Analytic Rule Auditing with KQL

Copper Contributor

I'm looking to audit enabled analytic rules and perform transformations on the data using KQL and I'm wondering if this is possible?


I know that the API can be used to list the enabled analytic rules in the Log Analytics Workspace:




Then when using a Workbook we can use an Azure Resource Manager query to use this same GET request to ingest the data into a Workbook parameter. From the ingested parameter can be used within the workbook to perform filtering on the data using KQL and is then presented within the workbook.


I'm wondering if there's a way to do something like this outside of the workbooks functionality? Is there a way to pull the information using the API, but then still use KQL to do what I want with the data? A use case example for this would be if I wanted to take the data, transform it, then export the output to another external application.



4 Replies
best response confirmed by Alex_Bilsland (Copper Contributor)
You can but you'd need to ingest the data from the api, into a custom table - then you can use KQL on it. You can probably also use a Playbook to read the api, transform the data and export to your app in a single operation as well.
Note: If you do ingest it, you probably only need to to this once a day (or maybe less), so it's very low volume/cost.

I also showed the Workbook method in "Workspace Usage" --> Regular Checks --> Weekly --> Rules
Thanks Clive, much appreciated.



Not sure if this is what you need, but you can use this KQL query to audit for enabled and updated analytic rules:
Azure-Sentinel/Tools/Audit-Sentinel-Detection/ at master · Azure/Azure-Sentinel · GitHub

Thanks for your reply, the issue with this solution is that it will only pick up changes in state. I've ended up using the API to list out the analytics, pass it into a logic app, parse it, and from there I've used a LAW as a staging area to do the transformation on the parsed data.