Created
September 3, 2021 15:00
-
-
Save x3nc0n/1a60171f700b4ad02a031032e0e9e4e4 to your computer and use it in GitHub Desktop.
KQL Query for Front Door Access Anomalies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let request_threshold = toscalar( | |
| AzureDiagnostics | |
| | where Category contains "FrontDoorAccessLog" | |
| | where TimeGenerated >= startofday(ago(90d)) and TimeGenerated < startofday(now()) | |
| | summarize cnt=count() by clientIp_s, bin(TimeGenerated, 1d) | |
| | summarize avg(cnt), stdev(cnt) | |
| | project threshold = avg_cnt+stdev_cnt); | |
| AzureDiagnostics | |
| | where Category == "FrontdoorAccessLog" | |
| | summarize count() by userAgent_s,clientIp_s | |
| | where count_ > request_threshold |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kql query for front door resource health alert