azure monitor
1277 Topics

'where' operator: Failed to resolve table or column expression named 'SecurityEvent'
Hello Community,

Whenever I attempt to run the following Log Analytics query in Azure Log Analytics I get the following error:

'where' operator: Failed to resolve table or column expression named 'SecurityEvent'

I think it's because I need to enable 'SecurityEvent' in Log Analytics, but I'm not sure. I was wondering if someone could provide a guide.

SecurityEvent
| where AccountType == "User" and EventID == 4625 and TimeGenerated > ago(6h)
| summarize IPCount = dcount(IpAddress), makeset(IpAddress) by Account
| where IPCount > 5
| sort by IPCount desc

Any ideas would be much appreciated.

Cheers

query multiple "contains"
Greetings Community,

I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example:

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'ACOMPUTER1'
| summarize max(TimeGenerated) by Computer

I can run this query, but I have to execute it for a different string each time:

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'ACOMPUTER1'
| summarize max(TimeGenerated) by Computer

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'SERVERABC'
| summarize max(TimeGenerated) by Computer

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'THISMACHINE_B'
| summarize max(TimeGenerated) by Computer

Is there a way to go through multiple "contains" or "has" statements in a single query? Was thinking that I'd have to build an array in a function or something... any help is appreciated.

Remove duplicates from query
Hi, hope somebody can help me as I'm a bit stuck in my understanding of the query language.

So I'm trying to get some creation events for App Services, though there seem to be multiple entries for the same App. Therefore I'm trying to find a way to remove duplicates on a column but retain the rest of the columns in the output, or a defined set of columns. Though after doing distinct on a specific column, only this is retained in the output.

This is my query:

AzureActivity
| where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites'

Though this produces two entries for the same deletion, so I tried this:

AzureActivity
| where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites'
| distinct CorrelationId

Though this only leaves the CorrelationId in the output, but I need the Resource, ResourceID, OperationName also to be shown in the output. Any tips on how to get the syntax correct?

Thanks

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'
I got the error in the title when executing the query below. Does anyone know about this?

let containerNames = Perf
| where InstanceName like 'shenzhou-tts-829bbd20-3e9e-43a0-a7d7-35252d5ef498'
| where ObjectName == 'K8SContainer'
| where CounterName == "memoryRssBytes"
| distinct InstanceName;
containerNames
| join (
    Perf
) on InstanceName
| where CounterName == "memoryRssBytes"
| extend usage = tolong(CounterValue)
| summarize max(usage) by InstanceName, Computer
| extend maxUsageMB = max_usage * 1.0/(1024*1024)
| summarize sum(maxUsageMB) by Computer, bin(TimeGenerated, 2h)

Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop
With the global pandemic, we are seeing increasing demand for technologies that enable remote work. We’ve seen significant growth in the use of Windows Virtual Desktop, as organizations use it to ensure that their employees have access to the desktops and tools they need to stay productive. To help customers continue to accelerate this move to secure remote work with Windows Virtual Desktop, we are announcing several new capabilities that make it even easier to deploy, secure, and scale your virtual desktop deployments. These new capabilities will be available in public preview by the end of the calendar year 2020.

Before we dive into the new capabilities, we want to take a moment to share some of the experiences of our customers. Sebastian Meyer, the Global Service Owner for Modern Client Technologies at Beiersdorf Shared Services, shared his thoughts on moving to Windows Virtual Desktop to modernize his virtual desktop infrastructure:

"What Microsoft has developed here is simply phenomenal! Windows Virtual Desktop serves so many use cases and is very close to the end user. We were able to achieve maximum success with the project."

You can read the full story here.

Internally here at Microsoft, we are of course facing the same challenges as many of you. For example, getting a corporate laptop into the hands of new employees and interns takes time and impacts productivity. Windows Virtual Desktop is helping our new hires by providing a secure and productive remote work experience with access to the apps they need to get working immediately:

“Windows Virtual Desktop allows you to create virtual desktops that work just like a physical Windows PC would,” says Mark Lawrence, a senior program manager on Microsoft’s digital security team. “That means the people who use one—new hires, interns, and so on—get access to the Windows Start menu, with Microsoft’s productivity applications, the Microsoft Edge browser, and everything else they would need to work at any location. No more waiting for a physical device delivery.”

You can read the full story here.

Simplified Management

With Windows Virtual Desktop, you can move from a simple proof-of-concept (PoC) to a fully operational environment faster than ever before. As you start to scale your deployment, here are some new capabilities that will help you manage and operate your deployment efficiently.

Microsoft Endpoint Manager integration

Microsoft Endpoint Manager allows you to manage policies and distribute applications across devices. You can now enroll Windows Virtual Desktop virtual machines that are hybrid Azure Active Directory domain-joined (joined to your on-premises Active Directory and registered with your Azure Active Directory) with Microsoft Intune and manage them in the Microsoft Endpoint Manager admin center the same way as physical devices. This simplifies management, provides a centralized view across both physical devices and virtual desktops, and creates new areas of collaboration. The Microsoft Endpoint Manager integration is generally available for Windows 10 Enterprise desktops; you can learn more in the public FAQ. The public preview for Windows 10 Enterprise multi-session will be available in the coming months and will initially support policies at the device level.

MSIX app attach in Azure portal

MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is, an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control over providing the right application to the right user. Previously, you had to use PowerShell scripts to enable MSIX app attach. We will be integrating the app attach capability into the Azure portal and Azure Resource Manager. This will eliminate the need for custom scripts and make it possible to publish your packaged applications to application groups with a few clicks.

Proactive Monitoring

Proactively monitoring your deployment is important to ensure your deployment is always up and running and your employees have an optimal experience using virtual desktops.

Azure Monitor workbook

The Azure Monitor workbook for Windows Virtual Desktop aims to provide you with all the monitoring telemetry and visualizations you need to debug and troubleshoot issues. You can configure alerts to proactively identify issues before they impact your employees. You can look at connection and host-level performance and also drill down to a specific user session to see if there are any issues. You can also look at usage across host pools and make sure you are optimizing for cost and performance.

Improved Security

With Windows Virtual Desktop, you can use security capabilities such as Azure encryption, Azure Firewall, Azure Security Center, and Microsoft Defender to secure your entire VDI infrastructure and ensure that your corporate and customer data is protected and stored securely. We continue to add additional security capabilities:

Screen capture protection

One common attack vector with remote sessions is screen capture. To protect your sensitive information, we are adding the option to disable screen capture for your remote apps and desktops on all the supported Windows Virtual Desktop clients.

Direct RDP to session host

We are introducing a new capability that can be set at the host pool level and will take into account the type of network you are connecting from and, when possible, establish a direct peer-to-peer UDP connection to the session host rather than going over the internal Windows Virtual Desktop gateways. By eliminating the intermediate hops and using a more efficient connection over a trusted network, you get a secure, optimized experience with lower connection latency and better performance.

Thank you again for the amazing feedback that you have provided to us. You can track the progress of these upcoming public previews on our roadmap page. If you are attending the Microsoft Ignite conference, you can learn more about these features and get your questions answered in our sessions, and you can always reach us anytime at the Windows Virtual Desktop Tech Community page. You can also register here to attend our upcoming webinars.

Help with Disk query in Log Analytics
Hi

I was wondering if I could get some help with Log Analytics. New to this so bear with me.

I'm trying to create a query that will provide information on disk utilisation in Azure. I've got two commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of VM and name of disk. Anything else I can get in terms of disk usage would be great; not overly concerned with IOPS at the moment.

The commands are:

This provides info on free space:

search ObjectName == "LogicalDisk" and CounterName == "% Free Space"

This one provides information on free MB remaining:

search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"

I have tried this, which helps, but again the information is quite limited:

search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d)
| summarize FreeSpace = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":"

Thanks in advance 🙂