Forum Discussion
Log sources down
You can also use a query like this, which I prefer as it also gives you the pattern (some sources can be up/down or delayed, so you can check a little history)
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "ASA"
| make-series count() default=0 on TimeGenerated from ago(1h) to now() step 15m by Computer
| where count_ [-1] == 0 // look at the last record [-1] and only show events when last data point was equal to zero
| project-away TimeGenerated

This shows me Computers with no data in the past 15mins and also the 3 previous 15min intervals (so I know in my Alert if this is normal or not).
You can see from this screenshot (different use case), the count of logs differs in each 15min bin during the past two hours - showing me servers that are sending low volumes (or could be swapped to high) if you wanted.
If you wanted to take it further when you understand make-series you can also look for anomalies - this example is for Tables, but you can switch to the Cisco source yourself (note 30 or even 90days+ is better to lookback on for this type of query).
union *
| make-series count() default=0 on TimeGenerated from startofday(ago(30d)) to now()-1h step 1d by Type
// only show when last data point equals zero
| where count_ [-1] == 0
| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 2.5, -1, 'linefit', 1, 'ctukey')
| extend Score = score[-1]
| extend expectedEventCounts=baseline[-1], actualEventCount=count_[-1], Score = score[-1], count_
| project Type, round(toreal(Score),2), count_ , anomalies //, baseline
// a high score means that the Table is normally up/sending data so this is more anomalous

So the output of the above is ONLY tables that sent "zero" data in the last bin/interval. The Score column gives me a clue to how anomalous each is, -13 being the highest - you can see from the count_ column it's unusual that that Table sends zero records.
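The two queries above rely on the same mechanics: bin events onto a fixed time grid, fill the bins that received nothing with zero (the `default=0` in make-series), keep only the sources whose last bin is zero, and then judge how unusual that silence is from the earlier bins. The following is an added Python example (not from the post, and not Kusto's own implementation) that reproduces that pipeline offline over a constructed set of log records so you can see why the zero-fill matters and what the "score" is reacting to. The two device names and timestamps are constructed, and `silence_score` is a plain z-score of the last bin against the history, a simplified stand-in for `series_decompose_anomalies`, not the same algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data: (TimeGenerated, Computer) pairs for two hypothetical
# ASA devices over the last hour. asa-1 keeps sending; asa-2 goes quiet at T-20m.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_RECORDS = []
for minutes_ago in range(60, 0, -2):          # asa-1: one event every 2 minutes all hour
    SAMPLE_RECORDS.append((NOW - timedelta(minutes=minutes_ago), "asa-1"))
for minutes_ago in range(60, 20, -2):         # asa-2: stops 20 minutes before NOW
    SAMPLE_RECORDS.append((NOW - timedelta(minutes=minutes_ago), "asa-2"))


def make_series(records, start, end, step):
    """Mimic `make-series count() default=0 on TimeGenerated ... step <step> by Computer`.
    Every key gets the same bin grid; bins with no events stay 0, which is what
    lets a silent source show up at all (a plain summarize would drop it)."""
    n_bins = int((end - start) / step)
    counts = defaultdict(lambda: [0] * n_bins)
    for ts, key in records:
        if start <= ts < end:
            counts[key][int((ts - start) / step)] += 1
    return dict(counts)


def silent_sources(series):
    """Mimic `| where count_[-1] == 0`: keep keys whose most recent bin is empty,
    returning the whole series so the alert carries the recent history."""
    return {key: bins for key, bins in series.items() if bins[-1] == 0}


def silence_score(bins):
    """Simplified stand-in for series_decompose_anomalies (assumption: z-score of
    the last bin against the earlier bins). A large negative score means a source
    that normally sends steadily has gone silent; near 0 means the silence is
    within its usual variation. A perfectly regular history has zero spread, so
    the spread is floored at 1 to keep a drop to zero from scoring 0."""
    history = bins[:-1]
    if len(history) < 2:
        return 0.0
    spread = pstdev(history) or 1.0
    return round((bins[-1] - mean(history)) / spread, 2)


def check_window(records=SAMPLE_RECORDS, hours=1, step_minutes=15, now=NOW):
    """Run the full pipeline for a lookback window: bin, keep silent sources, score them."""
    series = make_series(records, now - timedelta(hours=hours), now, timedelta(minutes=step_minutes))
    return {key: {"bins": bins, "score": silence_score(bins)}
            for key, bins in silent_sources(series).items()}


if __name__ == "__main__":
    for key, result in check_window().items():
        print(key, result["bins"], result["score"])
```

Running it reports only asa-2, with its four 15-minute bins (the last one zero) and a strongly negative score, while asa-1 is not reported at all because its last bin is non-zero. Widening `hours` and `step_minutes` gives the same picture for the 30-day, 1-day-bin variant in the post; the longer the history, the more meaningful the score.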