Forum Discussion
raju_ninja007
Jun 30, 2022, Copper Contributor
Query Analytic Rules
Hello There,
Is it possible to query analytics rules for their status, last run & scheduled time....?
If so, which table to query?
Thank you,
Raju
- samikroy, Brass Contributor
raju_ninja007 - In addition, there is a workbook available named "Log Sources & Analytic Rule Coverage" in the Sentinel Workbook gallery to view the rules in detail; it uses the API below to extract the details:
https://docs.microsoft.com/en-us/rest/api/securityinsights/stable/alert-rules/list
And you can leverage the SecurityIncident table to get the latest incident created from a rule.

- Clive_Watson, Bronze Contributor
Q1: yes, the SecurityIncident and SecurityAlert tables hold the last run time; basic example:
// last modified time for unique incident numbers
SecurityIncident
| summarize arg_max(LastModifiedTime,*) by IncidentNumber
There are columns for TimeGenerated, LastModifiedTime (used above), LastActivityTime, CreatedTime, ClosedTime...
Also see: https://techcommunity.microsoft.com/t5/microsoft-sentinel/enrich-table-with-entities-from-security-incident/m-p/3351626
Q2. The rule will run from the time when it was enabled/deployed.
i.e. If you enable the rule at 8am and ask it to run each hour, it will fire at 9am, 10am, 11am etc... You can't (yet, but it's been requested) specify a launch time, like 8:05am.

- GaryBushey, Bronze Contributor
Clive_Watson For Q1 wouldn't that only show the last time the rule found something, not necessarily the last time it was run?
- Clive_Watson, Bronze Contributor
GaryBushey yes, you are correct
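The following query is an added example and is not from any post in this thread. It builds on the SecurityIncident approach above and reports, per analytics rule, the most recent incident that rule created. It assumes the Microsoft Sentinel SecurityIncident schema in which RelatedAnalyticRuleIds is a dynamic array of rule resource IDs (so an incident linked to several rules is counted once for each). As GaryBushey points out, this only shows the last time a rule produced an incident, not the last time it ran; a rule that runs every hour and never matches will not appear at all.

```kql
// Added example (not from the thread): latest incident per analytics rule.
// Assumption: RelatedAnalyticRuleIds holds full ARM resource IDs ending in the rule GUID;
// if it holds bare GUIDs the split() below is harmless and returns the same value.
SecurityIncident
| where TimeGenerated > ago(30d)
// Incidents are written once per update; keep only the latest row for each incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// One row per (incident, rule) so multi-rule incidents are attributed to every rule
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
| extend RuleId = tolower(tostring(split(RuleId, "/")[-1]))
| summarize IncidentCount = dcount(IncidentNumber),
            arg_max(CreatedTime, IncidentNumber, Title, Status, Severity)
    by RuleId
| project RuleId,
          LastIncidentCreated = CreatedTime,   // last time this rule fired, NOT last run
          LatestIncident = IncidentNumber,
          Title, Status, Severity, IncidentCount
| order by LastIncidentCreated desc
```

Title is the incident title, which for scheduled rules defaults to the rule's display name unless the rule customises it, so it is a convenient label but not a reliable key; join on RuleId if you need to match against the alert-rules API output.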
- Rod_Trent, Microsoft
SentinelHealth is still in private preview but should be available soon. When available:
https://github.com/rod-trent/SentinelKQL/blob/master/UnsuccessfulRulesinLast24.txt
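The query below is an added example, not Rod_Trent's linked query or anything else posted in this thread. It shows what SentinelHealth adds over the incident and alert tables: an actual record of every rule run, successful or not, so "last run" and "currently failing" can be answered directly. It assumes the analytics-rule health schema as later documented for the table (SentinelResourceType, SentinelResourceName, SentinelResourceId, OperationName, Status, Reason); the table was still in preview when this thread was written, so confirm the column names and OperationName values in your own workspace before relying on it.

```kql
// Added example (not from the thread): last run, last status and failure count per rule,
// from SentinelHealth. Column names are an assumption based on the documented schema.
SentinelHealth
| where TimeGenerated > ago(24h)
| where SentinelResourceType == "Analytics Rule"
// Both scheduled and near-real-time rules log a run record; adjust if your tenant differs
| where OperationName in ("Scheduled analytics rule run", "NRT analytics rule run")
| summarize Runs = count(),
            Failures = countif(Status != "Success"),
            arg_max(TimeGenerated, Status, Reason)      // most recent run and its outcome
    by RuleName = SentinelResourceName, RuleId = SentinelResourceId
| project RuleName, RuleId,
          LastRun = TimeGenerated,
          LastStatus = Status,
          LastReason = Reason,
          Runs, Failures,
          // Hours since the rule last ran; compare against its query frequency to spot stalls
          HoursSinceLastRun = datetime_diff('hour', now(), TimeGenerated)
| order by Failures desc, LastRun asc
```

A rule that is enabled but has no rows here in a window longer than its frequency is the case the incident-based queries cannot detect; the scheduled frequency itself still has to come from the alert-rules API, since the health record does not carry it.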