Forum Discussion
How to show amount of query results as entity on incident created in Azure Sentinel
You can have a final line like this in the query, or use Alert Threshold
| where count > 500
Alert Threshold based on query result only works if I list all raw events from SQL server without processing the result with "count", since the outcome will always be 1 in number of query results.
I was hoping that there is a workaround to extract "count" into the Alert name, but it might not be possible to, at the same time, only generate an Alert if the amount is below 500 events.
Also I'm trying to see how it would work with "| where count < 500" but I can't get it to work.
SQLEvent
| count
| where count < 500
Query could not be parsed at '<' on line [3,14] Token: < Line: 3 Position: 14
I want to trigger alert if the amount of events is below 500 for a 15 minute period.
Regards
- CliveWatson, Oct 11, 2021, Former Employee
Sorry, I was doing it from my memory, the second count should be Count (with an uppercase "C"). e.g.
SecurityEvent | where TimeGenerated > startofday(ago(7d)) | count | extend status_ = iif(Count < 500,0,1)
You can build test logic; in this case, if the value is below 500, status == 0; above 500, status == 1 (you can use true or false rather than 0 and 1).
You can display the value as well, or even a custom message, in a column I've called "status_" (feel free to change):
SecurityEvent | where TimeGenerated > startofday(ago(7d)) | count | extend status_ = iif(Count < 500,strcat('Good, under 500: ',Count),strcat('Bad, over 500: ', Count))
Result:
Count    status_
3233512  Bad, over 500: 3233512
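Putting the two halves of the question together (alert only when the 15-minute volume is below 500, and carry the count into the alert), as an added example that is not from either post in the thread; SQLEvent is the table named in the question, while the 15-minute window and the column names status_ and detail_ are assumptions for illustration.

```kql
// Added example, not the thread's own query.
// SQLEvent comes from the question; the window and column names are assumed.
SQLEvent
| where TimeGenerated > ago(15m)          // match the rule's 15-minute lookup period
| count                                   // always one row, column "Count" (0 when no events arrived)
| where Count < 500                       // keep the row only when volume is low
| extend status_ = 'Low volume',
         detail_ = strcat('Only ', Count, ' SQLEvent rows in the last 15 minutes (threshold 500)')
```

Because the row is filtered out when Count is 500 or more, the query returns 0 rows in the normal case and 1 row in the low-volume case, so the rule's Alert threshold can stay at "Is greater than 0" with the rule run every 15 minutes over the last 15 minutes. Since `count` yields Count = 0 on empty input, a feed that stops completely also fires, and the Count and detail_ columns can be surfaced through the rule's alert details rather than as an entity.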