Forum Discussion
Data Connector - Analytics Rule
- Jun 21, 2023
There are lots of scenarios for this. The most common solution is to monitor for a time delay - so if there is no data in, say, 15 mins then it's probably down. However it could just as easily not have sent any data in that period, so you may also have to check back to the same period the day or week before to see if it's uncommon. You may need different thresholds for each connector/table - so a watchlist can help.
Anomaly detection can help here as well - look at series_decompose_anomalies(); however, in a rule you are limited to a 14-day lookback, which isn't often enough to detect seasonal patterns.
If the data is from Syslog/CommonSecurityLog, you may actually want to monitor the log collector server(s) using the Heartbeat table, so if for example one server fails out of 4 you still have 75% online capacity - if you just monitored the connector/table then all 4 have to fail (or not send data).
There are some basic examples in the Queries pane for Heartbeat.
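One way to build the check this reply describes (the current window compared with the same window a week earlier, with per-table thresholds taken from a watchlist), as an added KQL example that is not from this thread; the watchlist name ConnectorThresholds and its columns TableName and MinEvents are assumptions, and only the tables listed in the union are covered:

```kql
// Added example, not code from the thread. Assumes a watchlist named
// ConnectorThresholds (hypothetical) with columns TableName and MinEvents,
// where MinEvents is the minimum event count expected per 30-minute window.
let window = 30m;
let thresholds = _GetWatchlist('ConnectorThresholds')
    | project TableName = tostring(TableName), MinEvents = toint(MinEvents);
// Count events per table inside an arbitrary time window. Tables must be
// listed here explicitly; a table that produced nothing yields no row.
let countWindow = (startTime: datetime, endTime: datetime) {
    union withsource = TableName CommonSecurityLog, Syslog, SecurityEvent
    | where TimeGenerated between (startTime .. endTime)
    | summarize Events = count() by TableName
};
let current = countWindow(ago(window), now());
// The same window one week earlier, to tell a real gap from a period that is
// normally quiet (for example a connector that is idle every weekend).
let lastWeek = countWindow(ago(7d + window), ago(7d))
    | project TableName, EventsLastWeek = Events;
thresholds
// Start from the watchlist so tables with zero events are not dropped.
| join kind=leftouter (current) on TableName
| join kind=leftouter (lastWeek) on TableName
| extend Events = coalesce(Events, 0), EventsLastWeek = coalesce(EventsLastWeek, 0)
// Alert only when volume is below the threshold now but was normal a week ago.
| where Events < MinEvents and EventsLastWeek >= MinEvents
| project TableName, Events, EventsLastWeek, MinEvents
```

For the week-ago comparison the scheduled rule's lookback must cover at least 8 days (the 14-day limit mentioned above still applies), and each row returned is one table to raise an incident for.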
Do I need to put this query in the analytics rule? With the same threshold settings?
- miguelfac, Jul 07, 2023, Copper Contributor
Alright, I just imported it. I'll test if it checks whether my connector (for example the Checkpoint one) gets 0 values and generates an alert for me.
For this I can just test it by turning rsyslog off for a few hours.
- Kaaamil, Jul 07, 2023, Copper Contributor
You can import a JSON file:
Import and export Microsoft Sentinel analytics rules | Microsoft Learn
Let me explain this logic more.
I want to check if the CommonSecurityLog table doesn't have logs:

    CommonSecurityLog
    | summarize Events = count()
    | where Events == 0

If the query returns no results it means that CommonSecurityLog is not empty for the last X amount of time.
Look how many log entries I have for the last 30 minutes:
So let's check if we have 0 logs for the last 30 minutes:
Events == 0 is false, so it won't be triggered. If it were true it would mean no logs for the last 30 minutes and would trigger an incident 🙂
- miguelfac, Jul 03, 2023, Copper Contributor
I'm still not getting it 😧 I don't think it's working, at least I'm not receiving anything in Sentinel with that connector returning me 0 values. Or did I not deploy it correctly?