Query Details

Zscaler Internet Access Data Gap Detection

Query

//This query checks for gaps in Zscaler Internet Access data ingestion
//Returns results if no logs received in past 2 hours
//Zero results indicate normal operation
CommonSecurityLog
| where DeviceVendor == "Zscaler" and DeviceProduct == "NSSWeblog"
| where TimeGenerated > ago(30d)
| summarize last_log = datetime_diff("second", now(), max(TimeGenerated))
| where last_log >= 7200

Explanation

This query is designed to monitor the data ingestion from Zscaler Internet Access logs. It specifically checks for any gaps in the data received. Here's a simple breakdown:

  1. Data Source: It looks at logs from Zscaler, specifically those labeled as "NSSWeblog."

  2. Time Frame: It considers logs generated in the last 30 days.

  3. Data Check: It calculates the time difference in seconds between the current time and the most recent log entry.

  4. Alert Condition: If the most recent log entry is older than 2 hours (7200 seconds), it returns results indicating a potential issue with data ingestion.

  5. Normal Operation: If there are no results returned, it means logs are being received normally without any significant gaps.
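As an added example (not the page's query and not the author's), the same gap check generalised to a watch list of feeds, with one result row per feed that has gone stale. It also covers a case the single-feed query leaves silent: if a feed has produced no rows at all in the 30-day window, `max(TimeGenerated)` is null, the comparison with 7200 evaluates to null, and the original query returns zero rows, which reads as normal operation. The `expected_feeds` table is constructed here; only the Zscaler / NSSWeblog pair comes from this page, and the look-back and threshold values are the page's own.

```kql
// Added example: gap detection across a watch list of CommonSecurityLog feeds.
// Differences from the single-feed query above:
//   - one row per (DeviceVendor, DeviceProduct) that is stale
//   - feeds with no rows in the look-back window are reported instead of dropped
let lookback = 30d;            // same window as the page's query
let max_gap_seconds = 7200;    // same 2-hour threshold as the page's query
// Constructed watch list of feeds that are expected to keep ingesting.
// Only the Zscaler / NSSWeblog pair is from the page; add further rows for your own feeds.
let expected_feeds = datatable(DeviceVendor:string, DeviceProduct:string)
[
    "Zscaler", "NSSWeblog"
];
expected_feeds
| join kind=leftouter (
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | summarize last_seen = max(TimeGenerated) by DeviceVendor, DeviceProduct
) on DeviceVendor, DeviceProduct
// A feed with no rows in the window has a null last_seen after the left outer join;
// treat it as last seen at the start of the window so the gap is reported, not dropped.
| extend seconds_since_last_log = datetime_diff("second", now(), coalesce(last_seen, ago(lookback)))
| where seconds_since_last_log >= max_gap_seconds
| project DeviceVendor, DeviceProduct, last_seen, seconds_since_last_log,
          status = iff(isnull(last_seen), "no logs in look-back window", "stale")
| order by seconds_since_last_log desc
```

As with the original, zero rows means every listed feed has reported within the threshold; a row with `status == "no logs in look-back window"` is the total-outage case that the single-feed form cannot surface.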

Details

Peter Upfold

Released: November 10, 2024

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, DeviceVendor, DeviceProduct, TimeGenerated

Operators

where, and, >, ago, summarize, datetime_diff, now, max, >=