Forum Discussion
KevinHemelrijk
Oct 19, 2023 Copper Contributor
KQL query to detect the disablement and deletion of Automation Rules
Hi Community, We want to create a KQL-query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with...
Clive_Watson
Oct 19, 2023 Bronze Contributor
You can use the REST API; search for "Automation Rules - List - REST API (Azure Sentinel)". The website was down so I couldn't provide a good link.
You'd have to call this in a Playbook and monitor the state change. The API also has the display name of the rule as well as the GUID you see in the Activity logs. You can then get the Playbook to create an Incident or email you etc...
Example of the API output from the "Workspace Usage" workbook: "Regular Checks --> Weekly --> Rules"
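The state-change monitoring Clive describes, written out as an added Python example (not code from the thread, Microsoft, or any Playbook): two polls of the Automation Rules list endpoint are diffed, and any rule that vanished or flipped from enabled to disabled is reported with both its GUID (as seen in Activity logs) and its display name. The response shape assumed here, a `value` list whose items carry `name` (the rule GUID) and `properties.displayName` / `properties.triggeringLogic.isEnabled`, is an assumption about the API, and both snapshots are constructed sample data.

```python
"""Diff two snapshots of the Automation Rules list to find disabled or
deleted rules. Added example; response layout and sample data are
assumptions, not captured API output."""
from typing import Dict, List

# Constructed sample: what the Playbook stored after the previous poll.
PREVIOUS_SNAPSHOT = {
    "value": [
        {"name": "11111111-1111-1111-1111-111111111111",
         "properties": {"displayName": "Auto-close informational",
                        "triggeringLogic": {"isEnabled": True}}},
        {"name": "22222222-2222-2222-2222-222222222222",
         "properties": {"displayName": "Tag phishing incidents",
                        "triggeringLogic": {"isEnabled": True}}},
        {"name": "33333333-3333-3333-3333-333333333333",
         "properties": {"displayName": "Assign to SOC tier 1",
                        "triggeringLogic": {"isEnabled": False}}},
    ]
}

# Constructed sample: the current poll. Rule 1 was disabled, rule 2 is
# gone, rule 3 was re-enabled and rule 4 is new.
CURRENT_SNAPSHOT = {
    "value": [
        {"name": "11111111-1111-1111-1111-111111111111",
         "properties": {"displayName": "Auto-close informational",
                        "triggeringLogic": {"isEnabled": False}}},
        {"name": "33333333-3333-3333-3333-333333333333",
         "properties": {"displayName": "Assign to SOC tier 1",
                        "triggeringLogic": {"isEnabled": True}}},
        {"name": "44444444-4444-4444-4444-444444444444",
         "properties": {"displayName": "Escalate critical",
                        "triggeringLogic": {"isEnabled": True}}},
    ]
}


def index_rules(snapshot: dict) -> Dict[str, dict]:
    """Map rule GUID -> display name and enabled flag (assumed field paths)."""
    rules: Dict[str, dict] = {}
    for rule in snapshot.get("value", []):
        props = rule.get("properties", {})
        rules[rule["name"]] = {
            "displayName": props.get("displayName", "<unknown>"),
            "enabled": bool(props.get("triggeringLogic", {}).get("isEnabled", False)),
        }
    return rules


def detect_changes(previous: dict, current: dict) -> List[dict]:
    """Return one finding per rule whose state changed between polls.

    'deleted' and 'disabled' are the findings worth an incident or email;
    'enabled' and 'created' are kept as informational so the audit trail
    is complete.
    """
    prev, cur = index_rules(previous), index_rules(current)
    findings: List[dict] = []

    def finding(rule_id: str, name: str, change: str, severity: str) -> dict:
        return {"ruleId": rule_id, "displayName": name,
                "change": change, "severity": severity}

    for rule_id, old in prev.items():
        new = cur.get(rule_id)
        if new is None:
            findings.append(finding(rule_id, old["displayName"], "deleted", "high"))
        elif old["enabled"] and not new["enabled"]:
            findings.append(finding(rule_id, old["displayName"], "disabled", "high"))
        elif not old["enabled"] and new["enabled"]:
            findings.append(finding(rule_id, new["displayName"], "enabled", "info"))
    for rule_id, new in cur.items():
        if rule_id not in prev:
            findings.append(finding(rule_id, new["displayName"], "created", "info"))
    return sorted(findings, key=lambda f: f["ruleId"])


def high_severity(findings: List[dict]) -> List[dict]:
    """Only the findings a Playbook should turn into an incident or email."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in detect_changes(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"{f['severity']:4} {f['change']:8} {f['ruleId']}  {f['displayName']}")
```

One caveat for anyone wiring this into a Playbook: a rule that the list endpoint simply fails to return would show up here as "deleted", so a high-severity finding is best confirmed against the matching delete operation in the Activity log (where the same GUID appears) before it is turned into an incident.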
KevinHemelrijk
Oct 19, 2023 Copper Contributor
Hi Clive,
Thanks for your answer. We are currently having an issue where the Automation Rule list API request does not give us ALL the automation rules that are inside our Sentinel workspace. We contacted Microsoft and they still do not have a solution for this problem. So unfortunately using the API is out of scope for our project. According to your message a KQL query is not possible, if I understand correctly?