Tony555
Oct 07, 2021, Copper Contributor
How to show amount of query results as entity on incident created in Azure Sentinel
Hi,
I need to do a simple monitoring on the amount of event logs from our SQL databases to our log analytics space.
The query looks like this
SQLEvent
| where TimeGenerated > ago(15min)
Then I'm configuring Alert Threshold to trigger an incident if the amount of query result is fewer than 500.
I would like to use Entity mapping to map the query number result so I quickly can see the number without the need of running the query manually.
Is this possible to create?
Regards,
Tony
- CliveWatson, Microsoft
I'd actually do this another way (but you can choose):
1. First, if you just need a count, only return that data, like in this example: SQLEvent | count. The rule can also define the lookback and schedule time as 15 mins for both.
2. You can use the Alert Details feature to display the count from step 1 in the Alert name - see the Alert Name format example below. In my example the returned column was "Count", so I put that in double curly braces: {{ Count }}
Now I get an Alert title that includes the number/count from {{ Count }}, so I see this without needing to go into an entity or even open the Incident.
- Tony555, Copper Contributor
Thank you!
This was a better suggestion for how to handle this!
Regards
- Tony555, Copper Contributor
Hi CliveWatson
I just realized that with this rule logic I will have incidents created every time the analytics rule is executed, since " | count" will always be equal to 1.
My intention is that I want an incident to be created if the count is lower than a specific number (500 or something).
Is there any way to still keep "{{ count }}" in the incident name by doing some magic on the rule itself?
Regards
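The rule query that keeps the count in the alert title while only firing below the threshold, as an added example that is not part of the original thread. The SQLEvent table, the 15-minute window and the 500 threshold are taken from the question; the alert name text is an assumption.

```kql
// Added example (not from the thread): move the threshold into the rule query
// so the scheduled analytics rule returns one row only when the 15-minute
// SQLEvent volume is below the expected floor (500, from the question).
SQLEvent
| where TimeGenerated > ago(15min)
| count                      // always one row, column "Count" (Count = 0 when there are no events)
| where Count < 500          // keep the row only when volume is below the threshold
```

With this query the rule's alert threshold can stay at "number of results is greater than 0", with both the lookback and the run frequency set to 15 minutes; an alert name format such as "Low SQL event volume: {{ Count }} events in last 15 min" (assumed wording) then still carries the number into the incident title, as described earlier in the thread. Because `count` emits a row with Count = 0 even when no SQLEvent records arrived at all, a complete stop in log ingestion also trips the rule, which is the case a volume monitor most needs to catch.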