Sep 10 2023 03:46 PM
Hi, we have firewall logs going into the CEF table, and I would like to monitor and alert if any of the firewalls stops ingestion. Is anyone using a KQL query or custom NRT rule for this? Thanks
Sep 11 2023 12:46 AM - edited Sep 11 2023 12:49 AM
Solution
Hi @gsingh_,
The following KQL will be a nice basis for your alert.
Here's a version that you can use as NRT:
CommonSecurityLog
//| where DeviceProduct == "Some unique identifier"
| count
| where Count == 0
//| extend AlertText = "No Firewall Logs were ingested in the last minute."
If you have multiple types of CommonSecurityLog devices logging to the table, you will need to specify some unique identifier for your Firewall logs on line 2 based on the DeviceProduct column, but there may be a more appropriate column for this in your logs. I also added an AlertText on line 5 that may be useful to set as a Custom Detail. Since they're both optional to a working solution, I commented them out in my examples.
Depending on your set-up, this rule may be too sensitive. NRT rules run every minute, and some variation in ingestion speed is to be expected in normal set-ups. Here's a version that can be deployed as a Scheduled rule instead:
CommonSecurityLog
//| where DeviceProduct == "Some unique identifier"
| where ingestion_time() > ago(15m)
| count
| where Count == 0
//| extend AlertText = "No Firewall Logs were ingested in the last 15 minutes."
Let me know if you have any questions!
Kind regards,
Rutger Smeets
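Both queries above only fire when the whole table goes quiet; if several firewalls share the CommonSecurityLog table and one of them stops sending, the count stays above zero and nothing alerts. The following KQL is an added example (not part of the original answer) that generalises the idea to a per-device check: it learns which devices normally report over a baseline window, then lists any that have been silent longer than a threshold. It assumes the standard CommonSecurityLog columns DeviceVendor, DeviceProduct and DeviceName, and the product filter value is a placeholder you would replace with your own.

```kql
// Added example: per-firewall ingestion-gap detection for a Scheduled rule.
// baseline_window: how far back to look to learn which devices normally report.
// silence_threshold: how long a known device may be quiet before it is alerted on.
let baseline_window = 7d;
let silence_threshold = 30m;
// Devices seen in the baseline window, with the time their last event was ingested.
let known_devices =
    CommonSecurityLog
    | where TimeGenerated > ago(baseline_window)
    // Optional: restrict to firewall products only (placeholder value, replace with yours).
    //| where DeviceProduct == "<your firewall product>"
    | extend IngestTime = ingestion_time()
    | summarize LastSeen = max(IngestTime), EventsInBaseline = count()
        by DeviceVendor, DeviceProduct, DeviceName;
known_devices
// Skip devices that barely reported in the baseline (test boxes, decommissioned units),
// so a device that was never really in service does not page anyone.
| where EventsInBaseline > 100
// The actual gap check: last ingested event is older than the allowed silence.
| where LastSeen < ago(silence_threshold)
| extend SilentFor = now() - LastSeen
| project DeviceVendor, DeviceProduct, DeviceName, LastSeen, SilentFor
// One row per silent device; map AlertText to a Custom Detail or the alert description.
| extend AlertText = strcat("No CommonSecurityLog events from ", DeviceName,
    " (", DeviceVendor, " ", DeviceProduct, ") for ", tostring(SilentFor))
```

Deploy this as a Scheduled rule with a query lookback at least as long as baseline_window, and tune EventsInBaseline and silence_threshold to the chattiest and quietest firewalls you have so that normal ingestion jitter does not trip it.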