Apr 23 2024 10:22 AM
I am attempting to activate a Sentinel analytic rule for DDoS incidents, specifically the rule named “DDoS Attack IP Addresses - Percent Threshold.”
However, during the rule activation process, I encountered an error message indicating that the scalar expression ‘destPublicIpAddress_s’ could not be resolved.
It appears that the Azure Diagnostic table does not contain a column named ‘destPublicIpAddress_s.’
I have configured the public IP address to send logs to LA.
Is there anything I can do to receive DDoS alerts into Sentinel, or to resolve the analytic rule error?
The query referenced is here:
let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
Apr 24 2024 06:13 AM
Was it these instructions you followed? View Azure DDoS Protection logs in Log Analytics workspace | Microsoft Learn
If the data hasn't shown up yet, from a genuine attack or the simulated test, then you can at least tweak the Rule code to handle the missing columns using column_ifexists() - Azure Data Explorer & Real-Time Analytics | Microsoft Learn
AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destPublicIpAddress_s= column_ifexists("destPublicIpAddress_s",'')
,sourcePublicIpAddress_s= column_ifexists('sourcePublicIpAddress_s','')
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s
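An added example (not from either post) that does the check the reply describes before patching the rule: confirm whether any PUBLICIPADDRESSES diagnostics have reached the workspace, and list which IP-address columns AzureDiagnostics actually carries there. It assumes the standard AzureDiagnostics table and the 7-day window is an arbitrary choice.

```kql
// Step 1: has anything from the public IP resource landed at all, and under which Category?
// DDoSMitigationFlowLogs rows only appear during a mitigation, so an empty result
// for that Category is expected on a quiet day (7d window is an assumption).
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceType == "PUBLICIPADDRESSES"
| summarize rows = count(), last_seen = max(TimeGenerated) by Category
| order by last_seen desc

// Step 2: which address columns exist in this workspace's AzureDiagnostics schema?
// AzureDiagnostics gains columns only when matching data has been ingested, which is
// why destPublicIpAddress_s fails to resolve until the first flow-log rows arrive.
AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES"
| getschema
| where ColumnName has "IpAddress"
| project ColumnName, ColumnType

// Step 3: the column_ifexists() guard from the reply, with a row that shows whether the
// rule would be counting real addresses or only the '' placeholders it falls back to.
AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destPublicIpAddress_s = column_ifexists("destPublicIpAddress_s", '')
| extend sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", '')
| summarize rows_count = count(),
            populated = countif(isnotempty(destPublicIpAddress_s))
          by destPublicIpAddress_s, sourcePublicIpAddress_s
```

Run the three statements separately in the Logs blade; if step 1 shows no rows for DDoSMitigationFlowLogs and step 2 lists no IP columns, the rule's column error is a data-not-yet-arrived problem rather than a query problem.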