Sending DDoS Alerts into Sentinel and Analytic Rule Error
I am attempting to activate a Sentinel analytic rule for DDoS incidents, specifically the rule named “DDoS Attack IP Addresses – Percent Threshold.”
However, during the rule activation process, I encountered an error message indicating that the scalar expression ‘destPublicIpAddress_s’ could not be resolved.
It appears that the Azure Diagnostic table does not contain a column named ‘destPublicIpAddress_s.’
I have configured the public IP address to send logs to LA.
Is there anything I can do to receive DDoS alerts into Sentinel, or to resolve the analytic rule error?
The query referenced is here:
let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
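Added example, not part of the original post: the first query lists the columns that actually exist for this category in the workspace, so the rule can be matched to the real schema; the second rewrites the rule's T1 step with column_ifexists(), which substitutes a default instead of failing to resolve when a column is absent. It assumes the AzureDiagnostics table, ResourceType and Category values shown in the post, and that the two queries are run separately in Log Analytics.

```kql
// 1. Inspect which columns are present for DDoS mitigation flow logs.
//    Compare the output against the column names the analytic rule expects.
AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| getschema
| project ColumnName, ColumnType

// 2. Schema-tolerant version of T1 from the rule.
//    column_ifexists() returns the default ("") when the column is missing,
//    so the rule validates instead of raising a resolution error; rows with
//    empty addresses are dropped so they do not skew the percentage threshold.
let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| extend destIp = tostring(column_ifexists("destPublicIpAddress_s", ""))
| extend srcIp  = tostring(column_ifexists("sourcePublicIpAddress_s", ""))
| where isnotempty(destIp) and isnotempty(srcIp)
| summarize rows_count = count() by destIp, srcIp;
T1
| order by rows_count desc
```

If query 1 shows no address columns at all, no mitigation flow logs have reached the workspace yet, and the diagnostic setting on the public IP is the place to check before touching the rule.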