cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Analytic Rule Auditing with KQL

Alex_Bilsland
Copper Contributor

‎Sep 18 2023 07:55 AM

‎Sep 18 2023 07:55 AM

Analytic Rule Auditing with KQL

I'm looking to audit enabled analytic rules and perform transformations on the data using KQL and I'm wondering if this is possible?

 

I know that the API can be used to list the enabled analytic rules in the Log Analytics Workspace:

 

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provi...

 

Then when using a Workbook we can use an Azure Resource Manager query to use this same GET request to ingest the data into a Workbook parameter. From the ingested parameter can be used within the workbook to perform filtering on the data using KQL and is then presented within the workbook.

 

I'm wondering if there's a way to do something like this outside of the workbooks functionality? Is there a way to pull the information using the API, but then still use KQL to do what I want with the data? A use case example for this would be if I wanted to take the data, transform it, then export the output to another external application.

 

Thanks

Labels:
1,192 Views
1 Like
4 Replies
Reply
4 Replies
best response confirmed by Alex_Bilsland (Copper Contributor)
Clive_Watson

‎Sep 18 2023 08:20 AM

‎Sep 18 2023 08:20 AM

Solution

Re: Analytic Rule Auditing with KQL

You can but you'd need to ingest the data from the api, into a custom table - then you can use KQL on it. You can probably also use a Playbook to read the api, transform the data and export to your app in a single operation as well.
Note: If you do ingest it, you probably only need to to this once a day (or maybe less), so it's very low volume/cost.

I also showed the Workbook method in "Workspace Usage" --> Regular Checks --> Weekly --> Rules
1 Like
Reply
Alex_Bilsland

‎Sep 18 2023 11:29 PM

‎Sep 18 2023 11:29 PM

Re: Analytic Rule Auditing with KQL

Thanks Clive, much appreciated.
0 Likes
Reply
Eelco510

‎Sep 20 2023 01:38 AM

‎Sep 20 2023 01:38 AM

Re: Analytic Rule Auditing with KQL

@Clive_Watson 

 

Not sure if this is what you need, but you can use this KQL query to audit for enabled and updated analytic rules:
Azure-Sentinel/Tools/Audit-Sentinel-Detection/Readme.md at master · Azure/Azure-Sentinel · GitHub

0 Likes
Reply
Alex_Bilsland

‎Sep 20 2023 01:54 AM

‎Sep 20 2023 01:54 AM

Re: Analytic Rule Auditing with KQL

Thanks for your reply, the issue with this solution is that it will only pick up changes in state. I've ended up using the API to list out the analytics, pass it into a logic app, parse it, and from there I've used a LAW as a staging area to do the transformation on the parsed data.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Alex_Bilsland (Copper Contributor)
Clive_Watson

‎Sep 18 2023 08:20 AM

‎Sep 18 2023 08:20 AM

Solution

Re: Analytic Rule Auditing with KQL

You can but you'd need to ingest the data from the api, into a custom table - then you can use KQL on it. You can probably also use a Playbook to read the api, transform the data and export to your app in a single operation as well.
Note: If you do ingest it, you probably only need to to this once a day (or maybe less), so it's very low volume/cost.

I also showed the Workbook method in "Workspace Usage" --> Regular Checks --> Weekly --> Rules

View solution in original post

1 Like
Reply