Is it possible to create log source health alerts in Azure Sentinel? - azure-log-analytics

I am attempting to create an alert that lets me know if a data source stops providing logs to Sentinel. While I know it displays anomalies in log data on the dashboard, I am hoping to receive alerts if a source stops providing logs for an extended period of time.

Something like creating a rule with the following query (CEF in this case):
CommonSecurityLog
// look back further than the silence threshold, so a source that went quiet still has rows to compare against
| where TimeGenerated > ago(7d)
| summarize LastSeen = max(TimeGenerated) by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID
// summarize count() never yields count_ == 0 for a source with no rows, so filter on the age of the last event instead
| where LastSeen < ago(24h)

Related

Azure Log Analytics Cross-Workspace using watchlist

I'm trying to have a quick overview of the last heartbeats from all the workspaces we have.
Now, I can do that with this query, except for the watchlist line, because it uses the watchlist from the workspace where I'm doing the query, not from each of the other workspaces:
union
workspace("<workspace_id1>").Heartbeat,
workspace("<workspace_id2>").Heartbeat
| where TimeGenerated > ago(timeRange)
| where not (Computer in ( (_GetWatchlist('<watchlist_name>') | project SearchKey)) )
| summarize arg_max(TimeGenerated,*) by Computer, OSType
Is it possible to do it?
Thanks in advance

AWS CloudWatch parsing for logging type

My CloudWatch log is coming in the below format:
2022-08-04T12:55:52.395Z 1d42aae9-740f-437d-bdf1-4e8c747e0f04 INFO 14 Field Service activities within Launch Advisory are a core set of activities and recommendations that are proven to support successful deployments and accelerate time-to-value. For customers implementing an AEC Product for the first time, the first year of Field Services available to the Customer will be comprised of Launch Advisory activities only. Google’s Launch Advisory services team will work with the Customer's solution implementation team to guide, assess, and make recommendations for the implementation of newly licensed APAC Products..
2022-08-04T12:55:52.395Z: the timestamp
1d42aae9-740f-437d-bdf1-4e8c747e0f04: the request ID
INFO: the logging type
The rest is the actual message.
I want to parse those fields out of the message. Taking reference from the AWS documentation, I started writing the following query, but it's not working:
fields #timestamp, #message, #logStream
| PARSE #message "* [*] [*] *" as loggingTime, requestId, loggingType, loggingMessage
| sort #timestamp desc
| display loggingTime, requestId, loggingType, loggingMessage
| limit 200
But the above parsing expression is not working. Can someone suggest how this message can be parsed?
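The line format in the question is four space-separated fields (timestamp, request ID, level) followed by free text. As an added example that is not part of the question, the parser below does the same split in Python over constructed sample lines (the first reuses the question's timestamp and request ID with a shortened message), validates the timestamp and UUID, and rejects lines that do not fit. Note that the message is the only field allowed to contain spaces or brackets, which is why the bracketed pattern in the posted query cannot match: the raw line has no literal `[` or `]` around the request ID or level.

```python
import re
import uuid
from datetime import datetime

# Constructed sample lines (not real CloudWatch output) in the shape shown in
# the question: "<ISO timestamp> <request id> <LEVEL> <free text>".
SAMPLE_LINES = [
    "2022-08-04T12:55:52.395Z 1d42aae9-740f-437d-bdf1-4e8c747e0f04 INFO 14 Field Service activities within Launch Advisory are a core set of activities.",
    "2022-08-04T12:55:53.001Z 7a6f1c2e-1b3d-4e5f-8a9b-0c1d2e3f4a5b ERROR Timed out [retry 3/3] calling downstream",
    "not a structured line at all",
]

# The first three fields are anchored and non-greedy; only the message may
# contain spaces or brackets, so it is the single greedy group at the end.
LINE_RE = re.compile(
    r"^(?P<loggingTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+"
    r"(?P<requestId>[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\s+"
    r"(?P<loggingType>[A-Z]+)\s+"
    r"(?P<loggingMessage>.*)$"
)


def parse_line(line):
    """Return the four fields as a dict, or None when the line does not fit.

    The timestamp and request id are re-validated as real values, so a line
    that merely looks right (e.g. a malformed UUID) is rejected rather than
    silently producing garbage fields.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        # fromisoformat does not accept a trailing "Z" on older Pythons.
        datetime.fromisoformat(rec["loggingTime"].replace("Z", "+00:00"))
        uuid.UUID(rec["requestId"])
    except ValueError:
        return None
    return rec


def parse_lines(lines):
    """Parse a batch; return (parsed records, number of rejected lines)."""
    parsed = [parse_line(line) for line in lines]
    return [p for p in parsed if p is not None], sum(p is None for p in parsed)


if __name__ == "__main__":
    records, rejected = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(rec["loggingTime"], rec["requestId"], rec["loggingType"], "|", rec["loggingMessage"])
    print("rejected:", rejected)
```

The same shape carries over to Logs Insights: a glob of four wildcards separated by single spaces, or a regex with named capture groups, is the equivalent of the pattern above, and the built-in fields are `@timestamp` and `@message`.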

Azure log analytics - get logs for all users in global administrator role

I'm sorry for not having much to go on with this. My boss has asked for logs of all administrative actions performed in Azure. I did some research and was able to set up Log Analytics to get all administrative logs from Azure Activity. I also sent all of the AAD audit logs to Log Analytics. My issue is now filtering through the audit logs with KQL. I have no clue how to pull the logs from only the users in the global admin role. If someone could point me in the right direction it would be greatly appreciated.
AzureActivity
| where TimeGenerated > ago(70d)
| where Caller contains "#yourdomain.com"
//| where ResourceProviderValue contains "MICROSOFT.MIGRATE"
//| where ActivityStatusValue contains "Success"
| where ActivityStatusValue !contains "Start"
| extend ResourceName = Properties_d.resource
| project
TimeGenerated,
Caller,
ResourceName,
ResourceGroup,
ResourceProviderValue,
ActivityStatusValue,
ActivitySubstatusValue,
CallerIpAddress,
CategoryValue,
OperationNameValue
| sort by TimeGenerated desc

how to check if splunk has received the logs from 100 different hosts

I am new to Splunk. I wanted to create a Splunk alert to check whether logs have been received from all the hosts or not, and if not, set an alert trigger.
| tstats latest(_time) as latest where index=* earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
Is the above Splunk query correct?
The query looks good, but the best way to know is to try it. Does it produce the desired results?
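The Sentinel CEF question at the top of this page and the Splunk question above are the same detection problem: decide which log sources have gone quiet. A "count per source over the last N hours" query can only list sources that did send something, so it can never surface a source with zero rows; the working shape is to take a longer baseline, find each source's newest event, and alert when that is older than the silence threshold (in KQL, `summarize max(TimeGenerated) by <source>` followed by `where ... < ago(...)`; the posted `tstats latest(_time) ... where recent=0` already does this in SPL). The block below is an added example, written here in Python rather than KQL or SPL and not posted by either asker, that runs both approaches over constructed events so the difference is visible; source names and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry): (event time, source key).
# The source key stands in for the CEF device fields in the Sentinel question
# or the host field in the Splunk question; the logic is identical.
NOW = datetime(2022, 8, 5, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(minutes=2),  "fw-edge-01"),
    (NOW - timedelta(minutes=30), "fw-edge-01"),
    (NOW - timedelta(minutes=3),  "proxy-02"),
    (NOW - timedelta(hours=9),    "vpn-03"),      # silent for 9 h: should alert
    (NOW - timedelta(days=3),     "old-ids-04"),  # last seen before the baseline: not tracked
]


def recent_counts(events, now, window):
    """What a 'summarize count() by source | where count_ == 0' query sees.

    Only sources that logged inside `window` produce a row, so a source that
    stopped entirely is simply absent: there is no zero to filter on.
    """
    counts = {}
    for ts, src in events:
        if ts > now - window:
            counts[src] = counts.get(src, 0) + 1
    return counts


def stale_sources(events, now, baseline, silence):
    """Sources seen at least once within `baseline` whose newest event is
    older than `silence`. Returns {source: minutes since last event}.

    This is the max(TimeGenerated)-per-source / latest(_time)-per-host shape:
    the baseline defines the set of sources expected to report, and the
    silence threshold decides which of them should raise an alert.
    """
    last_seen = {}
    for ts, src in events:
        if ts > now - baseline and (src not in last_seen or ts > last_seen[src]):
            last_seen[src] = ts
    cutoff = now - silence
    return {
        src: int((now - ts).total_seconds() // 60)
        for src, ts in last_seen.items()
        if ts < cutoff
    }


if __name__ == "__main__":
    print("seen in last hour:", recent_counts(EVENTS, NOW, timedelta(hours=1)))
    print("stale (24h baseline, 1h silence):",
          stale_sources(EVENTS, NOW, timedelta(hours=24), timedelta(hours=1)))
    print("stale (24h baseline, 5m silence):",
          stale_sources(EVENTS, NOW, timedelta(hours=24), timedelta(minutes=5)))
```

Pick the baseline longer than the longest silence you still consider normal (a quiet weekend for a business-hours appliance, for instance), otherwise the source drops out of the expected set and stops alerting exactly when you want to hear about it.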

Azure Monitor Alert based on Custom Metric

I've created a custom metric to monitor free disk C: space on my Azure VM.
But when I'm trying to create an alert rule (not classic), I can't find my custom metric in the options list. I'm thinking that this is due to the fact that I'm using the new alert rules instead of the classic rules.
Has someone succeeded to create a new alert rule based on a custom metric?
Using a query can give me the output, but I don't know where this info is coming from (VM extension? Diagnostic log?):
Perf
| where TimeGenerated >ago(1d)
| where CounterName == "% Free Space" and ObjectName == "LogicalDisk" and InstanceName == "C:" and CounterValue > 90
| sort by TimeGenerated desc