Forum Discussion
KQL; Failed to save analytic rule; The request timed out; series-outliers() ; NSG logs via Syslog
- Jul 14, 2020
jjsantanna It looks like it was a 'hiccup' from Azure or Sentinel or Log Analytics. I was not able to debug.
jjsantanna : just to confirm - were you able to save the rule? If not, it might have timed out. Can you post a few sample events so that we can try to help optimize the query?
Ofer_Shezaf thanks for getting back! Yes, I was able to save the query. Then, I 'closed the message.' I must say that it was the first time that I've received a "timeout." I really don't know what I could have done differently. The main point is that to use "series_outliers()" we need to create a timeseries; and to filter the scores higher than 1,5 (output of series_outliers()) we need to convert the timeseries back to tabular with mv-expand. I've tried multiple ways to optimize the query but I was unsuccessful.
| make-series TotalBytesSent=sum(toint(BytesSent)) on TimeGenerated from lookback to now() step timebin by SourceIP // make a series per SourceIP covering the full time window (lookback and timebin are defined earlier in the query)
| extend outlier_scores = series_outliers(TotalBytesSent) // evaluate the outliers considering TotalBytesSent (aggregated per timebin per SourceIP)
| mv-expand TimeGenerated to typeof(datetime), TotalBytesSent to typeof(double), outlier_scores to typeof(double) // expand the series back to one row per bin for better visualization and extraction of outliers
- Ofer_Shezaf (Microsoft) Jul 21, 2020
jjsantanna : while series analysis is intensive in nature, it is not itself a blocker. The trick is usually to prepare the data in the most efficient manner. As said, to try to look into this, I would need a sample of events to work with.
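The make-series / series_outliers / mv-expand pattern from jjsantanna's post and Ofer_Shezaf's advice to trim the input before the series step, put together as an added, self-contained example (not code from either poster): the `SampleFlows` datatable, the IPs and byte counts, and the `lookback_end` name are constructed for illustration and stand in for the real NSG/Syslog table.

```kusto
// Constructed sample of NSG-flow-style events (not real data). In a workspace
// this would be the parsed Syslog/NSG flow table the original query pipes in.
let SampleFlows = datatable(TimeGenerated:datetime, SourceIP:string, BytesSent:string) [
    datetime(2020-07-14 00:10), "10.0.0.5", "1200",
    datetime(2020-07-14 01:10), "10.0.0.5", "1100",
    datetime(2020-07-14 02:10), "10.0.0.5", "1300",
    datetime(2020-07-14 03:10), "10.0.0.5", "950000",   // constructed spike for this host
    datetime(2020-07-14 04:10), "10.0.0.5", "1250",
    datetime(2020-07-14 00:20), "10.0.0.9", "800",
    datetime(2020-07-14 01:20), "10.0.0.9", "820",
    datetime(2020-07-14 02:20), "10.0.0.9", "790",
    datetime(2020-07-14 03:20), "10.0.0.9", "810",
    datetime(2020-07-14 04:20), "10.0.0.9", "805",
];
let timebin = 1h;
let lookback = datetime(2020-07-14 00:00);      // fixed window so the sample is reproducible
let lookback_end = datetime(2020-07-14 05:00);  // replace with now() against live data
SampleFlows
// Prepare the data first: restrict rows and columns before the expensive series step
| where TimeGenerated between (lookback .. lookback_end)
| project TimeGenerated, SourceIP, BytesSent
// One series per SourceIP over the full window; empty bins become 0 so every series has equal length
| make-series TotalBytesSent = sum(toint(BytesSent)) default = 0
    on TimeGenerated from lookback to lookback_end step timebin by SourceIP
// Score each point of each series; |score| > 1.5 is the threshold used in the thread
| extend outlier_scores = series_outliers(TotalBytesSent)
// Back to one row per (SourceIP, bin) so the scores can be filtered and charted
| mv-expand TimeGenerated to typeof(datetime), TotalBytesSent to typeof(double), outlier_scores to typeof(double)
| where abs(outlier_scores) > 1.5
| project TimeGenerated, SourceIP, TotalBytesSent, outlier_scores
| order by outlier_scores desc
```

With the constructed rows only the 03:00 bin for 10.0.0.5 should survive the filter; the 10.0.0.9 series is flat and produces no outlier rows.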