Latest Discussions
Azure Devops to Workbook visualization
Hi team, please help us on enabling the Azure DevOps pipeline jobs status, log and relevant dashboard to integrate in Azure Workbook view rather than checking from the Azure DevOps portal. Please share the procedure, documentation link on performing this activity. Thanks!
Seshadrr (Iron Contributor), Dec 31, 2025 | 320 Views | 1 like | 1 Comment

KQL Query to summarize session counts over time
Hello folks, I'm trying to find a "good" way to achieve what I think is a simple task but cannot think of a simple solution. I have logs with session information, one entry per session:

    StartTime (datetime), EndTime (datetime), Duration (in seconds), Computer (string)

I want to count how many sessions are active for each 5 minute interval and graph that. Keep in mind, the sessions will overlap. I included a graphic of what I'm trying to do. With the result below

Which should return:

    Time + 5, 1
    Time + 10, 3
    Time + 15, 3
    Time + 20, 2

Joe_Lane (Copper Contributor), Dec 30, 2025 | 403 Views | 0 likes | 1 Comment

What do sign-in logs to Azure AD Identity Governance - Entitlement Management tell me
BLUF: I'm seeing a few user accounts (members and guests) that are showing up in sign-in activity to Azure AD Identity Governance - Entitlement Management...but most other user accounts (members and guests) do not show up with sign-ins against that app. Why would I be seeing sign-in logs for that, and what exactly am I seeing?

We have about 50 internal users (members) and 500 external users (guests)...out of those typical sign-ins I mostly see them within the apps that they are utilizing, however there are a few user accounts (members and guests) where I'm seeing sign-in logs specifically to the application name = Azure AD Identity Governance - Entitlement Management. We do have 100+ apps in which we have set up access packages for external users, but I haven't seen any other sign-in activity to apps that they haven't been given permission to access. This seemed to have started around first of June 2024. I'm just curious as to what I'm actually seeing when I see a user sign-in log showing up for Application = Azure AD Identity Governance - Entitlement Management.
J_SHD_4 (Copper Contributor), Dec 18, 2025 | 376 Views | 0 likes | 1 Comment

Data Collection Rule : XPath queries to filter 7036 without WMI etc
Hi, In PowerShell on server I’m trying to filter out some events from Event Id 7036 Service Control Manager Start stop services. I’m trying to filter out WMI Performance Adapter, so I don’t want to have those events imported in log analytic workspace with data collection rule. Can you help me what I’m doing wrong?

    $XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
    Get-WinEvent -FilterXPath $XPath

    Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
    At line:3 char:1
    + Get-WinEvent -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand

    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:3 char:1
    + Get-WinEvent -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

    $XPath = 'System!*[System[(EventID="7036")]] and [EventData[Data[@Name="param1"]!="WMI Performance Adapter"]]'
    Get-WinEvent -LogName 'System' -FilterXPath $XPath

    Get-WinEvent : The specified query is invalid
    At line:2 char:1
    + Get-WinEvent -LogName 'System' -FilterXPath $XPath
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

Mali_Stane (Copper Contributor), Dec 16, 2025 | 483 Views | 0 likes | 1 Comment

Consumer REST API for Azure Event Hub
Hello, We have an existing setup where we use Kafka and we have a Kafka client written in Java that talks to the Kafka server. We have a Java producer that sends data to consumer for a topic and a Java consumer that subscribes to this topic and gets data from Kafka.

We are now trying to offer similar support for Azure Event Hub too. From the documentation and examples, I can see that we can add similar code in Java. Basically a Java producer and consumer that talks to Azure Event Hub server.

We are now trying to do the same with REST API. I see that we have an API to send data to an Azure Event Hub server. But I don't see any field in that to include the topic. In addition, is there an API to consume data for a particular topic or subscribe for a particular topic? (Since the documentation mentions nothing about consumer API, I am assuming there is no support for consumer REST API in Azure Event Hub. But wanted to confirm. Logically also, using REST API for this kind of system where producer and consumer behave in async fashion is not a good idea.)

Please let me know. Thanks, Om
engineer1130 (Copper Contributor), Dec 15, 2025 | 550 Views | 1 like | 1 Comment

MetricsQueryClient returning different results based on timespan
I'm using the Python MetricsQueryClient to list out how many tokens were used on certain days via the APIM policy "azure-openai-emit-token-metric". The problem is that when I call the query_resource() function with "timespan" set for the entire month of October, I get different results for token count usage for today's date than when I set the "timespan" to just the last 48 hours. For example, when setting the timespan to be from 10/20/2024 to 10/22/2024, I see 34 prompt tokens for today's date. But if I set the timespan to be 10/1/24 to 11/1/24, I see 0 prompt tokens for today's date. Is this a known issue? Is it documented somewhere?
BenjaminN700 (Copper Contributor), Dec 14, 2025 | 153 Views | 0 likes | 1 Comment

"gettype()" function in KQL - "double" result
"double" is supposedly not a datatype in Kusto (Copilot says it is a synonym for "real"), but the gettype function will return it as a value...

    gettype(123.45) -> "real"
    gettype(cm.total) -> "double"

(where cm was a container of measurements used to contain a number of C# double values)

MS should either return "real" or mention "real" in the gettype documentation so programmers writing switch statements will realize that "double" is a possible value that should be handled.
Jens_Fiederer (Copper Contributor), Aug 27, 2025 | 372 Views | 0 likes | 2 Comments

Dependency Agent Alternatives
Hello. The retirement notice for the Azure Dependency Agent (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-maps-retirement) recommends selecting an Azure Marketplace product as a replacement but is not specific about what product(s) offer similar functionality. Would appreciate more specific guidance and experiences from the wider community. Thanks.
Cory_Matieyshen (Copper Contributor), Jul 31, 2025 | 169 Views | 0 likes | 1 Comment

Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized
Hi everyone, I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting. For example, this basic KQL query:

    DeviceLogonEvents
    | where TimeGenerated >= ago(30d)
    | where LogonType != "Local"
    | where DeviceName !contains ".fr"
    | where DeviceName !contains "shared-"
    | where DeviceName !contains "gdc-"
    | where DeviceName !contains "mon-"
    | distinct DeviceName

Now throws the error:

    Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query.

Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI. This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th.

Questions:
- Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps?
- Is there an alternative column or syntax we should use now?
- Are others experiencing this?

Any insights or workarounds would be greatly appreciated!
239 Views | 1 like | 3 Comments