Sep 22 2023 08:03 AM
Sep 25 2023 10:47 AM - edited Sep 25 2023 10:51 AM
Thanks so much Clive, that worked like a charm.
Is it possible to create an alert in log analytics whenever the count for a particular WAF rule being triggered exceeds a certain threshold in a given time frame?
i.e. if the count for "AWSManagedRulesAnonymousIpList" was typically 1000 in an hour and spiked to 15000, how can I alert on this?
Sep 25 2023 12:16 PM
// Variant 1: last hour only. Everything after the // is commented out, so as
// written this returns the raw rows from the last hour rather than a count.
AWSCloudTrail
| where TimeGenerated > ago(1h)
// | summarize count() by EventSource | count | where Count > 1000

// Variant 2: last day, bucketed per hour; one row per source and hour where
// the count exceeds the threshold (the rows an alert rule would fire on).
AWSCloudTrail
| where TimeGenerated > ago(1d)
| summarize countPerHour = count() by EventSource, bin(TimeGenerated, 1h)
| where countPerHour > 1000
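As an added illustration (not part of the thread, and not the poster's own query), here is the same hourly-bucket logic in Python, extended with the baseline comparison the question asks for: the latest complete hour for each rule is compared against the median of the preceding 24 hours, so a rule that normally fires 1000 times an hour and jumps to 15000 is flagged, while a rule that steadily runs above a fixed threshold is not. The log records are constructed for the example; they only use the `timestamp` (epoch milliseconds) and `terminatingRuleId` fields of AWS WAF logs, and the helper names, the 3x multiplier and the `min_hits` floor are this example's own choices. In Log Analytics the equivalent comparison would be expressed in KQL inside a scheduled alert rule.

```python
"""Spike detection for AWS WAF rule hits, bucketed per hour.

Added example with constructed records; not a real WAF feed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

HOUR = timedelta(hours=1)
# Fixed "now" so the example is reproducible; the spike is placed in the last
# complete hour before it (11:00-12:00 UTC).
DEMO_NOW = datetime(2023, 9, 25, 12, 30, tzinfo=timezone.utc)


def bucket_hour(ts: datetime) -> datetime:
    """Truncate to the hour, like KQL bin(TimeGenerated, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_counts(records) -> Counter:
    """Count events per (rule, hour): the summarize step of the posted query."""
    counts = Counter()
    for rec in records:
        # AWS WAF logs carry 'timestamp' as epoch milliseconds.
        ts = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
        counts[(rec["terminatingRuleId"], bucket_hour(ts))] += 1
    return counts


def static_threshold_alerts(counts, threshold=1000):
    """Fixed threshold: every (rule, hour) with more than `threshold` hits."""
    return sorted((rule, hour, n) for (rule, hour), n in counts.items() if n > threshold)


def baseline_alerts(counts, now, lookback_hours=24, multiplier=3.0, min_hits=100):
    """Compare each rule's last complete hour with the median of the preceding
    `lookback_hours` hours; alert when it exceeds `multiplier` x that median.
    `min_hits` stops tiny baselines (0 -> 3 hits) from alerting; a rule with no
    history at all still alerts once it reaches `min_hits`, which is intended."""
    latest = bucket_hour(now) - HOUR  # skip the partial current hour
    per_rule = defaultdict(dict)
    for (rule, hour), n in counts.items():
        per_rule[rule][hour] = n
    alerts = []
    for rule, hours in sorted(per_rule.items()):
        current = hours.get(latest, 0)
        history = [hours.get(latest - HOUR * i, 0) for i in range(1, lookback_hours + 1)]
        base = median(history)
        if current >= min_hits and current > multiplier * base:
            alerts.append({"rule": rule, "hour": latest, "count": current, "baseline": base})
    return alerts


def make_records(rule, hour_start, n):
    """Constructed log records: n hits for `rule` spread evenly over one hour."""
    step_ms = 3_600_000 // n
    base_ms = int(hour_start.timestamp() * 1000)
    return [{"timestamp": base_ms + i * step_ms, "terminatingRuleId": rule} for i in range(n)]


def sample_records(now):
    """24 quiet hours for two rules, then a 15x spike on the anonymous-IP rule.
    The common rule set runs at a steady 1200/h, above the fixed 1000 threshold."""
    latest = bucket_hour(now) - HOUR
    recs = []
    for i in range(1, 25):
        h = latest - HOUR * i
        recs += make_records("AWSManagedRulesAnonymousIpList", h, 1000)
        recs += make_records("AWSManagedRulesCommonRuleSet", h, 1200)
    recs += make_records("AWSManagedRulesAnonymousIpList", latest, 15000)
    recs += make_records("AWSManagedRulesCommonRuleSet", latest, 1200)
    return recs


def run_example(now=DEMO_NOW):
    """Run both detections over the constructed data and return the results."""
    counts = hourly_counts(sample_records(now))
    return {
        "static": static_threshold_alerts(counts),
        "baseline": baseline_alerts(counts, now),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"fixed threshold fired on {len(result['static'])} rule-hours")
    for a in result["baseline"]:
        print(f"spike: {a['rule']} {a['count']} hits at {a['hour']:%H:%M} (baseline {a['baseline']:.0f}/h)")
```

The fixed threshold fires on 26 rule-hours here, 25 of them for the steadily busy common rule set, whereas the baseline comparison produces a single alert for the anonymous-IP spike; in practice the multiplier and `min_hits` need tuning per rule, and the lookback should cover at least a full day so daily traffic cycles are inside the baseline.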
Sep 26 2023 06:11 AM