may also have to check back to the same period the day or week before to see if it's uncommon. You may need different thresholds for each connector/table, so a watchlist can help.
Anomaly detection can help here as well: look at series_decompose_anomalies(). However, in a rule you are limited to a 14-day lookback, which isn't often enough to detect seasonal patterns.
If the data is from Syslog/CommonSecurityLog, you may actually want to monitor the log collector server(s) using the Heartbeat table, so if, for example, one server out of 4 fails you still have 75% online capacity; if you just monitored the connector/table then all 4 would have to fail (or not send data).
There are some basic examples in the Queries pane for Heartbeat.
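The collector-side check described in the reply above, written out as an added example (it is not part of the original reply). It assumes four CEF/Syslog forwarders with the placeholder names cef-collector-01 to cef-collector-04, treats a collector as offline when the Heartbeat table has not seen it for 15 minutes, and returns a single row only when the online share drops below 75%, so a scheduled rule with trigger "greater than 0" fires on it.

```kusto
// Added example, not from the thread. Alert on lost collector capacity instead of a quiet table:
// with four forwarders, one failure leaves 75% online, which this query tolerates; two do not.
// Assumptions: the collector names are placeholders; 15m and 75% are example thresholds.
let Collectors = dynamic(["cef-collector-01", "cef-collector-02", "cef-collector-03", "cef-collector-04"]);
let MaxSilence = 15m;
let MinOnlinePercent = 75.0;
// One row per expected collector, so a host that never sent a heartbeat still counts as offline.
let Expected = print Computer = Collectors | mv-expand Computer to typeof(string);
Expected
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(1d)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer
  ) on Computer
// A null LastHeartbeat (no heartbeat in the last day) must count as offline, hence the coalesce.
| extend Online = coalesce(LastHeartbeat > ago(MaxSilence), false)
| summarize
    Total = count(),
    OnlineCount = countif(Online),
    OfflineCollectors = make_set_if(Computer, not(Online))
| extend OnlinePercent = 100.0 * OnlineCount / Total
// Rule settings that fit: queryFrequency 15m, queryPeriod 1d, triggerOperator GreaterThan, threshold 0.
| where OnlinePercent < MinOnlinePercent
| project OnlinePercent, OnlineCount, Total, OfflineCollectors
```

Starting from the expected list rather than from Heartbeat is what makes a fully silent host visible: a summarize over Heartbeat alone would simply have no row for it.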
miguelfac
Jun 27, 2023, Copper Contributor
Kaaamil, not quite like that, still trying to figure it out...
I'm using this query:
let Now = now();
let queryResult =
    // one zero row per 4h step, so the result is never empty
    range TimeGenerated from (Now - 1d) to (Now - 4h) step 4h
    | extend Count = 0
    // actual event counts for the connector, in 8h bins
    | union isfuzzy=true (
        CommonSecurityLog
        | where DeviceVendor == "connector_name_here"
        | summarize Count = count() by bin(TimeGenerated, 8h)
    )
    // a second set of zero rows, on the 8h grid
    | union (
        range x from (Now - 1d) to (Now - 4h) step 8h
        | project TimeGenerated = x, Count = 0
    )
    // max() keeps the real count where there was one, 0 otherwise
    | summarize Count = max(Count) by bin(TimeGenerated, 8h)
    | sort by TimeGenerated
    | project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "connector_name_here";
queryResult
Trying something like this, with the alert threshold "is equal to 0".
But it isn't working: I have the connector returning me 0 values and it doesn't open an alert.
Kaaamil
Jun 27, 2023, Copper Contributor
Try this one - very basic but does the work 🙂
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c6e05a5-26ad-49ae-9cd6-a3e0f9df305b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c6e05a5-26ad-49ae-9cd6-a3e0f9df305b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "No logs from CommonSecuritylog from last 1 hour",
        "description": "Rule triggers when Sentinel doesn't receive commonsecurity logs",
        "severity": "High",
        "enabled": true,
        "query": "CommonSecurityLog\r\n|summarize Events = count()\r\n|where Events ==0",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "startTimeUtc": null,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": null,
        "customDetails": null,
        "entityMappings": null,
        "sentinelEntitiesMappings": null,
        "templateVersion": null
      }
    }
  ]
}
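The template above watches the whole CommonSecurityLog table; the query below, an added example that is not from the thread or from either poster, narrows it to one connector (DeviceVendor) and also carries out the two suggestions from the first reply: per-connector thresholds from a watchlist, and a check that the same window a week ago was not empty too. It relies on the same property of a scheduled rule that the template does: the threshold is compared with the number of rows the query returns, so the query must produce rows only when something is wrong (one row per silent vendor here). Assumed names: a watchlist called ConnectorThresholds whose SearchKey column holds the DeviceVendor value and whose MaxSilenceMinutes column holds the allowed gap in minutes.

```kusto
// Added example, not from the thread. Per-connector silence check keyed on DeviceVendor,
// with thresholds in a watchlist and a "was it also quiet this time last week?" guard.
// Assumptions: watchlist 'ConnectorThresholds' with columns SearchKey (= DeviceVendor)
// and MaxSilenceMinutes. Rule settings that fit: queryPeriod 8d (so the week-ago window
// is in scope; the rule maximum is 14d), queryFrequency 15m, triggerOperator GreaterThan, threshold 0.
let Thresholds = _GetWatchlist('ConnectorThresholds')
    | project DeviceVendor = tostring(SearchKey), MaxSilenceMinutes = toint(MaxSilenceMinutes);
let Activity = CommonSecurityLog
    | where TimeGenerated > ago(8d)
    | project DeviceVendor, TimeGenerated
    | lookup kind=inner Thresholds on DeviceVendor   // keep only vendors that have a threshold
    | summarize
        CurrentWindow = countif(TimeGenerated > now() - MaxSilenceMinutes * 1m),
        WeekAgoWindow = countif(TimeGenerated between ((now() - 7d - MaxSilenceMinutes * 1m) .. (now() - 7d))),
        LastSeen = max(TimeGenerated)
      by DeviceVendor;
// Start from the watchlist so a vendor with no rows at all in 8 days still produces a row;
// a summarize ... by DeviceVendor over empty input yields nothing for it.
Thresholds
| join kind=leftouter Activity on DeviceVendor
| extend CurrentWindow = coalesce(CurrentWindow, 0), WeekAgoWindow = coalesce(WeekAgoWindow, 0)
// Fire only when the current window is empty but the same window a week ago was not,
// so a window that is normally empty (maintenance slot, weekend) does not alert.
| where CurrentWindow == 0 and WeekAgoWindow > 0
| project DeviceVendor, MaxSilenceMinutes, LastSeen, WeekAgoWindow
```

To watch whole tables rather than vendors, replace the CommonSecurityLog source with `union withsource=SourceTable` over the tables of interest and key the watchlist on the table name; the rest of the query stays the same.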
- miguelfac
Jul 03, 2023, Copper Contributor
Sorry for the late response, I have been out for a couple of days.
Do I need to put this query in the analytics rule? With the same threshold settings?
- Kaaamil
Jul 03, 2023, Copper Contributor
It's a ready template; try to import it as a new rule (modify the table if it's different) and check if it works.
- miguelfac
Jul 03, 2023, Copper Contributor
I'm still not getting it 😧 I don't think it's working, at least I'm not receiving anything in Sentinel, with that connector returning me 0 values. Or didn't I deploy it correctly?