Forum Discussion
Alert Creation on Duplicate Event Logs
Hi, I would like to set up a simple analytic rule and trigger an alert on an event with "High Severity" in a Log Analytics table. I will group all events into one alert.
Example:
Logs_CL
| where Category == "High"
The challenge is that the same "high severity log events" get ingested every day, which is causing duplication of log entries.
What would be the best way to set up this rule to only alert once on these events and not generate an alert again if the same events get ingested the next day?
thanks
You probably need something based around this (I used the SecurityIncident table as an example). I added a check for Severity which you may need to consider (e.g. if someone has closed the alert yesterday, is it still to be considered today?)
let highSeveritySigninLogsToday = SecurityIncident
    | where TimeGenerated >= startofday(now())
        and Severity == "High" and Status != "Closed";
let highSeveritySigninLogsYesterday = SecurityIncident
    | where TimeGenerated between (startofday(ago(1d)) .. endofday(ago(1d)))
        and Severity == "High" and Status != "Closed";
// leftanti keeps today's incidents whose Title has no match in yesterday's set,
// i.e. only the incidents that are new today (rightanti would return the reverse)
highSeveritySigninLogsToday
| join kind=leftanti highSeveritySigninLogsYesterday on Title
- Clive_Watson, Bronze Contributor
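The same first-seen idea applied to the asker's Logs_CL table with a longer lookback window, added here as an example rather than code from either post; the column names EventId_s and Computer_s and the 7-day window are assumptions.

```kusto
// Added example for Logs_CL (not from the thread). EventId_s and Computer_s are
// assumed column names standing in for whatever identifies an event uniquely.
let lookback = 7d;
// Keys of high-severity events already seen in the lookback window before today
let seenBefore =
    Logs_CL
    | where TimeGenerated >= startofday(ago(lookback))
        and TimeGenerated < startofday(now())
    | where Category == "High"
    | extend DedupKey = strcat(EventId_s, "|", Computer_s)
    | summarize FirstSeen = min(TimeGenerated) by DedupKey;
// Today's high-severity events, keyed the same way
Logs_CL
| where TimeGenerated >= startofday(now())
| where Category == "High"
| extend DedupKey = strcat(EventId_s, "|", Computer_s)
// leftanti drops any event whose key was already seen in the lookback window
| join kind=leftanti seenBefore on DedupKey
// collapse repeats within today so each new event appears once in the grouped alert
| summarize arg_min(TimeGenerated, *) by DedupKey
```

Schedule the rule once a day with a one-day query period so each day's batch is evaluated exactly once; an event re-ingested within the lookback window then never produces a second alert.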