Forum Discussion
Sentinel alert threshold
- Jun 30, 2022
Hello idontknowanything,
When you create an Analytics rule, under "Set rule logic" you have the following setting:
- esschotenw, Jul 05, 2023, Copper Contributor
Hi mikhailf,
Is it true that the Threshold in the detection rule has been removed? I no longer see this option in the rules when I want to edit them. In the "Set rule logic" tab, the Threshold option has disappeared.
- mikhailf, Jul 08, 2023, Iron Contributor
Hello esschotenw,
It is available for Scheduled queries. However, I do not see it for NRT rules. Please, check if you are trying to edit an NRT rule.
- esschotenw, Jul 08, 2023, Copper Contributor
Since yesterday, the Threshold option is available again. Maybe temporarily deleted/hidden?
Thanks!
- KubaTom, Jul 05, 2023, Brass Contributor
According to MS documentation below, the threshold option should still be visible, but I'm also not finding it there when editing existing or creating new analytics rules.
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#query-scheduling-and-alert-threshold
As a workaround you could just include the threshold in your query logic i.e. (edited as was incorrect before):
| summarize count() by Hostname
| where count_ > 100
- esschotenw, Jul 06, 2023, Copper Contributor
Yeah, I thought about that but as an MSSP we want to minimize editing in the query.
So I was wondering why the Threshold option is deleted.
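A fuller version of the workaround KubaTom describes, written as an added example rather than anything posted in this thread: the threshold is folded into the KQL of a scheduled analytics rule so the rule no longer depends on the "Alert threshold" setting of the "Set rule logic" tab. The table and columns (SecurityEvent, EventID 4625 for failed logons, Computer, Account, TimeGenerated) and the value 100 are assumptions chosen for illustration; the rule's lookback window ("Lookup data from the last") bounds the query period as usual.

```kusto
// Added example, not from the thread. Per-host threshold in the rule query,
// in the spirit of KubaTom's "summarize count() | where count_ > N" workaround.
// Assumed: SecurityEvent table, EventID 4625 = failed logon, threshold 100.
let Threshold = 100;
SecurityEvent
| where EventID == 4625
| summarize FailedLogons = count(),              // rows per host in the window
            DistinctAccounts = dcount(Account),  // breadth of the attempts
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer
| where FailedLogons > Threshold                 // threshold lives here, not in the UI
| project Computer, FailedLogons, DistinctAccounts, FirstSeen, LastSeen
```

Two things worth keeping in mind when replacing the UI setting this way. First, the semantics differ: the UI "Alert threshold" fires on the total number of rows the query returns, whereas this query applies the threshold per Computer and returns one row per host that crosses it, so the rule's own threshold should stay at the default "greater than 0". If you need the UI behaviour (alert only when the total count of matching rows exceeds N, while still returning those rows for the incident), compute the total in the query, for example with `toscalar(Matches | count)` in a `where` clause over a `let`-defined `Matches` table. Second, as esschotenw points out, the threshold becomes part of the query text, so tuning it means editing the query; keeping it in a single `let Threshold = ...;` line at the top at least makes that edit small and reviewable.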