Defender Advance Query
I was looking for some advice or help on my query. Basically I am trying to create a query to detect possible anomalies against emails attachment from sender rending it into a linechart. For some reason it's not letting me render it (| render linechart). Can't figure for the life of me, but the resulted fine without chart. Thanks a head of time.
let interval = 12h;
// Anomaly threshold
let AnomalyThreshold = 1;
//Distinct Sender Threshold
let SenderThreshold = 5;
EmailAttachmentInfo
// Make a series based on Distinct Mail by file types
| make-series DistinctMailCount = count() on Timestamp from ago(10d) to now() step interval by FileType , SenderFromAddress
// Do anomaly detection on DistinctMailCount
| extend (AnomaliesDetected, AnomaliesScore, AnomaliesBaseline) = series_decompose_anomalies(DistinctMailCount, AnomalyThreshold, -1, 'linefit')
// Place all the items on a single line
| mv-expand DistinctMailCount to typeof(double), Timestamp to typeof(datetime), AnomaliesDetected to typeof(double), AnomaliesScore to typeof(double), AnomaliesBaseline to typeof(long)
// Show all rows with a detected anomaly and where the threshold is higher than DeviceThreshold
| where AnomaliesDetected == 1 and DistinctMailCount >= SenderThreshold
| summarize count() by SenderFromAddress, bin(Timestamp, interval), FileType
Solution
Maybe this helps:
let interval = 1h;
let AnomalyThreshold = 1;
let SenderThreshold = 1;
let EmailAttachmentInfo = datatable (SenderFromAddress:string, Timestamp:datetime, FileType:string, DistinctMailCount:long)
[
'sender1@example.com', datetime(2024-07-01T00:00:00Z), 'pdf', 6,
'sender2@example.com', datetime(2024-07-01T12:00:00Z), 'docx', 8,
'sender3@example.com', datetime(2024-07-02T00:00:00Z), 'xlsx', 7,
'sender1@example.com', datetime(2024-07-02T12:00:00Z), 'pdf', 10,
'sender2@example.com', datetime(2024-07-03T00:00:00Z), 'docx', 15,
'sender3@example.com', datetime(2024-07-03T12:00:00Z), 'xlsx', 12,
'sender4@example.com', datetime(2024-07-04T00:00:00Z), 'pptx', 6,
'sender5@example.com', datetime(202a4-07-04T12:00:00Z), 'jpg', 9,
'sender1@example.com', datetime(2024-07-05T00:00:00Z), 'pdf', 11,
'sender2@example.com', datetime(2024-07-05T12:00:00Z), 'docx', 14
];
EmailAttachmentInfo
| where SenderFromAddress !has "lowes.com"
| make-series DistinctMailCount = count() on Timestamp from ago(20d) to now() step interval by FileType, SenderFromAddress
| extend (AnomaliesDetected, AnomaliesScore, AnomaliesBaseline) = series_decompose_anomalies(DistinctMailCount, AnomalyThreshold, -1, 'linefit')
| mv-expand DistinctMailCount to typeof(double), Timestamp to typeof(datetime), AnomaliesDetected to typeof(double), AnomaliesScore to typeof(double), AnomaliesBaseline to typeof(long)
| where AnomaliesDetected == 1 and DistinctMailCount >= SenderThreshold
| summarize count() by SenderFromAddress, bin(Timestamp, interval), FileType
| render columnchart
I think columnchart looks better.
Sample code can be found here.
- Kusto make-series by month
- KQL merge rows with the same ID into one row
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Bin producing unexpected results
- How to create a whitelist with two fields in KQL with a Watchlist?
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- How can I convert TimeGenerated to TimeIngested in this KQL query for an Azure Workbook?
- multiple if and else within kql azure
- Controlling scatter chart markers in Azure Data Explorer dashboard using KQL
- Monitor HTTP traffic for Azure Web App using Log analitics and KQL query
- Defining external table kind as delta
- Kusto query map through array
- how to use or condition in kql
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- KQL query returns available memory but not Total Memory
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property
- Defender Advance Query
- Calculation of outlier score in series_outlier method
- How to get Azure Advisor scores from azure resource graph explorer?
- KQL: How to reference columns within a let query in the next query
- KQL Query works in advanced hunting but fails when made into a detection rule
- Creating KQL query to get Azure VMs not patched since 30days
- Create a function to calculate power of tens with a loop and reuse them in another query