Aug 09 2018
04:02 PM
- last edited on
Apr 07 2022
05:26 PM
by
TechCommunityAP
Aug 09 2018
04:02 PM
- last edited on
Apr 07 2022
05:26 PM
by
TechCommunityAP
This is my first time working with azure log analytics and I wanted some feedback on if my approach to my data request is correct.
I need computers which have % processor time above 50 which also have a security event both occurring within the last day using the Perf and SecurityEvent tables
This is my approach
Do you think I am on the right track?
Aug 09 2018 04:41 PM
the problem is you're averaging processor time over the whole time range (24h). did you want to know the average processor time in some time window around when the security event occurred?
Aug 09 2018 04:44 PM - edited Aug 09 2018 04:45 PM
I see what you saying. Yes, I was looking to get results for only computers that had average % processor time above 50 when there is also a security event occuring. But i'm still wondering how I would go about doing that.
Aug 09 2018 11:09 PM
SolutionHi,
I think what you are trying to achieve is the query below:
let ComputersWithSecurityEvents = SecurityEvent | where TimeGenerated > ago(24h) | distinct Computer; Perf | where Computer in (ComputersWithSecurityEvents) | where TimeGenerated > ago(24h) | where CounterName == "% Processor Time" and InstanceName == "_Total" | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue > 50
Let me know if this is what you wanted to achieve. I've put the Computers with security events into separate table and I am only taking the Computer Names from there and I match them to the performance query. I've also corrected your time window as you were using < instead of >. With this query it will get the data for the last 24 hours from both performance and security.
Aug 09 2018 11:55 PM
Aug 14 2018 09:27 AM
Stanislav's solution still only shows computers that have an average percent processor time > 50% over the whole 24 hour period. If you are interested in computers that had high cpu usage around the time of the security event itself, you'll need to bin the two time streams and join on the timestamp.
let binSize = 1h;
SecurityEvent
| where TimeGenerated > ago(24h)
| project Computer, bin(TimeGenerated, binSize)
| join (
Perf
| where TimeGenerated > ago(24h)
and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize PercentProcessorTime = avg(CounterValue) by Computer, bin(TimeGenerated, binSize)
) on Computer, TimeGenerated
Aug 09 2018 11:09 PM
SolutionHi,
I think what you are trying to achieve is the query below:
let ComputersWithSecurityEvents = SecurityEvent | where TimeGenerated > ago(24h) | distinct Computer; Perf | where Computer in (ComputersWithSecurityEvents) | where TimeGenerated > ago(24h) | where CounterName == "% Processor Time" and InstanceName == "_Total" | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue > 50
Let me know if this is what you wanted to achieve. I've put the Computers with security events into separate table and I am only taking the Computer Names from there and I match them to the performance query. I've also corrected your time window as you were using < instead of >. With this query it will get the data for the last 24 hours from both performance and security.