Sending DDoS Alerts into Sentinel and Analytic Rule Error


I am attempting to activate a Sentinel analytic rule for DDoS incidents, specifically the rule named “DDoS Attack IP Addresses - Percent Threshold.” 

However, during the rule activation process, I encountered an error message indicating that the scalar expression ‘destPublicIpAddress_s’ could not be resolved.

It appears that the Azure Diagnostic table does not contain a column named ‘destPublicIpAddress_s.’


I have configured the public IP address to send logs to LA.

Is there anything I can do to receive DDoS alerts into Sentinel, or to resolve the analytic rule error?


The query referenced is here:

let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;

1 Reply

@BaselAlfawal 


Was it these instructions you followed? View Azure DDoS Protection logs in Log Analytics workspace | Microsoft Learn

If the data hasn't shown up yet, from a genuine attack or the simulated test, then you can at least tweak the rule code to handle the missing columns using column_ifexists() - Azure Data Explorer & Real-Time Analytics | Microsoft Learn

AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destPublicIpAddress_s = column_ifexists("destPublicIpAddress_s", "")
       , sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", "")
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s
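The following is an added example, not code from the thread or from the Microsoft rule template. It shows the column_ifexists() approach end to end on a constructed in-query sample, so the behaviour of the defensive query can be checked in any Log Analytics workspace before real DDoS flow logs arrive. The sample table (deliberately lacking destPublicIpAddress_s, with RFC 5737 documentation addresses as sources), the 50 percent threshold, and the percent calculation are assumptions for illustration; the production rule's threshold and the AzureDiagnostics column names must come from the rule template and the workspace schema.

```kusto
// Constructed sample standing in for AzureDiagnostics. Only the source IP column is
// present, to mimic a workspace where destPublicIpAddress_s does not exist yet.
let SampleDiagnostics = datatable(TimeGenerated:datetime, ResourceType:string, Category:string, sourcePublicIpAddress_s:string)
[
    datetime(2024-01-01 10:00:00), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs",      "203.0.113.10",
    datetime(2024-01-01 10:00:05), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs",      "203.0.113.10",
    datetime(2024-01-01 10:00:10), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs",      "198.51.100.7",
    datetime(2024-01-01 10:00:15), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs",      "203.0.113.10",
    datetime(2024-01-01 10:00:20), "PUBLICIPADDRESSES", "DDoSMitigationFlowLogs",      "192.0.2.44",
    datetime(2024-01-01 10:01:00), "PUBLICIPADDRESSES", "DDoSMitigationNotifications", "198.51.100.7"
];
// Assumed threshold: flag a source that accounts for more than this share of a destination's flow-log rows.
let PercentThreshold = 50.0;
// Resolve both columns defensively: a column absent from the schema becomes an empty string
// instead of a "could not be resolved" compile error, so the analytic rule can be enabled.
let FlowLogs = SampleDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destPublicIpAddress_s = column_ifexists("destPublicIpAddress_s", "")
       , sourcePublicIpAddress_s = column_ifexists("sourcePublicIpAddress_s", "");
FlowLogs
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s
// Total rows per destination, so each source's share can be expressed as a percentage.
| join kind=inner (
    FlowLogs
    | summarize total_count = count() by destPublicIpAddress_s
  ) on destPublicIpAddress_s
| extend percent = round(100.0 * rows_count / total_count, 1)
| where percent > PercentThreshold
// An empty destination means the column was defaulted (schema not populated yet): every public IP
// is then grouped together and the percentage is across all destinations, not per destination.
| extend schema_note = iff(isempty(destPublicIpAddress_s), "destPublicIpAddress_s missing from schema", "")
| project destPublicIpAddress_s, sourcePublicIpAddress_s, rows_count, total_count, percent, schema_note
```

On the constructed sample this returns one row: source 203.0.113.10 with rows_count 3 of total_count 5 (60 percent) under an empty destination, with schema_note set. Once genuine DDoSMitigationFlowLogs rows carrying destPublicIpAddress_s arrive, column_ifexists() picks up the real column automatically, the grouping becomes per destination, and schema_note stays empty; filtering on isnotempty(destPublicIpAddress_s) in the rule is a reasonable way to suppress alerts while the column is still absent.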