updating fields
This commit is contained in:
Родитель
823e18e7fa
Коммит
4f2151a13c
|
@ -30,9 +30,9 @@ query: |
|
|||
let activity = AzureActivity
|
||||
| where TimeGenerated >= startofday(ago(lookback))
|
||||
// We look for any Operation that created and then succeeded where ActivitySubstatusValue has a value so that we can provide context
|
||||
| where OperationName has "Create"
|
||||
| where OperationNameValue endswith "write"
|
||||
| where ActivityStatusValue has "Succeeded"
|
||||
| make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller, Resource, OperationName
|
||||
| make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller, Resource, OperationNameValue
|
||||
| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)
|
||||
// Comment slope reference below to see all returns
|
||||
| where Slope > 0.2
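Review bot: The new filter `| where OperationNameValue endswith "write"` is broader than the `OperationName has "Create"` it replaces: in Azure Activity, updates to existing resources are (to my knowledge) also logged with a `…/write` operation value, so PUT/PATCH on resources that already exist now feed `dcount(ResourceId)` too, while the comment two lines above still says the query looks for operations that "created". Either keep a creation-only signal or change the comment to `// We look for any successful ARM write (create or update); ActivitySubstatusValue is used later in the details subquery to add context`, and consider `endswith "/write"` so the match is anchored on the operation segment rather than on any name that happens to end in "write". The rewritten make-series also still hard-codes `range(startofday(ago(7d)), now(), 1d)` while the `TimeGenerated` filter above uses `lookback`; `startofday(ago(lookback))` would keep the series window and the filter window in step when `lookback` is tuned. `lookback` is declared before this hunk.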
|
||||
|
@ -41,13 +41,13 @@ query: |
|
|||
AzureActivity
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
// We look for any Operation that created and then succeeded where ActivitySubstatusValue has a value so that we can provide context
|
||||
| where OperationName has "Create"
|
||||
| where OperationNameValue endswith "write"
|
||||
| where ActivityStatusValue has "Succeeded"
|
||||
| make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(1d)), now(), 1d) by Caller, Resource, OperationName
|
||||
| make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(1d)), now(), 1d) by Caller, Resource, OperationNameValue
|
||||
| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)
|
||||
// Comment slope reference below to see all returns
|
||||
| where Slope > 0.2
|
||||
) on Caller, Resource, OperationName
|
||||
) on Caller, Resource, OperationNameValue
|
||||
// Expanding the fields that were grouped so we can match on a time window when we join the details later
|
||||
| mvexpand EventSubmissionTimestamp, dResourceCount
|
||||
// Making sure the fields are the right type or the join fails
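Review bot: The filter pair `| where OperationNameValue endswith "write"` / `| where ActivityStatusValue has "Succeeded"` is now repeated here, in the `activity` query above and in the details subquery below, and this commit had to apply the field rename in all three places while the join key `) on Caller, Resource, OperationNameValue` has to be kept in sync with the `by` clause of both make-series statements by hand. Hoisting the common part into a let, e.g. `let succeededWrites = AzureActivity | where OperationNameValue endswith "write" | where ActivityStatusValue has "Succeeded";`, and starting each branch from it (the time filters differ per branch and would stay where they are) would make the next field change a one-line edit and reduce the chance of the join keys drifting from the grouping keys. The join statement this hunk belongs to, and the `starttime`/`endtime` definitions it relies on, start before the hunk.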
|
||||
|
@ -56,10 +56,10 @@ query: |
|
|||
AzureActivity
|
||||
| where TimeGenerated between(starttime..endtime)
|
||||
// We look for any Operation that created and then succeeded where ActivitySubstatusValue has a value so that we can provide context
|
||||
| where OperationName has "Create"
|
||||
| where OperationNameValue endswith "write"
|
||||
| where ActivityStatusValue has "Succeeded" and isnotempty(ActivitySubstatusValue)
|
||||
| summarize by EventSubmissionTimestamp = bin(EventSubmissionTimestamp, 1d), Caller, CallerIpAddress, OperationName, ActivityStatusValue, Resource, ResourceGroup, ResourceId, SubscriptionId
|
||||
) on EventSubmissionTimestamp, Caller, Resource, OperationName;
|
||||
| summarize by EventSubmissionTimestamp = bin(EventSubmissionTimestamp, 1d), Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, Resource, ResourceGroup, ResourceId, SubscriptionId
|
||||
) on EventSubmissionTimestamp, Caller, Resource, OperationNameValue;
|
||||
let NetworkAnalytics =
|
||||
union isfuzzy=true
|
||||
(AzureNetworkAnalytics_CL
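Review bot: The details subquery filters on `isnotempty(ActivitySubstatusValue)` and the comment above it says the substatus is kept "so that we can provide context", but the rewritten `summarize by` on the next line does not carry `ActivitySubstatusValue` through, so the field is used only to drop rows and never reaches the joined output. Add it to the grouping key: `| summarize by EventSubmissionTimestamp = bin(EventSubmissionTimestamp, 1d), Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, ActivitySubstatusValue, Resource, ResourceGroup, ResourceId, SubscriptionId`. Grouping on `CallerIpAddress` also means a caller acting from several addresses on the same day produces several detail rows that all join back to the same daily series point; if that fan-out is intended, a one-line comment saying so would help the next reader. The join this subquery closes with `) on EventSubmissionTimestamp, Caller, Resource, OperationNameValue;` starts before this hunk.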
|
||||
|
@ -101,4 +101,4 @@ query: |
|
|||
;
|
||||
activity | join kind= leftouter (NetworkAnalytics
|
||||
) on $left.Resource == $right.NSG_Name
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
|
||||
|
|