KQL to extract RCE attempts - azure

I am trying to query for Remote Code Execution Attempt alerts. Does anyone have an idea how to go about this?
SecurityAlert
| where TimeGenerated >= ago(20d)
| where AlertName contains "Remote code execution attempt"
| extend Entities = tostring(parse_json(Entities)[0])
| project Entities, AlertName, Status
I am trying to output the hostnames and other information.
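One way to get the host names out, as an added example rather than code from the question: Entities on SecurityAlert is a JSON array of entity objects whose Type field is "host", "ip", "account" and so on, so expanding the array and keeping the host entries gives every host on the alert instead of only element [0]. The column names assume the Microsoft Sentinel SecurityAlert schema.

```kql
// Added example: extract host, account and IP entities from RCE alerts.
// Assumes the Microsoft Sentinel SecurityAlert schema, where Entities is a JSON
// array of objects such as {"Type":"host","HostName":"web01","DnsDomain":"corp.local"}.
SecurityAlert
| where TimeGenerated >= ago(20d)
| where AlertName has "Remote code execution attempt"   // term match, cheaper than contains
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList                          // one row per entity, not just index [0]
| extend EntityType = tostring(Entity.Type)
| summarize
    Hosts    = make_set_if(tostring(Entity.HostName), EntityType == "host"),
    Accounts = make_set_if(tostring(Entity.Name),     EntityType == "account"),
    IPs      = make_set_if(tostring(Entity.Address),  EntityType == "ip")
    by SystemAlertId, TimeGenerated, AlertName, AlertSeverity, Status, CompromisedEntity
| order by TimeGenerated desc
```

Each output row is one alert with the sets of hosts, accounts and IPs it references; drop the summarize to keep one row per entity instead.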

Related

How to properly create once-a-day Azure Log Alert for pod errors?

I created an Azure Alert using a Query (KQL - Kusto Query Language) reading from the Log. That is, it's a Log Alert.
After a few minutes, the alert was triggered (as I expected based on my condition).
My condition checks if there are Pods of a specific name in Failed state:
KubePodInventory
| where TimeGenerated between (now(-24h) .. now())
| where ClusterName == 'mycluster'
| where Namespace == 'mynamespace'
| where Name startswith "myjobname"
| where PodStatus == 'Failed'
| where ContainerStatusReason == 'Completed' //or 'Error' or doesn't matter? (there are duplicated entries, one with Completed and one with Error)
| order by TimeGenerated desc
These errors stay in the log, and I only want to catch them (alert about them) once per day (that is, I check if there is at least one entry in the log (threshold), then fire the alert).
Is the log query evaluated every time there is a new entry in the log, or is it evaluated at a set frequency? I could not find in the Azure Portal a frequency specified to check Alerts, so maybe it evaluates the Alert(s) condition(s) every time there is something new in the Log?

Azure Log Analytics: How to display AppServiceConsoleLogs AND AppServiceHTTPLogs together?

I can run the 2 queries below to view the logs for a certain time, separately.
AppServiceConsoleLogs | where TimeGenerated >= datetime('2021-04-10 14:00')
AppServiceHTTPLogs | where TimeGenerated >= datetime('2021-04-10 14:00')
How do I combine these into a single query to view the logs together?
The union operator does the job to show all records from the specified tables.
I used the query below and did not have the problems you mentioned:
union requests, traces
| where timestamp > ago(1d)
The screenshot of the query result:
If you still have the problem, please share the screenshot and more detailed info with us.

Azure log analytics query for how much and what data has vm consumed

I would like to have a query that would return something like this for a single VM. So the query should show the results of a single VM, what kind of log types / solutions it has used, and how much.
I don't know if it is even possible to do anything similar? Tips?
With this query I'm able to list the total usage for all VMs reporting to the LAW, but I would like to have more details about a single VM.
find where TimeGenerated > ago(30d) project _BilledSize, _IsBillable, Computer
| where _IsBillable == true
| extend computerName = tolower(tostring(split(Computer, '.')[0]))
| summarize BillableDataBytes = sum(_BilledSize) by computerName
| sort by BillableDataBytes nulls last
Mostly you would be able to accomplish it by querying standard columns or properties _BilledSize, Type, _IsBillable and Computer.
Below is the sample query for your reference:
union withsource=tt *
| where TimeGenerated between (ago(7d) .. now())
| where _IsBillable == true
| where isnotempty(Computer)
| where Computer == "MM-VM-RHEL-7"
| summarize BillableDataBytes = sum(_BilledSize) by Computer, _IsBillable, Type
| render piechart
Below is the screenshot for illustration:
Related references:
Log data usage - Understanding ingested data volume
Standard columns in logs

getting duplicates records when joining in kql

We have a requirement to get the status of a Windows service when it is started and stopped. To do that I have written one query, but I am facing an issue when joining 2 tables to get the output.
I have tried using inner and left outer joins but am still getting duplicates.
Event
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_State == "running" and Windows_Service_Name == "Microsoft Monitoring Agent Azure VM Extension Heartbeat Service"
| extend startedtime = TimeGenerated
| join (
Event
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_State == "stopped" and Windows_Service_Name == "Microsoft Monitoring Agent Azure VM Extension Heartbeat Service"
| extend stoppedtime = TimeGenerated
) on Computer
| extend downtime = startedtime - stoppedtime
| project Computer, Windows_Service_Name, stoppedtime, startedtime, downtime
| top 10 by Windows_Service_Name desc
We want to get the number of times that the service started and stopped. If the service restarted multiple times in a day, we are getting duplicate timings in starttime when joining. Please have a look at the link (https://ibb.co/JzqxjC0).
I am not sure I fully understand what is going on, since I don't have access to the data. But I can see you are using the default join flavor.
The default is inner unique:
The inner-join function is like the standard inner-join from the SQL world. An output record is produced whenever a record on the left side has the same join key as the record on the right side.
Which means a new line in the result is created on every match between the left and the right side. Therefore, let's assume you have a computer that was restarted twice, so it has 2 lines of stopped and 2 lines of running. That will produce 4 rows in the Kusto answer.
Looking at your picture, it makes sense to me because you have lines with negative downtime. I guess that is not possible.
What I would do, is look for an identifier that is unique on every Computer run. Then you can join on that, and stay safe not to generate data that you don't want.
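A variant of the query from the question, added here and not part of the answer above, that sidesteps the join entirely: sort the 7036 events per computer and use prev() to pair each "running" event with the "stopped" event immediately before it, so a service restarted twice yields two rows rather than four. It reuses the question's parse pattern and service name; the 1-day window is an assumption.

```kql
// Added example: pair each service start with the stop that preceded it using
// prev() over a sorted stream, instead of a join (which multiplies every match).
let ServiceName = "Microsoft Monitoring Agent Azure VM Extension Heartbeat Service";
Event
| where TimeGenerated >= ago(1d)                        // assumed window
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == ServiceName
| where Windows_Service_State in ("running", "stopped")
| sort by Computer asc, TimeGenerated asc               // sort serializes the rows, which prev() needs
| extend PrevComputer = prev(Computer),
         PrevState    = prev(Windows_Service_State),
         PrevTime     = prev(TimeGenerated)
// keep only 'running' rows whose immediately preceding row, on the same computer, is 'stopped'
| where Windows_Service_State == "running"
    and PrevState == "stopped"
    and PrevComputer == Computer
| project Computer, Windows_Service_Name,
          stoppedtime = PrevTime,
          startedtime = TimeGenerated,
          downtime    = TimeGenerated - PrevTime         // always non-negative by construction
| order by Computer asc, startedtime asc
```

Append `| summarize Restarts = count(), TotalDowntime = sum(downtime) by Computer` to get the number of restarts per machine; a stop with no following start (service still down) produces no row, which is the case worth alerting on separately.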

#After is invoked multiple times at the end of Scenario Outline in Cucumber

My cucumber Gherkins look like this:
Feature: Story XYZ- Title of Story
"""
Title: Story XYZ- Title of Story
"""
Background:
Given Appointments are being created using "SOAP" API
#scenario1
Scenario Outline: Create an appointment for a New start service order
Given Appointment does not exist for order id "Test_PR_Order123"
When Request for create appointment is received for order "Test_PR_Order123" and following
| FieldName | FieldValue |
| ServiceGroupName | <ServiceGroupName> |
| SerivceGroupID | TestSG123 |
| ServiceType | <ServiceType> |
Then Appointment ID should be created
And Appointment for order "Test_PR_Order123" should have following details
| FieldName | FieldValue |
| ServiceGroupName | <ServiceGroupName> |
| SerivceGroupID | TestSG123 |
| ServiceType | <ServiceType> |
And Appointment history should exist for "Create Appointment"
Examples:
| ServiceType | ServiceGroupName |
| Service1 | ServiceGroup1 |
| Service2 | ServiceGroup2 |
#scenario22
Scenario Outline: Create an appointment for a Change Service order
Given Appointment does not exist for order id "Test_CH_Order123"
When Request for create appointment is received for order "Test_CH_Order123" and following
| FieldName | FieldValue |
| ServiceGroupName | <ServiceGroupName> |
| SerivceGroupID | TestSG123 |
| ServiceType | <ServiceType> |
Then Appointment ID should be created
And Appointment for order "Test_CH_Order123" should have following details
| FieldName | FieldValue |
| ServiceGroupName | <ServiceGroupName> |
| SerivceGroupID | TestSG123 |
| ServiceType | <ServiceType> |
And Appointment history should exist for "Create Appointment"
Examples:
| ServiceType | ServiceGroupName |
| Service1 | ServiceGroup1 |
| Service2 | ServiceGroup2 |
In the above feature there is a Background which will execute for each example in both Scenario Outlines.
Also, in the Java implementation we have implemented #After and #Before hooks which will also execute for each example.
We are using spring-cucumber for data injection between steps.
The problem occurs when all examples in the first Scenario Outline end: the #After implemented method is invoked 2 times. When the 2nd #After starts, the 2nd Scenario Outline's examples start executing at the same time.
As a result the sequential execution of scenarios is disturbed and the automation starts to fail.
Please suggest if this is a bug in Cucumber or we are missing anything.
One of the many things you are missing is keeping scenarios simple. By using scenario outlines and by embedding so many technical details in your Gherkin you are making things much harder for yourself. In addition you are using before and after hooks to make this work.
Another problem is that your scenarios do not make sense. They are all about making appointments for orders, but you don't at any point create the order.
Finally you have two identical scenarios that you say do different things. The first is for New, the second is for Change. There has to be some difference, otherwise you would not need the second scenario.
What I would do is try and extract a single scenario out of this tangle and use that to diagnose any problems. You should be able to end up with something like:
Scenario: Create an appointment for an order
Given there is an order
And appointments are made using SOAP
When a new start appointment is made for the order
Then the appointment should be created
And the appointment should have a history
There should be no reason why you can't make this scenario work without any #before or #after. When you have this working, then create other scenarios for whatever other cases you are trying to examine. Again you should be able to do this without doing any of the following:
Using example data to differentiate between scenarios
Using outlines
Using #before and #after
When using Cucumber you want to push the complexity of automation outside of Cucumber. Either pull it up to a script before Cucumber starts, or push it down to execute in helper methods that are called in a single step definition. If you keep the complexity in Cucumber, and in particular try and link scenarios to each other and use #before and #after to keep state between scenarios, you will not have a pleasant time using (misusing) Cucumber.
It's far more likely that your problems are caused by your code than by Cucumber's. Even if Cucumber did have a problem with outlines and hooks, you can fix your problems by just not using them. Outlines are completely unnecessary and hooks are mostly misused.