Creating alerts within specified hours with Log Analytics

From time to time, alerts built on Log Analytics data carry an additional requirement: only fire within a specified time frame, usually inside business hours or outside core hours. Examples include:

  • RDP Login in office hours
  • CPU Spike outside office hours

Part of the Log Analytics query will be used to specify the required time frame.

To help build the Log Analytics query, we use the “let” statement, which binds a name to an expression (a constant, a scalar or a tabular result) so it can be referenced later in the query. Further info on the available query operators can be found here.

As below, to reference an alert start time of 9am and an alert stop time of 6pm (office hours):

let startDateOfAlert = startofday(now());
let StartAlertTime = startDateOfAlert + 9hours;
let StopAlertTime = startDateOfAlert + 18hours;

Now to add the above to a query. The example I will use is an RDP login, with the requirement to only alert when inside office hours:

let startDateOfAlert = startofday(now());
let StartAlertTime = startDateOfAlert + 9hours;
let StopAlertTime = startDateOfAlert + 18hours;
SecurityEvent
| where TimeGenerated > StartAlertTime and TimeGenerated < StopAlertTime
| where EventID==528 or EventID==540 or EventID==4624
| where LogonTypeName == "10 - RemoteInteractive"
| where Computer == "tamopsvm"

Now that we have the query created, we can look at creating an alert from it.

How do I create an Alert from Log Analytics query?

Select your Log Analytics resource and then Alerts, as below.

Select New Alert Rule.

The below will now appear:

Condition: where you enter the query, along with the alert logic and the evaluation basis (period/frequency)
Actions: what should happen when the alert fires, such as severity, and links to action groups. I have written a blog on Action Groups – worth a read!
Action Rule details: the name of the rule about to be created and its description

For this example, I will only enter condition details

As below, I have taken the search query from above and placed it there

  • Alert logic:- if there is an RDP login in office hours I want to be alerted; the evaluation basis has been set to a 5 minute period

Once condition details have been entered, click OK and you will be ready to alert within a specific time frame.

What other time related queries can be created?

Alerting out of hours

For example, 6pm to 8am: change the comparison on TimeGenerated so that it falls outside the window. The two conditions must be combined with “or”, since no timestamp can be both before the start time and after the stop time:

| where TimeGenerated < StartAlertTime or TimeGenerated > StopAlertTime

Or alternatively, swap the StartAlertTime and StopAlertTime values.

Not alerting on specific day(s) of the week

Using another let, I have referenced Friday and made use of “not equals” within the query.

let startDateOfAlert = startofday(now());
let StartAlertTime = startDateOfAlert + 9hours;
let StopAlertTime = startDateOfAlert + 18hours;
let Friday = 5d; // dayofweek() returns a timespan: 0d = Sunday ... 6d = Saturday
SecurityEvent
| where TimeGenerated > StartAlertTime and TimeGenerated < StopAlertTime
| extend ByPassDays = dayofweek(TimeGenerated)
| where ByPassDays != Friday
| where EventID==528 or EventID==540 or EventID==4624
| where LogonTypeName == "10 - RemoteInteractive"
| where Computer == "tamopsvm"

Planning a maintenance window weekly?

Rather than suppressing a whole day, you can suppress a time frame within that day. Changing the let statements to the below (the window expressed as an offset into the week, measured from the Sunday start of the week) and filtering with “not between” on TimeGenerated - startofweek(TimeGenerated) would not display data between 18:00-20:00 on a Friday:

let FridayMaintenanceStart = 5d + 18h; // Friday 18:00 as a timespan since startofweek()
let FridayMaintenanceStop = 5d + 20h;  // Friday 20:00
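The following query is an added example, not code from the original post: it combines the three ideas above (office hours, excluded days and a Friday maintenance window) in one RDP-logon query. It goes a step further than the post by deriving the time of day from each event's own timestamp rather than from now(), so the same filter holds for any alert lookback period, and by converting to a local timezone first (the "Europe/London" timezone and the computer name are assumed values).

```kusto
// Added example (not from the original post): RDP logons during office hours on
// weekdays, suppressing a Friday 18:00-20:00 maintenance window.
let OfficeStart = 9h;                 // office hours 09:00-18:00
let OfficeStop  = 18h;
let Sunday   = 0d;                    // dayofweek(): 0d = Sunday ... 6d = Saturday
let Saturday = 6d;
let MaintenanceStart = 5d + 18h;      // Friday 18:00 as an offset into the week
let MaintenanceStop  = 5d + 20h;      // Friday 20:00
SecurityEvent
| where EventID == 4624 or EventID == 528 or EventID == 540
| where LogonTypeName == "10 - RemoteInteractive"
| where Computer == "tamopsvm"       // assumed host name
// TimeGenerated is stored in UTC; convert so office hours are evaluated in local time
| extend LocalTime = datetime_utc_to_local(TimeGenerated, "Europe/London")  // assumed timezone
| extend TimeOfDay  = LocalTime - startofday(LocalTime)   // timespan since midnight
| extend WeekOffset = LocalTime - startofweek(LocalTime)  // timespan since Sunday 00:00
| extend Day = dayofweek(LocalTime)
| where TimeOfDay between (OfficeStart .. OfficeStop)     // inside office hours
| where Day != Saturday and Day != Sunday                 // weekdays only
| where not(WeekOffset between (MaintenanceStart .. MaintenanceStop))  // skip Friday 18:00-20:00
| project TimeGenerated, LocalTime, Computer, Account, IpAddress, LogonTypeName
```

The alert rule's period and frequency still define how far back each evaluation looks; this query only decides which of the events in that window are allowed to raise the alert, so keep the alert logic at "number of results greater than 0".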

Read more about query operators to assist you further in building your time specific queries.
