Azure Log Analytics Cross-Workspace using watchlist - kql

I'm trying to get a quick overview of the last heartbeats from all the workspaces we have.
Now, I can do that with this query, except for the watchlist line, because it uses the watchlist from the workspace where I'm running the query, not from each of the other workspaces:
let timeRange = 1d;   // look-back range; adjust as needed
union
    workspace("<workspace_id1>").Heartbeat,
    workspace("<workspace_id2>").Heartbeat
| where TimeGenerated > ago(timeRange)
| where not (Computer in ((_GetWatchlist('<watchlist_name>') | project SearchKey)))
| summarize arg_max(TimeGenerated, *) by Computer, OSType
Is it possible to do it?
Thanks in advance
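One way to apply each workspace's own exclusion list, as an added example (mine, not code from the question). `_GetWatchlist()` is a function defined in the workspace you run the query from, so it always resolves there. The assumption in the query below is that each workspace's watchlist entries can be read directly from its `Watchlist` table (the table `_GetWatchlist` is built on), which carries `WatchlistAlias` and `SearchKey`, and that `TenantId` holds the workspace ID in both `Heartbeat` and `Watchlist`, as it does in other Log Analytics tables. Heartbeats and watchlist rows are then unioned separately and matched on the workspace they came from:

```kql
// Added example, not from the original post.
// Assumptions: the Watchlist table exists in each workspace with WatchlistAlias
// and SearchKey columns, and TenantId holds the workspace ID in both tables.
let timeRange = 1d;
let watchlistName = "<watchlist_name>";
// Heartbeats from every workspace; TenantId says which workspace each row came from.
let heartbeats = union
    workspace("<workspace_id1>").Heartbeat,
    workspace("<workspace_id2>").Heartbeat
  | where TimeGenerated > ago(timeRange)
  | project TenantId, Computer, OSType, TimeGenerated;
// The same-named watchlist read from each workspace, keyed by that workspace's ID.
let excluded = union
    workspace("<workspace_id1>").Watchlist,
    workspace("<workspace_id2>").Watchlist
  | where WatchlistAlias == watchlistName
  | project TenantId, SearchKey;
heartbeats
// leftanti keeps heartbeat rows with no matching (workspace, computer) exclusion,
// so workspace 1's list never suppresses a computer that only workspace 2 listed.
| join kind=leftanti excluded on TenantId, $left.Computer == $right.SearchKey
| summarize arg_max(TimeGenerated, *) by TenantId, Computer, OSType
```

Two checks before relying on this: the account running the query needs read access to every workspace referenced by `workspace()`, and the raw `Watchlist` table is not guaranteed to reflect items that were later updated or deleted the way `_GetWatchlist` does, so compare its output against `_GetWatchlist('<watchlist_name>')` in one workspace first.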

Related

Azure log analytics - get logs for all users in global administrator role

I'm sorry for not having much to go on with this. My boss has asked for logs of all administrative actions performed in Azure. I did some research and was able to set up Log Analytics to get all administrative logs from Azure Activity. I also sent all of the AAD audit logs to Log Analytics. My issue is now filtering through the audit logs with KQL. I have no clue how to pull the logs from only the users in the global admin role. If someone could point me in the right direction it would be greatly appreciated.
AzureActivity
| where TimeGenerated > ago(70d)
| where Caller contains "#yourdomain.com"
//| where ResourceProviderValue contains "MICROSOFT.MIGRATE"
//| where ActivityStatusValue contains "Success"
| where ActivityStatusValue !contains "Start"
| extend ResourceName = Properties_d.resource
| project
TimeGenerated,
Caller,
ResourceName,
ResourceGroup,
ResourceProviderValue,
ActivityStatusValue,
ActivitySubstatusValue,
CallerIpAddress,
CategoryValue,
OperationNameValue
| sort by TimeGenerated desc
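The post's query filters by domain, not by role, because `AzureActivity` carries no role information. An added example (mine, not from the post) of one way to get there: rebuild Global Administrator membership from the Entra ID (AAD) audit log and use it as a filter. It assumes `AuditLogs` is in the same workspace, that role membership changes are logged with `OperationName` "Add member to role" / "Remove member from role", that the affected user is in `TargetResources[].userPrincipalName`, and that the role name sits in the `modifiedProperties` entry whose `displayName` is "Role.DisplayName"; the 70d window is taken from the post.

```kql
// Added example, not from the original post. Field names under TargetResources and
// modifiedProperties are assumptions about the AuditLogs schema; verify on one event first.
let lookback = 70d;
let roleName = "Global Administrator";
// Replay every add/remove for the role over the whole retention period
// (no time filter here: an assignment made a year ago is still in effect).
let roleChanges = AuditLogs
| where OperationName in ("Add member to role", "Remove member from role")
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| where tostring(Prop.newValue) has roleName or tostring(Prop.oldValue) has roleName
| project TimeGenerated, OperationName, Upn = tolower(tostring(Target.userPrincipalName))
| where isnotempty(Upn);
// A user is a member if their most recent change for this role was an add.
let globalAdmins = roleChanges
| summarize arg_max(TimeGenerated, OperationName) by Upn
| where OperationName == "Add member to role"
| project Upn;
AzureActivity
| where TimeGenerated > ago(lookback)
| where ActivityStatusValue !contains "Start"
| extend CallerUpn = tolower(Caller)
| where CallerUpn in (globalAdmins)
| extend ResourceName = tostring(Properties_d.resource)
| project TimeGenerated, Caller, ResourceName, ResourceGroup, ResourceProviderValue,
          ActivityStatusValue, ActivitySubstatusValue, CallerIpAddress, CategoryValue,
          OperationNameValue
| sort by TimeGenerated desc
```

Caveats: membership older than the workspace's `AuditLogs` retention is invisible, PIM eligibility and activation use different operation names, and `Caller` is an object or application ID rather than a UPN for service principals. If the list must be authoritative, export current members from Entra ID into a watchlist and filter with `_GetWatchlist()` instead of replaying the audit log.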

how to check if splunk has received the logs from 100 different hosts

I am new to Splunk. I wanted to create a Splunk alert to check whether logs have been received from all the hosts or not, and if not, set an alert trigger.
| tstats latest(_time) as latest where index=* earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
Is the above Splunk query correct?
The query looks good, but the best way to know is to try it. Does it produce the desired results?

Is it possible to create log source health alerts in Azure Sentinel?

I am attempting to create an alert that lets me know if a data source stops providing logs to Sentinel. While I know it displays anomalies in log data on the dashboard, I am hoping to receive alerts if a source stops providing logs for an extended period of time.
Something like creating a rule with the following query (CEF in this case):
CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize count() by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID
| where count_ == 0
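As written, that rule can never fire: `summarize count()` only produces a row for groups that have events in the window, so `count_ == 0` matches nothing. Detecting silence needs a list of sources that are expected to report. The added example below (mine, not part of the original post) derives that list from the previous seven days and flags any source that reported then but not in the last 24 hours; the 7d lookback and 24h window are assumptions to tune for your sources.

```kql
// Added example, not from the original post. Lookback and window are assumed values.
let window = 24h;      // how long a source may stay silent before alerting
let lookback = 7d;     // baseline period that defines which sources are "expected"
// Sources that reported at least once in the baseline period (before the window).
let expected = CommonSecurityLog
| where TimeGenerated between (ago(lookback) .. ago(window))
| summarize BaselineEvents = count(), LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID;
// Sources seen inside the window.
let recent = CommonSecurityLog
| where TimeGenerated > ago(window)
| summarize RecentEvents = count()
    by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID;
// leftanti keeps expected sources with no recent counterpart: these went quiet.
expected
| join kind=leftanti recent on DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID
| extend SilentFor = now() - LastSeen
| project DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID,
          BaselineEvents, LastSeen, SilentFor
| sort by SilentFor desc
```

Run it as a scheduled rule with a query period covering the full lookback and alert when the result count is greater than zero. If you keep an inventory of log sources, replace the `expected` baseline with a watchlist read through `_GetWatchlist()` so a source that has never reported at all is also caught; the same pattern works against `Heartbeat` for agent-based sources.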

Query sometimes delivers alerts for services that are running

I am setting up some alerts for Windows services using the code below. But sometimes I get an alert for a service that has the state "Running". We can't see that the service was stopped or restarted during the period. Does anyone have an idea what could be wrong? Or should I change the query to something else?
I want an alert every time the service is stopped so the support team can take action.
ConfigurationData
| where SvcName =~ "W3SVC"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
| where SvcState != "Running"
Update:
There is a potential issue in your query, like below:
If the SvcState is stopped at 2019/09/06 1:00 PM and you then fix the issue by restarting it, let's say it's running again at 2019/09/06 2:00 PM. But in your query, if for example the query runs from 2019/09/06 1:00 PM, it will always return a result indicating the service is stopped (which is actually the old state from 1:00 PM, while the latest state is running as of 2:00 PM).
So you should get the latest SvcState by using top 1 by TimeGenerated, which is ordered desc in TimeGenerated by default.
Please try the code below:
ConfigurationData
| where SvcName =~ "W3SVC"
// Latest snapshot per computer and service. A plain "top 1 by TimeGenerated" before the
// filter would return a single row across all computers and all services, which is
// usually not W3SVC at all; arg_max keeps the newest row for each computer instead.
| summarize arg_max(TimeGenerated, *) by Computer, SvcName
| where SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
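A latest-state query tells you what is stopped right now, but it does not tell the support team when the service stopped, and it keeps matching (and re-alerting) on every run until the service is back. The added example below (mine, not from the thread) instead emits one row per Running-to-not-Running transition per computer, so an alert fires once per stop. It assumes ConfigurationData rows for services carry `ConfigDataType == "WindowsServices"` and that consecutive snapshots for the same computer are comparable; the 1d window is an assumption. Because ConfigurationData holds periodic snapshots, a stop and restart that both fall between two snapshots is invisible to this query, just as it is to the original one.

```kql
// Added example, not from the original thread. Window and ConfigDataType filter are assumptions.
let lookback = 1d;
let service = "W3SVC";
ConfigurationData
| where TimeGenerated > ago(lookback)
| where ConfigDataType == "WindowsServices"
| where SvcName =~ service
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
// Order so that prev() sees the previous snapshot of the same computer.
| sort by Computer asc, TimeGenerated asc
| extend PrevComputer = prev(Computer), PrevState = prev(SvcState), PrevTime = prev(TimeGenerated)
// Keep rows where this computer's previous snapshot was Running and this one is not.
| where PrevComputer == Computer and PrevState == "Running" and SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, StoppedState = SvcState,
          LastRunningSeen = PrevTime, StoppedSeen = TimeGenerated
| sort by StoppedSeen desc
```

Schedule the alert with a frequency no longer than the query window so no transition falls outside a run; if you monitor several services at once, add `SvcName` to the `sort by` and compare `prev(SvcName)` as well, otherwise a transition can be computed across two different services on the same computer.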

Azure Monitor Alert based on Custom Metric

I've created a custom metric to monitor free disk C: space on my Azure VM.
But when I'm trying to create an alert rule (not classic), I can't find my custom metric in the options list. I'm thinking that this is due to the fact that I'm using the new alert rules instead of the Classic Rules.
Has someone succeeded in creating a new alert rule based on a custom metric?
Using a query can give me the output, but I don't know where this info is coming from (VM extension? Diagnostic log?):
Perf
| where TimeGenerated > ago(1d)
| where CounterName == "% Free Space" and ObjectName == "LogicalDisk" and InstanceName == "C:" and CounterValue > 90
| sort by TimeGenerated desc
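The rows returned by that query come from the `Perf` table, which the Log Analytics agent populates with the Windows performance counters enabled for the workspace; it has nothing to do with the custom metric. As an added example (mine, not from the post), the query below is written as a log alert over that same table: it takes the newest sample per computer and disk and returns only disks below a free-space threshold, generalised from `C:` to every logical disk except the `_Total` instance. The 10% threshold and 1d window are assumptions. Note that `% Free Space` is the percentage free, so the original `CounterValue > 90` selects disks that are more than 90% free.

```kql
// Added example, not from the original post. Threshold and window are assumed values.
let window = 1d;
let minFreePct = 10.0;
Perf
| where TimeGenerated > ago(window)
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName != "_Total"
// Newest sample per computer and disk, so a disk that has since recovered does not alert.
| summarize arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where CounterValue < minFreePct
| project Computer, Disk = InstanceName, FreePct = round(CounterValue, 1), SampledAt = TimeGenerated
| sort by FreePct asc
```

In the alert rule, set the condition to fire when the number of results is greater than zero. If the query returns nothing at all even for healthy disks, the `LogicalDisk(*)\% Free Space` counter is not being collected for the workspace.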