Forum Discussion
Deleted
Sep 18, 2023
Analytic Rule Auditing with KQL
I'm looking to audit enabled analytic rules and perform transformations on the data using KQL and I'm wondering if this is possible? I know that the API can be used to list the enabled analytic r...
Clive_Watson
Bronze Contributor
Sep 18, 2023
You can, but you'd need to ingest the data from the API into a custom table; then you can use KQL on it. You can probably also use a Playbook to read the API, transform the data and export to your app in a single operation as well.
Note: if you do ingest it, you probably only need to do this once a day (or maybe less), so it's very low volume/cost.
I also showed the Workbook method in "Workspace Usage" --> Regular Checks --> Weekly --> Rules
Eelco510
Copper Contributor
Sep 20, 2023
Not sure if this is what you need, but you can use this KQL query to audit for enabled and updated analytic rules:
Azure-Sentinel/Tools/Audit-Sentinel-Detection/Readme.md at master · Azure/Azure-Sentinel · GitHub
- Deleted, Sep 20, 2023: Thanks for your reply. The issue with this solution is that it will only pick up changes in state. I've ended up using the API to list out the analytics, pass it into a Logic App, parse it, and from there I've used a LAW as a staging area to do the transformation on the parsed data.
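The ingest-then-query approach both replies converge on (pull the rule list from the API, flatten it into rows for a custom table, run the audit in KQL) as an added worked example; this is not code from the thread, from Microsoft, or from the linked Azure-Sentinel tool. It assumes a response shaped like the `Microsoft.SecurityInsights/alertRules` list result (`{"value": [{id, name, kind, properties{...}}]}`), with the property names used below; the sample response is constructed, and the table name `SentinelAnalyticRules_CL` and its column names are this example's own choice. The KQL assumes a DCR-based custom table whose columns keep their declared names (the legacy HTTP Data Collector API would append `_s`/`_b` type suffixes, so adjust if that is what the Logic App uses).

```python
import json
from datetime import datetime, timezone

# Constructed sample, not real tenant data. Shaped like a
# Microsoft.SecurityInsights/alertRules list result ({"value": [...]}) as
# assumed here; verify the field names against a real response first.
_WS = ("/subscriptions/sub-1/resourceGroups/rg-sec/providers/"
       "Microsoft.OperationalInsights/workspaces/law-sec")

def _rule(guid, kind, props):
    return {"id": f"{_WS}/providers/Microsoft.SecurityInsights/alertRules/{guid}",
            "name": guid, "kind": kind, "properties": props}

SAMPLE_API_RESPONSE = json.dumps({"value": [
    _rule("rule-guid-1", "Scheduled", {
        "displayName": "Brute force sign-ins", "enabled": True, "severity": "High",
        "tactics": ["CredentialAccess"], "techniques": ["T1110"],
        "queryFrequency": "PT1H", "lastModifiedUtc": "2023-09-01T10:15:00Z"}),
    _rule("rule-guid-2", "Scheduled", {  # never tagged: no tactics/techniques keys
        "displayName": "Legacy sign-in alert", "enabled": True, "severity": "Medium",
        "queryFrequency": "P1D", "lastModifiedUtc": "2021-03-11T08:00:00Z"}),
    _rule("rule-guid-3", "Scheduled", {
        "displayName": "Rare process on server", "enabled": False, "severity": "Low",
        "tactics": ["Discovery"], "techniques": ["T1057"],
        "queryFrequency": "PT6H", "lastModifiedUtc": "2023-08-20T12:00:00Z"}),
    _rule("rule-guid-4", "Fusion", {  # non-scheduled kinds have no queryFrequency
        "displayName": "Advanced Multistage Attack Detection", "enabled": True,
        "severity": "High", "tactics": ["Persistence", "LateralMovement"],
        "techniques": [], "lastModifiedUtc": "2023-09-10T09:30:00Z"}),
]})


def flatten_rules(response_text, snapshot_time=None):
    """One flat row per rule, with the columns the custom table will carry.
    Every row from one run shares a TimeGenerated, so one run is one snapshot.
    Missing keys (untagged rules, non-scheduled kinds) become empty strings
    rather than exceptions, because the response is not uniform across kinds."""
    snapshot = snapshot_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = []
    for rule in json.loads(response_text).get("value", []):
        props = rule.get("properties") or {}
        rows.append({
            "TimeGenerated": snapshot,
            "RuleId": rule.get("name", ""),
            "RuleName": props.get("displayName", ""),
            "Kind": rule.get("kind", ""),
            "Enabled": bool(props.get("enabled", False)),
            "Severity": props.get("severity", ""),
            "Tactics": ",".join(props.get("tactics") or []),
            "Techniques": ",".join(props.get("techniques") or []),
            "QueryFrequency": props.get("queryFrequency", ""),
            "LastModifiedUtc": props.get("lastModifiedUtc", ""),
        })
    return rows


def audit_enabled_rules(rows):
    """The transformation later expressed in KQL, run locally on one snapshot
    so the rows can be sanity-checked before they are uploaded."""
    enabled = [r for r in rows if r["Enabled"]]
    by_severity = {}
    for r in enabled:
        by_severity[r["Severity"]] = by_severity.get(r["Severity"], 0) + 1
    return {
        "enabled": len(enabled),
        "disabled": len(rows) - len(enabled),
        "by_severity": by_severity,
        # hygiene check: enabled detections nobody has mapped to ATT&CK
        "enabled_without_tactics": sorted(r["RuleName"] for r in enabled if not r["Tactics"]),
    }


def audit_kql(table="SentinelAnalyticRules_CL"):
    """KQL to run once the rows are in the custom table (table and column
    names are this example's assumption). Each daily run appends another
    snapshot, so reduce to the newest row per RuleId first: without the
    arg_max, yesterday's row for a rule that was disabled today would still
    match Enabled == true."""
    return (f"{table}\n"
            "| summarize arg_max(TimeGenerated, *) by RuleId\n"
            "| where Enabled == true\n"
            "| summarize EnabledRules = count(), Rules = make_set(RuleName) by Severity\n"
            "| order by EnabledRules desc")


if __name__ == "__main__":
    rows = flatten_rules(SAMPLE_API_RESPONSE, "2023-09-20T00:00:00Z")
    print(json.dumps(rows, indent=2))          # what would be sent to the table
    print(json.dumps(audit_enabled_rules(rows), indent=2))
    print(audit_kql())
```

The `arg_max(TimeGenerated, *) by RuleId` step is the part worth keeping in mind: a once-a-day ingestion accumulates snapshots, so any audit query over the table has to pick the latest row per rule (or filter to a single `TimeGenerated`) before counting, otherwise rules toggled off still show up from older rows.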