Data Connector Health - Push Notification Alerts

Published Dec 17 2020 12:57 AM
Microsoft


This enhanced solution builds on the existing “Connector Health Workbook” described in this video (https://www.youtube.com/watch?v=T6Vyo7gZYds). The Logic App uses underlying KQL queries to give you the option of configuring “push notifications” to e-mail and/or a Microsoft Teams channel, based on user-defined anomaly scores as well as the time since the last “Heartbeat” from virtual machines connected to the workspace. Below is a detailed description of how the rule and the Logic App are put together. The solution is available for deployment from the official Azure Sentinel GitHub repo at https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus.

Overview of the steps the Logic App works through

[Screenshot: Appoverview.png]

The Logic App is activated by a Recurrence trigger whose frequency of execution can be adjusted to your requirements.

[Screenshot: 1-Reccurence.png]

Since the Logic App is deployed from an ARM template, you will need to create connections to Azure Monitor, Office 365 and Teams before the Logic App can work in your environment. You can expect to see windows like the one below. Click “Add new” to create a connection for each of the three resources.

[Screenshot: 2-Connections.png]

The KQL query below is added to this step in the Logic App and executes against your workspace. You can modify the threshold values to suit your needs.

let UpperThreshold = 3.0; // Upper anomaly threshold score
let LowerThreshold = -3.0; // Lower anomaly threshold score
let TableIgnoreList = dynamic(['SecurityAlert', 'BehaviorAnalytics', 'SecurityBaseline', 'ProtectionStatus']); // select tables you want to EXCLUDE from the results
union withsource=TableName1 *
| make-series count() on TimeGenerated from ago(14d) to now() step 1d by TableName1 // daily row count per table over the last 14 days
| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01) // per day: anomaly flag (+1/-1/0), anomaly score and predicted baseline
| where anomalies[-1] == 1 or anomalies[-1] == -1 // keep tables whose most recent day is anomalous
| extend Score = score[-1]
| where Score >= UpperThreshold or Score <= LowerThreshold // keep only strong anomalies
| where TableName1 !in (TableIgnoreList)
| project TableName=TableName1, ExpectedCount=round(todouble(baseline[-1]),1), ActualCount=round(todouble(count_[-1]),1), AnomalyScore = round(todouble(score[-1]),1) // summary rows for the notification

[Screenshot: 3-IngestionAnomaly.png]
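To show what the query's filters actually do to a set of per-table daily counts, here is an added offline re-creation in Python; it is example code written for this page, not the Logic App's or Kusto's own implementation. It assumes simplified stand-ins for the engine internals: a least-squares line over the preceding 13 days replaces the 'linefit' trend, a 10th to 90th percentile Tukey fence on the residuals replaces the 'ctukey' scoring, and the weekly seasonality argument (7) is ignored; the thresholds, the 1.5 anomaly cut-off and the TableIgnoreList are taken from the query, and all input data is constructed.

```python
"""Offline re-creation of the ingestion-anomaly query (constructed data).

Assumed stand-ins: least-squares trend for 'linefit', 10th-90th percentile
Tukey fence for 'ctukey', no seasonal component.
"""
import math

UPPER_THRESHOLD = 3.0   # Upper anomaly threshold score
LOWER_THRESHOLD = -3.0  # Lower anomaly threshold score
TABLE_IGNORE_LIST = {"SecurityAlert", "BehaviorAnalytics",
                     "SecurityBaseline", "ProtectionStatus"}

# Constructed daily row counts per table, oldest first, 14 values each:
# the shape `make-series count() ... from ago(14d) to now() step 1d` returns.
SAMPLE_SERIES = {
    # feed stopped on the last day (connector broken)
    "SecurityEvent": [1000, 1010, 990, 1005, 1000, 995, 1002,
                      1008, 998, 1001, 1003, 999, 1004, 0],
    # healthy, noise only
    "Syslog": [500, 505, 498, 502, 500, 497, 503,
               501, 499, 504, 500, 502, 498, 501],
    # sudden 4x burst on the last day
    "CommonSecurityLog": [200, 205, 198, 202, 200, 197, 203,
                          201, 199, 204, 200, 202, 198, 800],
    # mild bump: flagged as an anomaly, but below the +3 alert threshold
    "AzureActivity": [300, 305, 298, 302, 300, 297, 303,
                      301, 299, 304, 300, 302, 298, 316],
    # anomalous, but on the ignore list so never alerted
    "SecurityAlert": [3, 2, 4, 3, 2, 3, 4, 2, 3, 3, 2, 4, 3, 40],
}


def linefit(history):
    """Ordinary least-squares line y = intercept + slope * x, x = 0..n-1."""
    n = len(history)
    x_mean = (n - 1) / 2
    y_mean = sum(history) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(history))
    slope = sxy / sxx if sxx else 0.0
    return slope, y_mean - slope * x_mean


def percentile(sorted_values, p):
    """Linearly interpolated percentile (p in [0, 1]) of an ascending list."""
    pos = p * (len(sorted_values) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (pos - lo)


def ctukey_score(residual, history_residuals):
    """Tukey-style score: 0 inside the 10th-90th percentile band of the
    history residuals, otherwise the distance beyond the nearer edge in
    units of the band's width (1.5 = mild outlier, 3 = strong outlier)."""
    ranked = sorted(history_residuals)
    q10, q90 = percentile(ranked, 0.10), percentile(ranked, 0.90)
    spread = q90 - q10
    if spread == 0:  # perfectly flat history: any deviation is infinitely odd
        return 0.0 if residual == q10 else math.copysign(math.inf, residual - q10)
    if residual > q90:
        return (residual - q90) / spread
    if residual < q10:
        return (residual - q10) / spread
    return 0.0


def score_last_point(series, anomaly_threshold=1.5):
    """Mirror the three outputs of series_decompose_anomalies at index [-1]:
    (anomalies, score, baseline) for the most recent day only."""
    history, actual = series[:-1], series[-1]
    slope, intercept = linefit(history)
    fitted = [intercept + slope * x for x in range(len(history))]
    residuals = [y - f for y, f in zip(history, fitted)]
    baseline = intercept + slope * len(history)  # trend extrapolated to today
    score = ctukey_score(actual - baseline, residuals)
    anomaly = 1 if score >= anomaly_threshold else -1 if score <= -anomaly_threshold else 0
    return anomaly, score, baseline


def find_ingestion_anomalies(series_by_table, upper=UPPER_THRESHOLD,
                             lower=LOWER_THRESHOLD, ignore=TABLE_IGNORE_LIST):
    """Apply the query's three where-clauses and its final project."""
    rows = []
    for table, series in series_by_table.items():
        anomaly, score, baseline = score_last_point(series)
        if anomaly == 0:                             # anomalies[-1] == 1 or == -1
            continue
        if not (score >= upper or score <= lower):   # Score outside the thresholds
            continue
        if table in ignore:                          # TableName1 !in (TableIgnoreList)
            continue
        rows.append({"TableName": table,
                     "ExpectedCount": round(baseline, 1),
                     "ActualCount": round(float(series[-1]), 1),
                     "AnomalyScore": round(score, 1)})
    return rows


if __name__ == "__main__":
    for row in find_ingestion_anomalies(SAMPLE_SERIES):
        print(row)
```

Running it reports SecurityEvent (count dropped to 0) and CommonSecurityLog (burst), while the mild AzureActivity bump is an anomaly that the ±3 thresholds filter out and SecurityAlert is suppressed by the ignore list.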

 

Execute the query against the workspace to detect potential VM connectivity issues

[Screenshot: 4-HeartBeatQuery.png]

To adjust the lookback period for the last heartbeat received from VMs in the workspace, change the “| where LastHeartbeat < ago(5h)” line in the query above.

Send out the results of the query to the SOC team as a summarized HTML table

[Screenshot: 5-SOCemail.png]

Note that while both queries expose an output named “Body”, the two outputs are different and care should be taken to select the correct one. Naming the Ingestion Anomaly and the Heartbeat query steps differently will help distinguish between the two “Body” variables.

Send the same message to a Microsoft Teams channel monitored by the SOC team

[Screenshot: 6-TeamsMEssage.png]

Below is a sample output of the push notification message.

[Screenshot: 7-SampleEmail.png]

This solution was built in close collaboration with @Javier Soriano, @Jeremy Tan and @BenjiSec.

%0A%3CTR%3E%0A%3CTD%3ESyslog%3C%2FTD%3E%0A%3CTD%3E%5B0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C-1%5D%3C%2FTD%3E%0A%3CTD%3E%5B-0.00036792965707559%2C0%2C0%2C0%2C0%2C0%2C0%2C1.3549523289867058%2C0.09720032576946343%2C0%2C0%2C-0.7998683232928704%2C0%2C-4.7250625572418405%5D%3C%2FTD%3E%0A%3CTD%3E-4.72506%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3EAzureActivity%3C%2FTD%3E%0A%3CTD%3E%5B0%2C0%2C0%2C0%2C0%2C-1%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%5D%3C%2FTD%3E%0A%3CTD%3E%5B0.255883471606481%2C0%2C0%2C0%2C0%2C-1.8238931029256342%2C0%2C-0.21675871267353206%2C0%2C0%2C0%2C0%2C1.3739583751967412%2C4.334262181116097%5D%3C%2FTD%3E%0A%3CTD%3E4.334262%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3EOperation%3C%2FTD%3E%0A%3CTD%3E%5B0%2C1%2C0%2C0%2C0%2C0%2C0%2C0%2C-1%2C0%2C0%2C0%2C0%2C1%5D%3C%2FTD%3E%0A%3CTD%3E%5B-0.17908658774875946%2C2.248291860653117%2C0%2C0%2C0%2C0%2C0%2C0%2C-2.6172533848101915%2C0%2C0%2C0%2C0.12298717471902801%2C8.68893601041275%5D%3C%2FTD%3E%0A%3CTD%3E8.688936%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%3EUserAccessAnalytics%3C%2FTD%3E%0A%3CTD%3E%5B0%2C0%2C0%2C0%2C0%2C1%2C0%2C0%2C0%2C0%2C0%2C0%2C-1%2C-1%5D%3C%2FTD%3E%0A%3CTD%3E%5B-0.051628790842371826%2C0%2C0%2C0%2C0%2C5.2235777977951106%2C0%2C0%2C0%2C0%2C0%2C0.06069871355792385%2C-3.710993763386163%2C-10.209942232260403%5D%3C%2FTD%3E%0A%3CTD%3E-10.2099%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CEM%3ENote%3A%20I%20filtered%20the%20columns%20above%20so%20as%20to%20be%20able%20to%20display%20the%20two%20score%20columns%20and%20anomalies%20in%20this%20limited%20space%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3Ethe%20-1%20is%20the%20position%20in%20the%20array%20counting%20from%20the%20extreme%20right.%20The%20result%20there%20will%20be%20either%201%2C%200%20or%20-1%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Consolas%3B%20font-size%3A%2010.5pt%3B%22%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20lightslategray%3B
%22%3Ewhere%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%26nbsp%3BScore%26nbsp%3B%26gt%3B%3D%26nbsp%3BUpperThreshold%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20blue%3B%22%3Eor%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%26nbsp%3BScore%26nbsp%3B%26lt%3B%3D%26nbsp%3BLowerThreshold%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20lightslategray%3B%22%3Ewhere%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%26nbsp%3BTableName1%26nbsp%3B!in%26nbsp%3B(TableIgnoreList)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20green%3B%22%3E%2F%2Fcompare%26nbsp%3Bwith%26nbsp%3Bstrong%26nbsp%3Banomaly%26nbsp%3Bindicator%26nbsp%3Bvalues%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Consolas%3B%20font-size%3A%2010.5pt%3B%22%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20lightslategray%3B%22%3Eproject%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%26nbsp%3BTableName%3DTableName1%2C%26nbsp%3BExpectedCount%3Dround(todouble(baseline%5B-%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%5D)%2C%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E)%2C%26nbsp%3BActualCount%3Dround(todouble(count_%5B-%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%5D)%2C%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E)%2C%26nbsp%3BAnomalyScore%26nbsp%3B%3D%26nbsp%3Bround(todouble(score%5B-%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%5D)%2C%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23098658%3B%22%3E1%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E)%3C%2FSPA
N%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2035101%22%20slang%3D%22en-US%22%3ERe%3A%20Data%20Connector%20Health%20-%20Push%20Notification%20Alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2035101%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F556033%22%20target%3D%22_blank%22%3E%40niklasvolcz1%3C%2FA%3E%26nbsp%3Byou%20can%20use%20Azure%20Monitor%20alerts.%20The%20idea%20of%20the%20blog%20is%20to%20showcase%20the%20concept%20of%20push%20notifications%20for%20important%20alerts.%20However%2C%20with%20Azure%20Monitor%20alerts%20the%20cost%20is%20higher-even%20though%20both%20logic%20apps%20and%20azure%20monitor%20alerts%20are%20both%20quite%20low%20in%20cost.%20Also%2C%20when%20it%20comes%20to%20presenting%20the%20output%20in%20a%20HTML%20table-it%20takes%20more%20work%20and%20expertise%20to%20do%20so%20with%20Azure%20Monitor%20alerts%3C%2FP%3E%3C%2FLINGO-BODY%3E
Last update: Nov 01 2021 04:24 PM