Sentinel Alert on below average log activity

GarudaLead-8570 46 Reputation points
2022-01-28T00:43:39.007+00:00

Is it possible run a query in sentinel that averages out the last 7 days of daily total log events for our monitored servers and then trigger an alert if the last 24hours shows shows events is a certain percentage below the 7 day average?

I have heartbeat queries and alerts setup but if the server and the agent are still up we won't be notified if logs stop for whatever reason.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
975 questions
0 comments
Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-01-28T04:15:31.373+00:00

    What you are describing sounds like a 'series decompose anomalies' query. Though you likely are better to track when data collection stops for longer than desired. There are less complicated ways to achieve the result. Event volume anomaly detection could be misleading.

    //Data collection to any table has stopped

    let DownLimit = ago(1d);
    union withsource=TableName1 *
    | project TimeGenerated, TableName1
    | summarize arg_max(TimeGenerated, *) by TableName1
    | where TimeGenerated < DownLimit

    //No security evens received from a Windows device in over an hour

    let DownLimit = ago(1h);
    SecurityEvent
    | project TimeGenerated, Computer
    | summarize arg_max(TimeGenerated, *) by Computer
    | where TimeGenerated < DownLimit

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest