Skip to content

Commit

Permalink
Add aggregated alert top devices information (#7409)
Browse files Browse the repository at this point in the history 
* Add alert top 10 devices information

* fix errors

* fix errors

* fix errors

* fix errors

* fix array error

* fix time field

* fix time field
  • Loading branch information
@hagba @erich-wang
hagba authored and erich-wang committed Oct 9, 2019
1 parent e86aaf6 commit 9fb60f2
Show file tree
Hide file tree
Showing 3 changed files with 63 additions and 3 deletions.
14 changes: 13 additions & 1 deletion ...xamples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,19 @@
"effectedResourceType": "IoT Device",
"systemSource": "Devices",
"actionTaken": "Detected",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"topDevicesList": [
{
"deviceId": "testDevice1",
"alertsCount": 100,
"lastOccurrence": "10:42"
},
{
"deviceId": "testDevice2",
"alertsCount": 80,
"lastOccurrence": "15:42"
}
]
}
}
}
Expand Down
28 changes: 26 additions & 2 deletions ...les/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,19 @@
"effectedResourceType": "IoT Device",
"systemSource": "Devices",
"actionTaken": "Detected",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"topDevicesList": [
{
"deviceId": "testDevice1",
"alertsCount": 45,
"lastOccurrence": "10:42"
},
{
"deviceId": "testDevice2",
"alertsCount": 30,
"lastOccurrence": "15:42"
}
]
}
},
{
Expand All @@ -44,7 +56,19 @@
"effectedResourceType": "IoT Device",
"systemSource": "Devices",
"actionTaken": "Detected",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"topDevicesList": [
{
"deviceId": "testDevice1",
"alertsCount": 12321,
"lastOccurrence": "10:42"
},
{
"deviceId": "testDevice2",
"alertsCount": 455,
"lastOccurrence": "15:42"
}
]
}
}
]
Expand Down
24 changes: 24 additions & 0 deletions ...y/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -628,6 +628,30 @@
"readOnly": true,
"type": "string",
"description": "Log analytics query for getting the list of affected devices/alerts."
},
"topDevicesList": {
"description": "10 devices with the highest number of occurrences of this alert type, on this day.",
"type": "array",
"readOnly": true,
"items": {
"properties": {
"deviceId": {
"readOnly": true,
"type": "string",
"description": "Name of the device."
},
"alertsCount": {
"readOnly": true,
"type": "integer",
"description": "Number of alerts raised for this device."
},
"lastOccurrence": {
"readOnly": true,
"type": "string",
"description": "Most recent time this alert was raised for this device, on this day."
}
}
}
}
}
},
Expand Down

0 comments on commit 9fb60f2

Please sign in to comment.