Lookup of one Analytics Rule in Another


Hi Guys, 

 

I am trying to create one new rule in Sentinel Analytics which calls/looks up another previously created Analytics Rule. How can I achieve that? Could you kindly provide some input. It will be of great help. 

3 Replies

@kmanish  Not really sure what your scenario is here.  Do you want a new alert to start only after a different alert is created?   Or is it something else?

 

If you just want one alert to use the code from another one you would be better off copying the code and modifying it to fit your needs.


@Gary Bushey Hi Gary, 

Thanks for replying. Actually, I have already created one rule and wanted its results in the new rule (user_machine), which I have not created yet. 

 

One way is to write the query again for the already created rule in the new rule  (however that is a tedious task). 

 

The feature to call already created rules is there in many SIEM solutions. It will be useful if it is present in Sentinel. 


@kmanish Thank you for the clarification.  The "SecurityAlert" table in the Logs contains all the alerts that have been created.  You should be able to query that to get the information you need.
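As an added illustration of the approach in the reply above (this is example KQL written for this page, not code posted by either participant), the query below reads the alerts an existing scheduled analytics rule has already raised out of the SecurityAlert table and turns their account and host entities into user/machine pairs that a second rule could alert on or join against. The rule name "Suspicious Sign-in Activity" is a placeholder for the display name of the first rule; the 1d lookback is an assumption and should cover at least one run interval of the upstream rule. The entity property names (Type, Name, UPNSuffix, HostName) are the ones Sentinel writes into the Entities JSON for account and host entities.

```kusto
// Added example: consume the output of an existing analytics rule via SecurityAlert.
// Placeholder: replace with the display name of the rule whose results you want to reuse.
let upstreamRuleName = "Suspicious Sign-in Activity";
let lookback = 1d;   // assumption: must be >= the upstream rule's run frequency
SecurityAlert
| where TimeGenerated > ago(lookback)
// Alerts raised by Sentinel scheduled analytics rules carry this provider name;
// the filter also keeps the new rule from matching its own alerts.
| where ProviderName == "ASI Scheduled Alerts"
| where AlertName == upstreamRuleName
// Entities is a JSON string holding an array of entity objects, one per account/host/IP/etc.
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| extend EntityType = tostring(Entity.Type)
| extend Account = strcat(tostring(Entity.Name),
                          iff(isnotempty(tostring(Entity.UPNSuffix)),
                              strcat("@", tostring(Entity.UPNSuffix)), "")),
         Host = tostring(Entity.HostName)
// Collapse each alert back to one row with the set of accounts and hosts it named.
| summarize Accounts = make_set_if(Account, EntityType == "account"),
            Hosts    = make_set_if(Host, EntityType == "host")
          by SystemAlertId, AlertName, AlertSeverity, TimeGenerated
// One row per (account, host) pair; alerts with no host entity yield an empty Host.
| mv-expand Account = Accounts to typeof(string)
| mv-expand Host = Hosts to typeof(string)
| project TimeGenerated, AlertName, AlertSeverity, Account, Host, SystemAlertId
```

Two practical notes. First, this is chaining on emitted alerts, so the second rule sees the first rule's results only after the first rule has run; set the second rule's lookback and frequency accordingly, and keep the AlertName filter so a rule does not feed on its own output. Second, if the goal is only to reuse the query logic rather than the alerts themselves, saving the first rule's query as a Log Analytics function and calling that function from both rules avoids maintaining two copies of the same KQL.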