question

StoopCorne-1614 asked azure-cxp-api edited

Alert on query a log

Hi,
I have made a Log Analytics workspace, resource and configured a query to get an alert when some user logs in to Azure or an application. However, when I test the user login I do not get an email, and when executing the query it says that there are no results. Does someone have an idea what I am doing wrong?
The query is:
SigninLogs
| project UserId
// "objectid" stands in for the Azure AD user object ID copied from the portal
| where UserId == "objectid" or UserId == "objectid"

The object IDs are copied from Active Directory users in Azure, so they must be good.
Settings:
Number of results greater than 0
Evaluate based on a period of 5 minutes and a frequency of 5 minutes


When testing the query it gives no error, but there are also no results to display. Maybe I must make a connection or something, but I did the configuration as Microsoft advises.

azure-ad-audit-logs

Hi, we are investigating your issue and will update you shortly.

Best,
James


1 Answer

JamesHamil-MSFT answered

Hi, please check the following configurations in the alert rule:

  • Alert condition (signal logic) that you are using in the alert rule. Check if at all the alert is getting triggered as per the condition set.

  • The Action Group that you have set up contains the correct email id, where the alert email should be received.

  • Use the queries and alerts from this article.


Why are you using UserId == "objectid" twice in the query? Are you following any documentation? If so, please share. Are you able to see the sign-in logs in Azure Active Directory? How have you set up the Log Analytics workspace? You need to send the sign-in logs to the Log Analytics workspace through Diagnostic settings.

If you are able to see the sign-in logs, and are sending them to the Log Analytics workspace correctly, and only the alert is not triggering, then this is most likely a Log Analytics issue.

Please let me know if this helps.

Thank you,
James
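As an added illustration (not part of the thread above), the two KQL queries a practitioner would run in the workspace to separate the ingestion problem from the alert-rule problem; the object IDs are placeholders, and the ingestion check assumes the Azure AD diagnostic setting forwards the SignInLogs category to this workspace.

```kusto
// Step 1: confirm that sign-in events are reaching the workspace at all.
// If this returns no rows, the Azure AD diagnostic setting is not forwarding
// SignInLogs to this workspace, and no alert rule on top of it can ever fire.
SigninLogs
| where TimeGenerated > ago(1d)
| summarize SignIns = count(), LastSeen = max(TimeGenerated) by bin(TimeGenerated, 1h)
| order by TimeGenerated desc

// Step 2: the alert query itself. Filter before projecting so the alert
// e-mail carries context (who, from where, to which app), and list the
// watched users once instead of repeating the same literal.
// <objectid-1> and <objectid-2> are placeholders for the users' object IDs.
let WatchedUsers = dynamic(["<objectid-1>", "<objectid-2>"]);
SigninLogs
| where TimeGenerated > ago(5m)      // matches the rule's 5-minute period
| where UserId in (WatchedUsers)
| where ResultType == "0"            // successful sign-ins only; drop to include failures
| project TimeGenerated, UserPrincipalName, UserId, AppDisplayName, IPAddress, ResultType
```

Run the two queries separately in Logs; once Step 1 shows rows, set the alert rule to fire when the number of results of Step 2 is greater than 0.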
