Forum Discussion
raju_ninja007
Jun 30, 2022, Copper Contributor
Query Analytic Rules
Hello there, is it possible to query analytics rules for their status, last run and scheduled time? If so, which table to query? Rod_Trent samikroy Thank you, Raju
Clive_Watson
Jun 30, 2022, Bronze Contributor
Q1: yes, the SecurityIncident and SecurityAlert tables hold the last run time. Basic example:
// last modified time for unique incident numbers
SecurityIncident
| summarize arg_max(LastModifiedTime,*) by IncidentNumber
There are columns for TimeGenerated, LastModifiedTime (used above), LastActivityTime, CreatedTime, ClosedTime, ...
Also see: https://techcommunity.microsoft.com/t5/microsoft-sentinel/enrich-table-with-entities-from-security-incident/m-p/3351626
Q2. The rule will run from the time from when it was enabled/deployed.
i.e. If you enable the rule at 8am, and ask it to run each hour it will fire at 9am, 10am, 11am etc... You can't (yet, but it's been requested) specify a launch time, like 8:05am.
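As an added example (not Clive's query, and not from the original thread), the query below turns the arg_max pattern above into a per-rule view. It relies on the SecurityIncident column RelatedAnalyticRuleIds, a dynamic array of the analytics rule resource ids that produced each incident, plus the CreatedTime, Status and Title columns; the 30-day window and the output column names are my choices. Note what it does and does not answer: it reports the last time each rule produced an incident, not the last time the rule was evaluated, and a rule that ran on schedule but matched nothing will not appear at all.

```kql
// Added example: last incident produced per analytics rule (assumes the
// SecurityIncident columns RelatedAnalyticRuleIds, CreatedTime, Status, Title).
// This is "last time the rule fired", not "last time the rule ran".
SecurityIncident
| where TimeGenerated > ago(30d)                                 // constructed look-back window
// keep only the latest version of each incident, as in the answer above
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// one row per (incident, rule id); an incident can be linked to several rules
| mv-expand RuleResourceId = RelatedAnalyticRuleIds to typeof(string)
// the rule id is the last segment of the ARM resource id
| extend RuleId = extract(@"([^/]+)$", 1, RuleResourceId)
| summarize LastIncidentCreated = max(CreatedTime),
            LastModified        = max(LastModifiedTime),
            IncidentCount       = dcount(IncidentNumber),
            OpenIncidents       = dcountif(IncidentNumber, Status != "Closed"),
            ExampleTitle        = take_any(Title)                 // usually the rule name for scheduled rules
          by RuleId
| order by LastIncidentCreated desc
```

A rule's enabled state and its schedule are properties of the rule definition rather than rows in a log table, so a query over SecurityIncident or SecurityAlert can only ever tell you what the rules have produced.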
GaryBushey
Jul 01, 2022, Bronze Contributor
Clive_Watson For Q1 wouldn't that only show the last time the rule found something, not necessarily the last time it was run?
- Clive_Watson, Jul 01, 2022, Bronze Contributor
GaryBushey yes, you are correct