SOLVED

Query for finding computers with % processor time above 50 when a security event is occuring

Copper Contributor

This is my first time working with azure log analytics and I wanted some feedback on if my approach to my data request is correct.

I need computers which have % processor time above 50 which also have a security event both occurring within the last day using the Perf and SecurityEvent tables

This is my approach

Perf
| join (SecurityEvent) on Computer
| where TimeGenerated < ago(24h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 50

 

Do you think I am on the right track?

5 Replies

the problem is you're averaging processor time over the whole time range (24h).  did you want to know the average processor time in some time window around when the security event occurred?

 

 

I see what you saying. Yes, I was looking to get results for only computers that had average % processor time above 50 when there is also a security event occuring. But i'm still wondering how I would go about doing that.

best response confirmed by Khushal Jobanputra (Copper Contributor)
Solution

Hi,

I think what you are trying to achieve is the query below:

 

let ComputersWithSecurityEvents = SecurityEvent
| where TimeGenerated > ago(24h) | distinct Computer;
Perf
| where Computer in (ComputersWithSecurityEvents)
| where TimeGenerated > ago(24h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 50

Let me know if this is what you wanted to achieve. I've put the Computers with security events into separate table and I am only taking the Computer Names from there and I match them to the performance query. I've also corrected your time window as you were using < instead of >. With this query it will get the data for the last 24 hours from both performance and security.

Thank you so much Stanislav and Patrick. This is exactly what I was looking for. This really helps.

Stanislav's solution still only shows computers that have an average percent processor time > 50% over the whole 24 hour period. If you are interested in computers that had high cpu usage around the time of the security event itself, you'll need to bin the two time streams and join on the timestamp.

let binSize = 1h;
SecurityEvent
| where TimeGenerated > ago(24h)
| project Computer, bin(TimeGenerated, binSize)
| join (
Perf
| where TimeGenerated > ago(24h)
and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize PercentProcessorTime = avg(CounterValue) by Computer, bin(TimeGenerated, binSize)
) on Computer, TimeGenerated
1 best response

Accepted Solutions
best response confirmed by Khushal Jobanputra (Copper Contributor)
Solution

Hi,

I think what you are trying to achieve is the query below:

 

let ComputersWithSecurityEvents = SecurityEvent
| where TimeGenerated > ago(24h) | distinct Computer;
Perf
| where Computer in (ComputersWithSecurityEvents)
| where TimeGenerated > ago(24h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 50

Let me know if this is what you wanted to achieve. I've put the Computers with security events into separate table and I am only taking the Computer Names from there and I match them to the performance query. I've also corrected your time window as you were using < instead of >. With this query it will get the data for the last 24 hours from both performance and security.

View solution in original post