Feb 22 2021 08:53 AM
Hi,
You will have to forgive my basic Azure knowledge, as I'm a DBA looking after about 250 servers for various clients, but have been asked by my company if I could write some KQL that will alert them if a data connector goes down or is deleted.
I have managed to write some KQL that tells me if a resource hasn't raised any events in the last hour or X hours, depending on the resource, but when I try to create an alert based on this KQL it passes validation, but then I get the message "failed to create the rule as your query contains 'union' and 'search'". I have read it's not possible to use union and search in such queries, but is there an alternative method? Due to the number of connectors we have, we don't want to create an individual alert rule for each connector.
We'd like to set the query to run every hour or so and get an alert if no events have been raised by a data connector.
Also, is there any way to specifically check if a data connector that previously existed is no longer working or has been deleted? And how do you actually delete a data connector once you've created it? Is it possible to do it from the portal, as I can't seem to find a way to do it for my testing?
Thanks and sorry for my lack of Azure knowledge, but learning all the time! If anyone needs DBA help, more than happy to help.
Feb 22 2021 09:02 AM
Solution
Search and Union wildcards are not allowed (i.e. union *), but you can name the Tables, as per this simple example using two common Tables:
union SecurityAlert, SecurityEvent
| limit 10
(within an Analytics scheduled rule in Azure Sentinel)
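Building on the named-table union above, here is an added example (not from the original thread or from Microsoft) of the "no events from a connector in the last X hours" check the question asks for, written so it avoids the wildcard. The table names in the list, the 1h threshold and the 7d lookback are assumptions for illustration; substitute the tables your connectors actually write to. A plain summarize over the union would silently drop any table with zero rows, so the query starts from an explicit list of expected tables and left-joins the last-seen times onto it; `isfuzzy=true` keeps the union from failing outright if one of the named tables has never received data or no longer exists.

```kusto
// Added example, not code from the thread. Table list and thresholds are assumptions.
let silent_for = 1h;   // alert when a table has had no rows for this long
let lookback   = 7d;   // how far back to search for each table's most recent row
// Tables the connectors we care about write to (assumed list; edit to match your workspace).
let expected = datatable(Type:string)
    ["SecurityAlert", "SecurityEvent", "Syslog", "AzureActivity"];
// Named union (no 'union *' wildcard) so the query is accepted in a scheduled analytics rule.
let last_seen = union isfuzzy=true SecurityAlert, SecurityEvent, Syslog, AzureActivity
    | where TimeGenerated > ago(lookback)
    | summarize LastEvent = max(TimeGenerated) by Type;
expected
| join kind=leftouter last_seen on Type
// Tables missing from last_seen (null LastEvent) or stale beyond the threshold.
| where isnull(LastEvent) or LastEvent < ago(silent_for)
| project Type, LastEvent, SilentFor = now() - LastEvent
```

Schedule the rule to run every hour with a lookback at least as long as `lookback`; any row returned means that table, and therefore the connector feeding it, has gone quiet. A table that appears with a null `LastEvent` has had no rows at all in the lookback window, which is the closest a KQL-only check gets to detecting a connector that has been removed.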
Feb 22 2021 11:04 AM
@CliveWatson Ah. OK, yes I was using union *, it works fine when I put the table names in. Thanks Clive, much appreciated!
So, just being a bit cheeky does anyone know how to delete a connector, as I need to do this for testing? I'm assuming I have to use HTTP and pass in the URI parameters. But as an example, I've got an Azure SQL Database connector that I want to delete. Where would I find the connector ID? I tried just putting in 'Azure SQL Database' in the connector ID parameter but I got a 204 code back.
Thanks