Query Details

Anomalous Bat Exec Timeline

Query

// Get the top 5 devices whose bat executions have had the most anomalous increase
let interval = 12h;
let BatEvents = DeviceEvents
| where isnotempty(DeviceName)
| where FileName endswith ".bat";
BatEvents
| make-series BatCount = count() on Timestamp from ago(30d) to now() step interval by DeviceName
| extend (flag, score, baseline) = series_decompose_anomalies(BatCount)
| mv-expand with_itemindex = FlagIndex flag to typeof(int) // Expand the flag array, keeping each element's position as FlagIndex
| where flag == 1  // Keep only positive anomalies (spikes); flag == -1 marks dips
| extend SpikeScore = todouble(score[FlagIndex]) // Read the anomaly score at the same position as the spike
| summarize MaxScore = max(SpikeScore) by DeviceName
| top 5 by MaxScore desc
| join kind=rightsemi BatEvents on DeviceName // Rejoin top 5 anomalous devices to all their BatEvents
| summarize BatCount = count() by DeviceName, bin(Timestamp, interval)
| render timechart

Explanation

This query finds the five devices whose .bat activity showed the sharpest anomalous increase over the last 30 days. It first narrows DeviceEvents to rows that have a DeviceName and a FileName ending in ".bat", then uses make-series to build, per device, a count of those events in 12-hour bins (bins with no events are filled with 0). series_decompose_anomalies decomposes each series into baseline, seasonal and residual components and returns, for every bin, an anomaly flag (1 for a spike, -1 for a dip, 0 otherwise) and an anomaly score. The flag array is expanded together with its index so that the matching entry of the score array can be read; only bins with flag == 1 are kept, so dips are ignored. The query then keeps the highest spike score per device, takes the top 5, and uses a rightsemi join to pull back every .bat event for those devices, which it re-bins to the same 12-hour interval and renders as a time chart.

Two caveats when tuning it. The filter is on FileName alone, and DeviceEvents holds many ActionType values, so the count includes any DeviceEvents row whose FileName is a .bat file, whatever its ActionType, not only process launches; add an ActionType filter, or query DeviceProcessEvents instead, if only executions should be counted. Also, series_decompose_anomalies applies a default anomaly threshold of 1.5; pass an explicit threshold as its second argument to make detection stricter or looser, and read the baseline array before acting on a hit, since a device with very little normal .bat activity can score highly on a handful of events because the residual spread the score is measured against is small.
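As an added example (not part of the original query or the author's code), the same detection in KQL, written so that it runs on any Kusto cluster without a Defender workspace: the .bat events are constructed inline with range and mv-expand, and the device names (wks-01, wks-02, wks-03), the per-bin counts and the single large spike on wks-02 are invented for illustration. Instead of rendering a chart it returns, per device, the highest-scoring spike with its time bin, observed count and baseline, and exposes the anomaly threshold as a parameter.

```kusto
// Added example, not the original query. Same anomaly logic, but with constructed data
// and a per-device triage row instead of a timechart.
let interval = 12h;
let threshold = 1.5;   // series_decompose_anomalies default; raise it to report only larger spikes
let start = bin(ago(30d), interval);
// Constructed events (not real telemetry): wks-01 is steady, wks-02 runs 25 .bat files in bin 40,
// wks-03 has one empty bin (a dip) in bin 20. Per-bin counts use a fixed pseudo-noise formula.
let SampleBatEvents =
    range i from 0 to 59 step 1
    | extend Timestamp = start + i * interval
    | extend DeviceName = dynamic(["wks-01", "wks-02", "wks-03"])
    | mv-expand DeviceName to typeof(string)
    | extend n = case(DeviceName == "wks-02" and i == 40, 25,
                      DeviceName == "wks-03" and i == 20, 0,
                      2 + (i % 3) + ((i * i) % 7))
    | extend FileName = "logon.bat"
    | where n > 0
    | mv-expand r = range(1, n, 1)   // replicate each row n times: one row per .bat event
    | project Timestamp, DeviceName, FileName;
SampleBatEvents
| make-series BatCount = count() on Timestamp from start to start + 60 * interval step interval by DeviceName
| extend (flag, score, baseline) = series_decompose_anomalies(BatCount, threshold)
| mv-expand with_itemindex = FlagIndex flag to typeof(int)
| where flag == 1                                   // spikes only; -1 marks dips
| extend SpikeTime = todatetime(Timestamp[FlagIndex]),
         SpikeScore = todouble(score[FlagIndex]),
         Observed = tolong(BatCount[FlagIndex]),
         Expected = todouble(baseline[FlagIndex])
| summarize arg_max(SpikeScore, SpikeTime, Observed, Expected) by DeviceName
| top 5 by SpikeScore desc
```

To run it against real data, replace SampleBatEvents with the BatEvents definition from the query above (adding an ActionType filter if only process launches should count) and the from/to bounds with ago(30d) and now(); the rest of the pipeline is unchanged. On the constructed data wks-02 should come out on top with Observed 25 well above its baseline; wks-03's empty bin, if flagged at all, gets flag -1 and is filtered out, and wks-01 produces no spike row.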

Details

C.J. May

Released: November 8, 2021

Tables

DeviceEvents

Keywords

Devices, DeviceEvents, DeviceName, FileName, BatEvents, Timestamp, flag, score, baseline, FlagIndex, SpikeScore, MaxScore
