KQL Search

Query Details

HomeAI ToolsDevice Query

Anomalies Unusual Anomaly

Query

let query_frequency = 1h;
let query_lookback = 3d;
let _MonitoredRules = toscalar(
    _GetWatchlist('AlertName-SubstitutedDetections')
    | where ProductName == "Anomalies"
    | summarize make_list(AlertName)
);
Anomalies
| where TimeGenerated > ago(query_frequency)
| where not(replace_string(replace_string(RuleName, "(Preview) ", ""), " - Customized", "") in (_MonitoredRules))
| join kind = leftanti (
    Anomalies
    | where TimeGenerated between (ago(query_frequency + query_lookback) .. ago(query_frequency))
    | distinct RuleName
) on RuleName

Explanation

This KQL query is designed to identify specific anomaly detection rules that have generated alerts within the last hour but have not done so in the previous three days. Here's a breakdown of what the query does:

  1. Parameters Definition:

    • query_frequency is set to 1 hour, indicating the recent time window for analysis.
    • query_lookback is set to 3 days, representing the historical period to compare against.

  2. Watchlist Retrieval:

    • It retrieves a list of monitored alert names from a watchlist named 'AlertName-SubstitutedDetections' where the product name is "Anomalies".

  3. Current Alerts Filtering:

    • It filters the Anomalies table to include only those alerts generated in the last hour (query_frequency).

  4. Exclusion of Monitored Rules:

    • It excludes alerts whose rule names, after removing "(Preview) " and " - Customized" from their names, are present in the monitored rules list.

  5. Historical Comparison:

    • It performs a left anti join with another set of Anomalies data, which includes distinct rule names from the past 3 days up to 1 hour ago.
    • This step ensures that only rules that have not generated alerts in the previous 3 days are considered.

In summary, the query identifies anomaly detection rules that have triggered alerts in the last hour but did not trigger any alerts in the preceding three days, excluding certain monitored rules.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: November 25, 2024

Tables

Anomalies

Keywords

AnomaliesAlertNameProductNameRuleNameTimeGenerated

Operators

lettoscalarwheresummarizemake_listagoreplace_stringinjoinkindbetweendistinct

Actions