Azure Sentinel: get notified when a playbook run fails or a playbook action's connection is broken

Question (votes: 0, answers: 1)

In Azure Sentinel I have set up several automation rules that respond with various playbooks/Logic Apps.

I would like to be notified, or to know how to search the logs, for all:

  1. failed runs,
  2. failed actions (via playbook/Logic App), and
  3. cases where a playbook's connection is broken (see the screenshot below).

The closest I have got is via the AzureDiagnostics logs, but I notice this only captures less than 1% of the Logic Apps in my environment.

AzureDiagnostics
    | where OperationName contains "Microsoft.Logic"
    // third path segment of the operation, e.g. workflowRunCompleted / workflowActionCompleted
    | extend OperationType = tostring(split(OperationName, '/')[2])
    // ninth segment of a standard Logic App ResourceId is the workflow name
    | extend LogicApp = tostring(split(ResourceId, '/')[8])
    // the digits following "<GUID>_" in the tracking ID are the Sentinel incident number
    | extend IncidentNumber = toint(extract(@"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\_(\d+)", 1, correlation_clientTrackingId_s))
    | summarize Resource = strcat_array(make_set(Resource), ', '),
                status_s = strcat_array(make_set(status_s), ', ')
        by LogicApp, IncidentNumber, OperationType, Level
azure azure-automation azure-diagnostics azure-sentinel
1 answer (votes: 0)

This KQL will show all Logic App failures; however, it will not show when a connection fails.

AzureActivity
| where ResourceProviderValue =~ "Microsoft.Logic"
// flatten the Authorization and Properties JSON bags into prefixed columns
| mv-expand parse_json(Authorization)
| evaluate bag_unpack(Authorization, OutputColumnPrefix='Authorization_')
| mv-expand parse_json(Properties)
| evaluate bag_unpack(Properties, OutputColumnPrefix='Properties_')
// some ResourceIds carry the region at index 8; fall back to the last segment for those
| extend LogicApp = tostring(iff(split(ResourceId, '/')[8] == "australiaeast", split(ResourceId, '/')[-1], split(ResourceId, '/')[8]))
| summarize Properties_statusMessage = strcat_array(make_set(Properties_statusMessage), ', '),
            Properties_message = strcat_array(make_set(Properties_message), ', '),
            Properties_isComplianceCheck = strcat_array(make_set(Properties_isComplianceCheck), ', '),
            ActivityStatus = strcat_array(make_set(ActivityStatus), ', '),
            ActivityStatusValue = strcat_array(make_set(ActivityStatusValue), ', '),
            CallerIpAddress = strcat_array(make_set(CallerIpAddress), ', ')
    by EventSubmissionTimestamp, LogicApp, Caller, OperationName, Resource
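The following query is an added example, not code from the question or the answer above. It covers the first two items the question asks for (failed runs and failed actions) from the Logic App WorkflowRuntime diagnostics, and it shows where the third item surfaces: a broken API connection does not emit an event of its own, it appears as a failed action, with the connector's error in error_code_s/error_message_s, on the first run that tries to use it. A connection that no run has exercised since it broke leaves nothing in the workspace; its state is only visible on the Microsoft.Web/connections resource itself. Two caveats: AzureDiagnostics only contains Logic Apps that have a diagnostic setting forwarding the WorkflowRuntime category to the workspace, which is the usual reason the table covers only a fraction of an environment's playbooks, and the column names used here (status_s, resource_runId_s, resource_actionName_s, error_code_s, error_message_s) are the standard WorkflowRuntime columns, assumed rather than taken from the page.

```kql
// Added example, not code from the question or the answer above.
// Assumes each playbook has a diagnostic setting sending the WorkflowRuntime
// category to the Sentinel workspace, and uses the standard WorkflowRuntime
// columns (status_s, resource_runId_s, resource_actionName_s, error_code_s,
// error_message_s).
AzureDiagnostics
| where Category == "WorkflowRuntime"
// Run-level and action-level completion events. A broken API connection shows
// up here as a failed action on the first run that tries to use it.
| where OperationName in ("Microsoft.Logic/workflows/workflowRunCompleted",
                          "Microsoft.Logic/workflows/workflowActionCompleted")
| where status_s == "Failed"
// Take the workflow name from the segment after "/workflows/" rather than a
// fixed split() index, so ResourceIds of a different shape still parse.
| extend LogicApp = extract(@"(?i)/workflows/([^/]+)", 1, ResourceId)
| extend Scope = iff(OperationName endswith "workflowRunCompleted", "Run", "Action")
// Sentinel's client tracking ID carries "<GUID>_<incident number>".
| extend IncidentNumber = toint(extract(@"[0-9a-fA-F-]{36}_(\d+)", 1, correlation_clientTrackingId_s))
| project TimeGenerated, LogicApp, Scope, IncidentNumber,
          RunId = resource_runId_s,
          Action = resource_actionName_s,
          ErrorCode = error_code_s,
          ErrorMessage = error_message_s
| order by TimeGenerated desc
```

To turn the rows into a notification, run this query from a scheduled analytics rule in Sentinel (or from a Logic App on a recurrence trigger with a mail step), and keep the action-level rows: the run-level row tells you a playbook failed, the action-level row tells you which step and, for connector actions, which connection.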
© www.soinside.com 2019 - 2024. All rights reserved.