In Azure Sentinel I have set up multiple automation rules that respond with various playbooks / Logic Apps.
I want to be notified, or to know how to search the logs to find all
The closest I have gotten is via the AzureDiagnostics log, but I noticed this only captures less than 1% of the Logic Apps in my environment.
// Logic App run/action events that land in AzureDiagnostics (requires diagnostic settings on the Logic App)
AzureDiagnostics
| where OperationName contains "Microsoft.Logic"
| extend OperationType = tostring(split(OperationName,'/')[2])
| extend LogicApp = tostring(split(ResourceId,'/')[8])
// the Sentinel incident number is the numeric suffix after the GUID in the client tracking id
| extend IncidentNumber = toint(extract(@"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\_(\d+)", 1, correlation_clientTrackingId_s))
| summarize Resource = strcat_array(make_set(Resource),', '),
            status_s = strcat_array(make_set(status_s),', ') by LogicApp, IncidentNumber, OperationType, Level
This KQL shows all Logic App failures; however, it does not show anything when a connection fails.
// Control-plane view from the Activity log, keyed on the Logic App resource provider
AzureActivity
| where ResourceProviderValue =~ "Microsoft.Logic"
| mv-expand parse_json(Authorization)
| evaluate bag_unpack(Authorization, OutputColumnPrefix='Authorization_')
| mv-expand parse_json(Properties)
| evaluate bag_unpack(Properties, OutputColumnPrefix='Properties_')
// ResourceId depth differs for some regional resources, so fall back to the last path segment
| extend LogicApp = tostring(iff(split(ResourceId,'/')[8]=="australiaeast",split(ResourceId,'/')[-1],split(ResourceId,'/')[8]))
| summarize Properties_statusMessage=strcat_array(make_set(Properties_statusMessage),', '),
            Properties_message=strcat_array(make_set(Properties_message),', '),
            Properties_isComplianceCheck=strcat_array(make_set(Properties_isComplianceCheck),', '),
            ActivityStatus=strcat_array(make_set(ActivityStatus),', '),
            ActivityStatusValue=strcat_array(make_set(ActivityStatusValue),', '),
            CallerIpAddress=strcat_array(make_set(CallerIpAddress),', ') by EventSubmissionTimestamp, LogicApp, Caller, OperationName, Resource