KQL Search

Query Details

HomeAI ToolsDevice Query

Anamoly Higher Than Expected Sys Log

Query

//Returns any machines with a significant increase in syslog events over the last 5 days in every 30 minutes of data
let starttime = 5d;
let timeframe = 30m;
let Computers=Syslog
    | where TimeGenerated >= ago(starttime)
    | summarize EventCount=count() by Computer, bin(TimeGenerated, timeframe)
    | where EventCount > 1500
    | order by TimeGenerated
    | summarize EventCount=make_list(EventCount), TimeGenerated=make_list(TimeGenerated) by Computer
    | extend outliers=series_decompose_anomalies(EventCount, 2)
    | mv-expand TimeGenerated, EventCount, outliers
    | where outliers == 1
    | distinct Computer
;
Syslog
| where TimeGenerated >= ago(starttime)
| where Computer in (Computers)
| summarize EventCount=count() by Computer, bin(TimeGenerated, timeframe)
| render timechart

Explanation

This query looks for machines that have had a significant increase in syslog events over the last 5 days, with data collected every 30 minutes. It first identifies machines with an event count greater than 1500, then orders them by time generated. It then decomposes the event count data to identify outliers, and selects machines where outliers are present. Finally, it retrieves the syslog events for the identified machines and visualizes the event count over time.

Details

Matt Zorich profile picture

Matt Zorich

Released: August 20, 2021

Tables

Syslog

Keywords

Devices,Syslog

Operators

| where| summarize| count()| by| bin()| order by| extend| series_decompose_anomalies()| mv-expand| distinct| render

Actions