I am attempting to create an alert that lets me know if a data source stops providing logs to Sentinel. While I know it displays anomalies in log data on the dash board, I am hoping to receive alerts if a source stops providing logs for an extended period of time.
Asked
Active
Viewed 640 times
0
-
You need to provide a minimal code to reproduce the problem. See more details on how to post a question at this link: https://stackoverflow.com/help/minimal-reproducible-example – Usama Abdulrehman Jun 17 '20 at 00:41
1 Answers
0
Something like creating a rule with the following query (CEF in this case):
CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize count() by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID
| where count_ == 0
Ofer Shezaf
- 46
- 2