![]() | extend Threshold = 10 // set a reference line | summarize avg(CounterValue), percentiles(CounterValue, 50, 95 ) by bin(TimeGenerated, 1 h) | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1 h), Computer | where ObjectName = "Processor" and CounterName = "% Processor Time" and InstanceName = "_Total" and Computer in ((Heartbeat | summarize avg(CounterValue) by Computer | where avg_CounterValue > 70 | where ObjectName= "Memory" and CounterName= "% Committed Bytes In Use" | where TimeGenerated > StartTime and TimeGenerated StartTime and TimeGenerated StartTime and TimeGenerated StartTime and TimeGenerated 10 | project Activity, activityArr, activityId=activityArr | extend activityArr=split(Activity, " – " ) | parse Activity with activityID " – " activityDesc | summarize count (), SessionDuration=avg(SessionDuration), dcount(TargetLogonId), dcount(Account) by Computer | where SessionDuration != todouble(TimeList) | extend SessionDuration = todouble(SessionDuration) | extend SessionDuration = series_fir(TimeList, dynamic(), false, false ) | summarize TimeList = makelist(TimeGenerated/ 1 s, 100000 ) by Computer, Account, TargetLogonId | order by TimeGenerated asc, EventID asc | project Computer, Account, TargetLogonId, TimeGenerated, EventID | where Computer in (detections) and EventID = 4624 Let detections = toscalar(SecurityDetection find which accounts logged on (note: EventID 4624 is a successful logon; failed logons are EventID 4625, so this filter does not return failed logons) on computers where we identify a security detection | summarize SecurityAlerts=makeset(AlertTitle), HighAlertsCount= count () by Computer | summarize UpdatesNeeded=makeset(Title), Updates=dcount(Title) by Computer List of Computers missing updates and also detected high severity security detections | summarize UniqueUpdatesCount = count (), makeset(Title), makeset(KBID) by Computer | where OSType != "Linux" and UpdateState = "Needed" and Optional = "false" and (Classification = "Security Updates" or Classification = "Critical Updates" ) Needed Security Updates & Critical Updates 
by Computer ![]() | summarize UniqueUpdatesCount = dcount(Product) by Computer, OSType | where Computer in (lastDayComputersMissingUpdates) | where Classification = "Critical Updates" and UpdateState != "Not needed" and UpdateState != "NotNeeded" | where TimeGenerated between (ago( 3 d) .. ago( 2 d)) Kusto summarize update#Let lastDayComputersMissingUpdates = Update Computers Missing Updates last week and still missing it. | summarize count () by bin (TimeGenerated, 1 h), Process Create a time chart of these 5 processes – hour by hour Find the 5 processes that were run the most Find all processes that started in the last 3 days. Top 5 running processes in the last 3 days ![]() search, where, take, count, summarize, bin, top, extend, project, distinct // - 80% of what you'll ever do, 10 commands -// ![]()