Forum Discussion
Data Connector - Analytics Rule
- Jun 21, 2023
There are lots of scenarios for this. The most common solution is to monitor for a time delay - so if there is no data in, say, 15 mins then it's probably down. However, it could just as easily not have sent any data in that period, so you may have to also check back to the same period the day or week before to see if it's uncommon. You may need different thresholds for each connector/Table - so a watchlist can help.
Anomaly detection can help here as well - look at series_decompose_anomalies(); however, in a Rule you are limited to 14 days lookback - which isn't often enough to detect seasonal patterns.
If the data is from Syslog / CommonSecurityLog, you may actually want to monitor the Log collector server(s), using the Heartbeat table, so if for example one server fails out of 4 you still have 75% online capacity - if you just monitored the connector/Table then all 4 have to fail (or not send data).
There are some basic examples in the Queries pane for Heartbeat.
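The checks described in the reply above, written out as one scheduled-rule query. This is an added example and not code from the thread or from Microsoft: it combines the "silent connector compared with the same hour last week" check (with a per-connector threshold standing in for a watchlist) and the Heartbeat-based collector capacity check, and it returns a row only for a failing check, so the rule's default "results greater than 0" trigger fires. Assumed, not from the original: the rule runs every hour with a query period of 8 days (within the 14-day limit), the vendor names, thresholds, collector hostnames and the 75% quorum are constructed values, and a datatable replaces the watchlist lookup.

```kql
// Added example: ingestion-health rule query. Rows come back only for failing checks.
// Assumed: runs hourly, query period 8d (7d baseline + 1h window). All names/values below are constructed.
let window = 1h;
let baselineOffset = 7d;
let heartbeatGrace = 15m;        // a collector with no heartbeat in this period counts as offline
let minCollectorRatio = 0.75;    // alert when fewer than 75% of the collectors are online
// Per-connector minimum events per hour. Stand-in for a watchlist; in production use
//   _GetWatchlist('ConnectorThresholds') | project DeviceVendor, MinEventsPerHour = tolong(MinEventsPerHour)
let thresholds = datatable(DeviceVendor:string, MinEventsPerHour:long) [
    "Vendor-A", 100,
    "Vendor-B", 20
];
// Expected log collector servers (constructed hostnames).
let collectors = datatable(Computer:string) [
    "syslog-col-01", "syslog-col-02", "syslog-col-03", "syslog-col-04"
];
// Check 1: a connector is below its threshold now, but was above it in the same hour one week ago.
// Left-joining from the threshold table keeps connectors that sent nothing at all (count -> null -> 0).
let silentConnectors = thresholds
    | join kind=leftouter (
        CommonSecurityLog
        | where TimeGenerated > ago(window)
        | summarize CurrentEvents = count() by DeviceVendor
      ) on DeviceVendor
    | join kind=leftouter (
        CommonSecurityLog
        | where TimeGenerated between (ago(baselineOffset + window) .. ago(baselineOffset))
        | summarize BaselineEvents = count() by DeviceVendor
      ) on DeviceVendor
    | extend CurrentEvents = coalesce(CurrentEvents, 0), BaselineEvents = coalesce(BaselineEvents, 0)
    | where CurrentEvents < MinEventsPerHour and BaselineEvents >= MinEventsPerHour
    | project Check = "ConnectorSilent", Subject = DeviceVendor,
              Detail = strcat("events now=", CurrentEvents,
                              " same hour last week=", BaselineEvents,
                              " min=", MinEventsPerHour);
// Check 2: collector capacity from Heartbeat. One row when the online ratio drops below the quorum,
// listing the collectors that have gone quiet.
let collectorsDown = collectors
    | join kind=leftouter (
        Heartbeat
        | where TimeGenerated > ago(1d)
        | summarize LastHeartbeat = max(TimeGenerated) by Computer
      ) on Computer
    | extend Online = coalesce(LastHeartbeat, datetime(1970-01-01)) > ago(heartbeatGrace)
    | summarize OnlineCount = countif(Online), Total = count(),
                Offline = make_list_if(Computer, not(Online))
    | extend Ratio = todouble(OnlineCount) / Total
    | where Ratio < minCollectorRatio
    | project Check = "CollectorQuorum", Subject = "Syslog collectors",
              Detail = strcat(OnlineCount, "/", Total, " online; offline: ", tostring(Offline));
silentConnectors
| union collectorsDown
```

To use it as an analytics rule: run the query every 1 hour, look up data from the last 8 days, and generate an alert when the number of results is greater than 0. The Check and Subject columns are there so that incident grouping or a playbook can tell a silent connector from a collector outage; mapping Subject to a Host entity for the collector check is a natural next step.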
- Kaaamil, Jun 27, 2023, Copper Contributor
Did you manage to make it work?
I did it in a different way. I got an analytic rule like that:
CommonSecurityLog
| summarize Events = count()   // count() with no "by" clause returns one row even when the table is empty
| where Events == 0            // so a row comes back only when nothing was ingested in the rule's lookback
Then I have an automation rule that is being triggered by this rule. The automation rule triggers a playbook that sends Email / SMS 🙂
- miguelfac, Jun 27, 2023, Copper Contributor
Kaaamil, not quite like that, still trying to figure it out...
I'm using this query:
let Now = now();
let queryResult = range TimeGenerated from (Now - 1d) to (Now - 4h) step 4h   // 4h time slots covering the last day
| extend Count = 0
| union isfuzzy=true
    (CommonSecurityLog
    | where DeviceVendor == "connector_name_here"
    | summarize Count = count() by bin(TimeGenerated, 8h))                    // actual events per 8h bin
| union (
    range x from (Now - 1d) to (Now - 4h) step 8h                              // 8h slots so every bin has at least a 0 row
    | project TimeGenerated = x, Count = 0
)
| summarize Count = max(Count) by bin(TimeGenerated, 8h)                      // keep the real count where there is one
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "connector_name_here";
queryResult
// Note: a scheduled rule compares its threshold with the number of rows returned, not with the Value column;
// this query returns one row per bin whether Value is 0 or not.
Trying something like this, with the alert threshold: is equal to 0.
But it isn't working, I have the connector returning 0 values and it doesn't open an alert.
- Kaaamil, Jun 27, 2023, Copper Contributor
Try this one - very basic but does the work 🙂
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": { "type": "String" }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c6e05a5-26ad-49ae-9cd6-a3e0f9df305b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c6e05a5-26ad-49ae-9cd6-a3e0f9df305b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "No logs from CommonSecuritylog from last 1 hour",
        "description": "Rule triggers when Sentinel doesn't receive commonsecurity logs",
        "severity": "High",
        "enabled": true,
        "query": "CommonSecurityLog\r\n|summarize Events = count()\r\n|where Events ==0",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "startTimeUtc": null,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": { "aggregationKind": "SingleAlert" },
        "alertDetailsOverride": null,
        "customDetails": null,
        "entityMappings": null,
        "sentinelEntitiesMappings": null,
        "templateVersion": null
      }
    }
  ]
}