Forum Discussion
Help with a query to count
Trying to create a query that will count all of the diffrent ruleid's over the past week but having a hard time. Any help appreciated. Thanks!
Thanks so much Clive, that worked like a charm.
Is it possible to create an alert in log analytics whenever the count for a particular WAF rule being triggered exceeds a certain threshold in a given time frame?
i.e. if the count for "AWSManagedRulesAnonymousIpList" was typically 1000 in an hour and spiked to 15000, how can I alert on this?
AWSCloudTrail
| where TimeGenerated > ago(1h)
//| summarize count() by EventSource
| count
| where Count > 1000or
AWSCloudTrail
| where TimeGenerated > ago(1d)
| summarize countPerHour=count() by EventSource, bin(TimeGenerated,1h)
| where countPerHour > 1000
- Thanks Clive, could you explain the difference bewteen the 2 here? How would I apply this to a specific ruleid?