Forum Discussion
BaselAlfawal
Apr 23, 2024, Copper Contributor
Sending DDoS Alerts into Sentinel and Analytic Rule Error
I am attempting to activate a Sentinel analytic rule for DDoS incidents, specifically the rule named “DDoS Attack IP Addresses - Percent Threshold.” However, during the rule activation process, I e...
Clive_Watson
Apr 24, 2024, Bronze Contributor
Was it these instructions you followed? View Azure DDoS Protection logs in Log Analytics workspace | Microsoft Learn
If the data hasn't shown up yet, from a genuine attack or the simulated test, then you can at least tweak the rule code to handle the missing columns using column_ifexists() - Azure Data Explorer & Real-Time Analytics | Microsoft Learn
AzureDiagnostics
// Keep only DDoS mitigation flow logs emitted for public IP address resources
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
// column_ifexists() returns the column when it exists and the default ('') otherwise,
// so the rule validates even before any DDoS rows have populated these columns
| extend destPublicIpAddress_s = column_ifexists("destPublicIpAddress_s", ''),
         sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", '')
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s
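To check the column_ifexists() approach without waiting for real flow logs, here is an added KQL example (not from this thread, and not the Sentinel rule's own code) that runs against a constructed datatable standing in for AzureDiagnostics in which destPublicIpAddress_s is deliberately absent. The percent-of-flows step at the end is an assumed illustration of the threshold style the rule's name suggests, with an arbitrary 50 percent cut-off; it is not the rule's published logic.

```kql
// Constructed stand-in for AzureDiagnostics: the DDoS flow-log category is present,
// but destPublicIpAddress_s has not been populated yet, so the column does not exist.
let SampleDiagnostics = datatable(TimeGenerated:datetime, ResourceType:string, Category:string, sourcePublicIpAddress_s:string)
[
    datetime(2024-04-23T10:00:00Z), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs", "198.51.100.7",
    datetime(2024-04-23T10:00:05Z), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs", "198.51.100.7",
    datetime(2024-04-23T10:00:09Z), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs", "203.0.113.42",
    datetime(2024-04-23T10:01:00Z), "LOADBALANCERS",     "LoadBalancerProbeHealthStatus", ""
];
// Shared base query: column_ifexists() returns the column when it exists and the
// default ('') otherwise, so this parses and runs whether or not the DDoS columns exist.
let DdosFlows = SampleDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destPublicIpAddress_s   = column_ifexists("destPublicIpAddress_s", ""),
         sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", "");
// Rows per (destination, source) pair, as in the reply above
DdosFlows
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s
// Assumed illustration of a percent threshold (not the rule's published logic):
// share of flow rows each source contributes to a destination, keep those above 50 percent.
| join kind=inner (
    DdosFlows
    | summarize total_rows = count() by destPublicIpAddress_s
  ) on destPublicIpAddress_s
| extend percent_of_flows = round(100.0 * rows_count / total_rows, 1)
| where percent_of_flows > 50.0
| project destPublicIpAddress_s, sourcePublicIpAddress_s, rows_count, total_rows, percent_of_flows
```

On the constructed rows the destination column resolves to '' for every row, so the summarize still succeeds and only 198.51.100.7 (2 of 3 flows, 66.7 percent) passes the illustrative threshold; once real flow logs arrive, the same query groups by the actual destination addresses.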