Forum Discussion
Get a list of rules that haven't triggered any alerts/incidents
Hi everyone,
I'm trying to create a workbook that will list analytics rules that haven't triggered any alerts/incidents in specified time range (e.g. in last 7 days). First step is to prepare a KQL query, and as there is no rules table (list of rules is only available through REST API) my idea is:
- create Logic App that runs on a schedule, gets the list of all rules and stores it in the watchlist
- joint this watchlist with alerts (or incidents) table and find without corresponding alerts/incidents
- use left anti or right anti join
I've looked at "Security Operations Efficiency" and "Analytics Efficiency" workbooks but they don't cover this requirement.
Has anyone done something similar, is there a better way to get the data (without Logic App and watchlist)?
Thanks,
Bojan
- The Workbook "Analytic Efficiency" does this
6 Replies
- Thanks, looks like I missed that one ("Rules that require attention").
- The Workbook "Analytic Efficiency" does this
Clive_Watson I agree. Select one or more of the rules that are listed and then scroll down to the bottom of the page and look at the "Rules that require attention". This will tell you if the rule has created an alert within in the selected timespan.
Unfortunately, there does not appear to be any way to select all the rules at one time but at the very least it will tell you the query that it uses to determine if the rule has kicked off an alert or not and you can go from there.
