Exclude alert if from same date and has write/create entry

Copper Contributor

How to add condition wherein if there's a create/write activity of the same day, it will be excluded from the alert.

 

For example, 

Time generated   VirtualMachine   OperationValueName                  

5/20/2022            Test1                  Microsoft.Compute/virtualMachines/extensions/delete

5/20/2022            Test1                  Microsoft.Compute/virtualMachines/extensions/write

Since there's delete and write activity for the same date, it should have been excluded from the alert.

 

Here's the current query:
AzureActivity
| where * has "extensions/delete"
| where Resource contains "Agent"
or Resource contains "OMS"
or Resource contains "VMDiagnosticsSettings"
| where ActivityStatus has "Succeeded"
| sort by EventSubmissionTimestamp desc
| extend VirtualMachine = replace(@"(.*?\/virtualMachines\/)(\S+)(\/extensions\/)(\S+)", @"\2", ResourceId)
| where Resource !contains "CustomScript"
| summarize count() by Resource, VirtualMachine, Caller

0 Replies