Forum Discussion
idontknowanything
Jun 29, 2022 - Copper Contributor
Sentinel alert threshold
Hi everyone, looking into creating an alert. For example, let's say in syslog a switch/server fails and it generates entries in the syslog table that there is an issue. Let's say it creates 1000 cou...
mikhailf
Jun 30, 2022 - Steel Contributor
Hello idontknowanything,
When you create an Analytics rule, under "Set rule logic" you have the following setting:
esschotenw
Jul 05, 2023 - Copper Contributor
Hi mikhailf,
Is it true that the Threshold in the detection rule has been removed? I no longer see this option in the rules when I want to edit them. In the "Set rule logic" tab, the Threshold option has disappeared.
- mikhailf, Jul 08, 2023 - Steel Contributor
Hello esschotenw,
It is available for Scheduled queries. However, I do not see it for NRT rules. Please, check if you are trying to edit an NRT rule.
- esschotenw, Jul 08, 2023 - Copper Contributor
Since yesterday, the Threshold option is available again. Maybe temporarily deleted/hidden?
Thanks!
- KubaTom, Jul 05, 2023 - Brass Contributor
According to MS documentation below, the threshold option should still be visible, but I'm also not finding it there when editing existing or creating new analytics rules.
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#query-scheduling-and-alert-threshold
As a workaround you could just include the threshold in your query logic i.e. (edited as was incorrect before):
    | summarize count() by Hostname
    | where count_ > 100
- esschotenw, Jul 06, 2023 - Copper Contributor
Yeah, I thought about that but as an MSSP we want to minimize editing in the query.
So I was wondering why the Threshold option is deleted.
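The two approaches discussed in this thread, the rule's built-in "Generate alert when number of query results is greater than" threshold (mikhailf's reply) and KubaTom's workaround of putting the count comparison into the query itself, come down to the same thing: the rule fires when the query returns at least one row. The query below is an added example, not code from the thread or from Microsoft; it shows the workaround as a complete scheduled-rule query against the Syslog table. Column names (TimeGenerated, HostName, Facility, SeverityLevel, SyslogMessage) are the standard Syslog schema names (note the column is HostName, not Hostname as written in the thread); the threshold value, the lookback window and the severity filter are assumed values to be adjusted to the environment.

```kusto
// Added example: alert threshold folded into the query, so the analytics rule
// can keep its default threshold of "greater than 0" results.
let threshold = 100;      // assumed: alert when one host logs more than 100 failure events
let lookback = 1h;        // assumed: keep equal to the rule's "Lookup data from the last" setting
Syslog
| where TimeGenerated > ago(lookback)
// assumed filter for failure-type messages; narrow this to the device/message pattern you care about
| where SeverityLevel in ("err", "crit", "alert", "emerg")
| summarize
    EventCount    = count(),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated),
    SampleMessage = take_any(SyslogMessage)
    by HostName, Facility
// this line replaces the rule's "greater than X results" threshold
| where EventCount > threshold
| project HostName, Facility, EventCount, FirstSeen, LastSeen, SampleMessage
```

With the threshold inside the query, each returned row is one host that crossed the limit, so leave the rule's result threshold at "greater than 0" and map HostName to the Host entity so the incident carries the affected device. One caveat that applies equally to both approaches: the count covers the whole lookback window on every run, so a single burst of 1000 events will keep matching on each scheduled run until it ages out of the window. Either set "Run query every" equal to the lookback (non-overlapping windows) or enable the rule's suppression option so the same burst does not open a new incident every few minutes.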