Query Details

Multiple Stopped Event Reception

Query

// This is a heavy query, please, don't use it with query frequencies lower than 1h
let query_frequency = 1h;
let query_period = 3d;
let _ExpectedFrequencies =
    _GetWatchlist('DataType-IngestedTables')
    | project Type, Critical, ExpectedIngestionFrequency = totimespan(Frequency)
;
union withsource=_Type
    //This is a comment
    * // withsource= is just used to bypass the Analytics rule wizard
| where TimeGenerated > ago(query_period)
| summarize IngestionTime = max(ingestion_time()) by Type
| lookup kind=leftouter _ExpectedFrequencies on Type
| where IngestionTime between (ago(ExpectedIngestionFrequency + query_frequency) .. ago(ExpectedIngestionFrequency))
| extend
    TimespanWithoutIngestion = now() - IngestionTime,
    AlertSeverity = case(
        Critical == "true", "High",
        "Informational"
        )
| project Type, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, AlertSeverity

Explanation

This query monitors the ingestion time of each data type. It reads the expected ingestion frequency for every data type from a watchlist, then compares the most recent ingestion time observed in the last three days with that expected frequency. A data type is reported when its last ingestion falls in the window that starts one expected frequency plus one query frequency ago and ends one expected frequency ago, i.e. when ingestion stopped during the slot covered by the current scheduled run; for those types the query computes the timespan without ingestion and assigns an alert severity from the data type's criticality (High for critical types, Informational otherwise). The query should not be used with query frequencies lower than 1 hour.
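The window logic above, re-implemented in Python as an added example (not the original query or the author's code) so it can be checked against constructed data: the watchlist contents, the table names, the fixed "now" and the sample ingestion timestamps are all assumptions made up for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the 'DataType-IngestedTables' watchlist: Type -> (Critical, expected frequency)
WATCHLIST = {
    "SecurityEvent": ("true", timedelta(minutes=15)),
    "Syslog": ("false", timedelta(hours=6)),
    "CommonSecurityLog": ("true", timedelta(hours=1)),
    "AzureActivity": ("false", timedelta(hours=1)),
}

def check_stopped_ingestion(last_ingestion, watchlist, now,
                            query_frequency=timedelta(hours=1)):
    """last_ingestion maps Type -> max(ingestion_time()) within the lookback.
    A type is reported only when that timestamp lies inside
    [now - (expected + query_frequency), now - expected] (KQL 'between' is inclusive)."""
    alerts = []
    for data_type, ingestion_time in last_ingestion.items():
        entry = watchlist.get(data_type)
        if entry is None:
            # lookup kind=leftouter leaves ExpectedIngestionFrequency null and
            # 'between' against null is false, so unlisted types drop out.
            continue
        critical, expected = entry
        window_start = now - (expected + query_frequency)
        window_end = now - expected
        if not (window_start <= ingestion_time <= window_end):
            continue  # still fresh, or already reported by an earlier run
        alerts.append({
            "Type": data_type,
            "Critical": critical,
            "ExpectedIngestionFrequency": expected,
            "TimespanWithoutIngestion": now - ingestion_time,
            "AlertSeverity": "High" if critical == "true" else "Informational",
        })
    return alerts

# Constructed sample: the latest ingestion_time() seen per table at a fixed 'now'.
NOW = datetime(2022, 9, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_LAST_INGESTION = {
    "SecurityEvent": NOW - timedelta(minutes=30),      # in [now-75m, now-15m]: alert
    "Syslog": NOW - timedelta(hours=6, minutes=30),    # in [now-7h, now-6h]: alert
    "CommonSecurityLog": NOW - timedelta(minutes=90),  # in [now-2h, now-1h]: alert
    "AzureActivity": NOW - timedelta(hours=4),         # before its window: not repeated
    "Heartbeat": NOW - timedelta(minutes=10),          # not in the watchlist: dropped
}

def run_sample():
    return check_stopped_ingestion(SAMPLE_LAST_INGESTION, WATCHLIST, NOW)
```

Consecutive runs tile time without gaps or overlaps only when the rule's scheduled interval equals `query_frequency`; scheduling it less often leaves stops unreported, scheduling it more often reports the same stop repeatedly.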

Details

Jose Sebastián Canós

Released: September 30, 2022

Tables

_Type
