KQL Azure Alert only fire if other event has not been logged

Catcha24
April 6, 2023
141 views
0 votes
2 Answers

I have a basic azure alert where it looks at the windows logs of a VM, and determines whether it should fire an alert upon detecting a specific event ID

Event | where EventID == "500" | summarize arg_max(TimeGenerated, *) by ParameterXml | project TimeGenerated, Computer, EventID, RenderedDescription | order by TimeGenerated

The conditions are whether the event is detected once or more in the space of 5 minutes. I’m looking to have some alert logic in there where it only fires, if additional alert event "650" has not fired.

I have tried using joins to attach the additional event ID onto the query, but unsure how to parse the logic to say not fired

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log-query (Example 4)

Summary

Fire alert if event id 500 detected and event id 650 not detected

Answers

- SteffenZeidler
- April 6, 2023 at 2:31 pm
- 0 votes
0
A possible solution:
```
Event
| where EventID in (500, 650)
| summarize
    arg_max(iff(EventID == 500, TimeGenerated, datetime(null)), *),
    Cond= countif(EventID == 650) == 0
    by Computer
| where Cond
| project TimeGenerated, Computer, EventID, RenderedDescription
| order by TimeGenerated
```
The summarize line filters the newest event with ID 500 and counts the events with ID 650.
Login or Signup to reply.

- SteffenZeidler
- April 7, 2023 at 12:30 pm
- 0 votes
0
A possible solution with join leftanti:
```
Event
| where EventID in (500, 650)
| summarize arg_max(TimeGenerated, *) by EventID, Computer
| as T
| where EventID == 500
| join kind=leftanti (T | where EventID == 650) on Computer
```
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.