Query Details

Sys Log Detect Anomalies In Events

Query

//Detect potential anomalous increase in syslog volume, adjust time frames to suit
// Step 1: find computers whose 15-minute syslog volume contains an outlier bin
let Computers=Syslog_CL
    | where TimeGenerated >= ago(4d)
    | summarize EventCount=count() by Computer, bin(TimeGenerated, 15m)
    // keep only busy bins; lower this threshold for quieter environments
    | where EventCount >= 1000
    | order by TimeGenerated
    // collapse each computer's bins into arrays so they can be scored as a series
    | summarize EventCount=make_list(EventCount), TimeGenerated=make_list(TimeGenerated) by Computer
    // 1 flags a bin well above the decomposed baseline (score threshold 2); -1 would flag a dip
    | extend outliers=series_decompose_anomalies(EventCount, 2)
    | mv-expand TimeGenerated, EventCount, outliers
    | where outliers == 1
    | distinct Computer
;
// Step 2: chart the 15-minute volume of those computers over the same window
Syslog_CL
| where TimeGenerated >= ago(4d)
| where Computer in (Computers)
| summarize EventCount=count() by Computer, bin(TimeGenerated, 15m)
| render timechart

Explanation

This query looks for potentially abnormal increases in syslog volume. It first finds computers that have produced at least 1000 syslog events within a single 15-minute bin during the past 4 days. It then treats each computer's per-bin event counts as a series and flags outlier bins using the series decomposition algorithm (series_decompose_anomalies). Finally, it retrieves the syslog events for the flagged computers over the same 4-day window and renders their event counts over time as a timechart.
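
An added variant of the query above (not part of the original page) that builds an evenly spaced series with make-series, so that series_decompose_anomalies scores every 15-minute bin including quiet ones (zero-filled), and returns the anomalous bins with their baseline and score instead of only the computer names. It assumes the same Syslog_CL table and Computer column used by the original query.

```kql
// Added example: score every 15-minute bin per computer and list the anomalous ones
Syslog_CL
| where TimeGenerated >= ago(4d)
// make-series yields a regular series; default=0 fills bins with no events
| make-series EventCount=count() default=0 on TimeGenerated from ago(4d) to now() step 15m by Computer
// anomalies: 1 = spike above baseline, -1 = dip, 0 = normal; score threshold 2 as in the original
| extend (anomalies, score, baseline)=series_decompose_anomalies(EventCount, 2)
| mv-expand TimeGenerated to typeof(datetime), EventCount to typeof(long), anomalies to typeof(int), score to typeof(double), baseline to typeof(double)
// keep only positive spikes, the "anomalous increase" the original query is after
| where anomalies == 1
| project Computer, TimeGenerated, EventCount, Baseline=round(baseline), Score=round(score, 2)
| order by Computer asc, TimeGenerated asc
```

Because the series covers the whole window rather than only bins over 1000 events, the result also surfaces spikes on low-volume hosts; keep the original threshold filter if those are noise in your environment.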

Details


Matt Zorich

Released: August 20, 2021

Tables

Syslog_CL

Keywords

Devices, Syslog_CL

Operators

let, where, summarize, count(), by, bin(), order by, extend, make_list(), series_decompose_anomalies(), mv-expand, distinct, in, render, timechart
