Forum Discussion
Data Connector - Analytics Rule
- Jun 21, 2023
There are lots of scenarios for this. The most common solution is to monitor for a time delay - so if there is no data in, say, 15 mins then it's probably down. However, it could just as easily not have sent any data in that period, so you may have to also check back to the same period the day or week before to see if it's uncommon. You may need different thresholds for each connector/Table - so a watchlist can help.
Anomaly detection can help here as well - look at series_decompose_anomalies(); however, in a Rule you are limited to 14 days lookback - which isn't often enough to detect seasonal patterns.
If the data is from Syslog/CommonSecurityLog, you may actually want to monitor the Log collector server(s) using the Heartbeat table, so if for example one server fails out of 4 you still have 75% online capacity - if you just monitored the connector/Table then all 4 have to fail (or not send data).
There are some basic examples in the Queries pane for Heartbeat.
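An added example (not code from the thread) that combines two pieces of the advice above: comparing the most recent window against the same window one week earlier, and pulling a per-vendor threshold from a watchlist. The watchlist name ConnectorThresholds, its columns Vendor and MinRatio, the 15-minute window and the 0.25 fallback ratio are all assumptions.

```kql
// Added example, not from the original post.
// Assumed watchlist "ConnectorThresholds" with columns Vendor and MinRatio
// (MinRatio = minimum acceptable fraction of last week's volume, e.g. 0.25).
let window = 15m;
let thresholds = _GetWatchlist('ConnectorThresholds')
    | project DeviceVendor = tostring(Vendor),
              MinRatio = todouble(MinRatio);
// Volume per vendor in the most recent window.
let recent = CommonSecurityLog
    | where TimeGenerated > ago(window)
    | summarize RecentCount = count() by DeviceVendor;
// Volume per vendor in the same window exactly one week earlier
// (7d is inside the 14-day lookback limit for analytics rules).
let baseline = CommonSecurityLog
    | where TimeGenerated between (ago(7d + window) .. ago(7d))
    | summarize BaselineCount = count() by DeviceVendor;
baseline
// leftouter joins keep vendors that sent nothing this window (RecentCount null)
// and vendors with no watchlist entry (MinRatio null).
| join kind=leftouter recent on DeviceVendor
| join kind=leftouter thresholds on DeviceVendor
| extend RecentCount = coalesce(RecentCount, 0),
         MinRatio = coalesce(MinRatio, 0.25)   // assumed default threshold
// Only vendors that actually sent data last week are meaningful to compare.
| where BaselineCount > 0
| extend Ratio = todouble(RecentCount) / BaselineCount
| where Ratio < MinRatio
| project DeviceVendor, RecentCount, BaselineCount, Ratio, MinRatio
```

Vendors that were quiet in both windows produce no row, so a connector that is normally silent at this time of week does not trigger; adjust the window to match how often each source actually emits.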
| where DeviceVendor == "devicevendor"
Yep! Just make sure you add it to both places.
// Total events from this vendor over the last 24 hours, as a single scalar.
let averageCount = toscalar(
    CommonSecurityLog
    | where DeviceVendor == "YourVendor"
    | where TimeGenerated >= ago(24h)
    | summarize count()
);
// Events from the same vendor in the last hour.
CommonSecurityLog
| where DeviceVendor == "YourVendor"
| where TimeGenerated >= ago(1h)
| summarize LogCount = count()
// Flag the hour if it holds less than 1% of the 24-hour total.
| extend isBelowThreshold = iff(LogCount < averageCount * 0.01, 1, 0)
| where isBelowThreshold == 1
- miguelfac, Jul 14, 2023, Copper Contributor: Alright, thank you a lot for your inputs! I'll add the analytic rule; as soon as I have more news I'll tell you 🙂
Thanks!