cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help with a query to count

Porter76
Brass Contributor

‎Sep 22 2023 08:03 AM

‎Sep 22 2023 08:03 AM

Help with a query to count

Porter76_0-1695394945398.png

Trying to create a query that will count all of the diffrent ruleid's over the past week but having a hard time. Any help appreciated.

 

Thanks!

Labels:
782 Views
0 Likes
4 Replies
Reply
4 Replies
Clive_Watson

‎Sep 22 2023 03:48 PM

‎Sep 22 2023 03:48 PM

Re: Help with a query to count

@Porter76 

 

Its will be similar to this, you'll have to amend lines 1 & 2 to match your Table and Columns 

 

AzureActivity
| extend ruleID = tostring(parse_json(Properties).activitySubstatusValue)
| summarize count() by ruleID

 

0 Likes
Reply
Porter76

‎Sep 25 2023 10:47 AM - edited ‎Sep 25 2023 10:51 AM

‎Sep 25 2023 10:47 AM - edited ‎Sep 25 2023 10:51 AM

Re: Help with a query to count

Thanks so much Clive, that worked like a charm.
Is it possible to create an alert in log analytics whenever the count for a particular WAF rule being triggered exceeds a certain threshold in a given time frame?

i.e. if the count for "AWSManagedRulesAnonymousIpList" was typically 1000 in an hour and spiked to 15000, how can I alert on this?

0 Likes
Reply
Clive_Watson

‎Sep 25 2023 12:16 PM

‎Sep 25 2023 12:16 PM

Re: Help with a query to count

@Porter76 

 

AWSCloudTrail
| where TimeGenerated > ago(1h)
//| summarize count() by EventSource
| count
| where Count > 1000

or

AWSCloudTrail
| where TimeGenerated > ago(1d)
| summarize countPerHour=count() by EventSource, bin(TimeGenerated,1h)
| where countPerHour > 1000

 

0 Likes
Reply
Porter76

‎Sep 26 2023 06:11 AM

‎Sep 26 2023 06:11 AM

Re: Help with a query to count

Thanks Clive, could you explain the difference bewteen the 2 here? How would I apply this to a specific ruleid?
0 Likes
Reply