SOLVED

Get a list of rules that haven't triggered any alerts/incidents

New Contributor

Hi everyone,

 

I'm trying to create a workbook that will list analytics rules that haven't triggered any alerts/incidents in specified time range (e.g. in last 7 days). First step is to prepare a KQL query, and as there is no rules table (list of rules is only available through REST API) my idea is:

  • create Logic App that runs on a schedule, gets the list of all rules and stores it in the watchlist
  • joint this watchlist with alerts (or incidents) table and find without corresponding alerts/incidents
    • use left anti or right anti join

I've looked at "Security Operations Efficiency" and "Analytics Efficiency" workbooks but they don't cover this requirement.

Has anyone done something similar, is there a better way to get the data (without Logic App and watchlist)?

 

Thanks,

Bojan

6 Replies
best response confirmed by Bojan Pasic (New Contributor)
Solution
The Workbook "Analytic Efficiency" does this

@Clive_Watson I agree.  Select one or more of the rules that are listed and then scroll down to the bottom of the page and look at the "Rules that require attention".   This will tell you if the rule has created an alert within in the selected timespan. 

 

Unfortunately, there does not appear to be any way to select all the rules at one time but at the very least it will tell you the query that it uses to determine if the rule has kicked off an alert or not and you can go from there.

@Gary Bushey

Check the "top tick box" - to select All

 

Clive_Watson_0-1654081037407.png

 

Thanks, looks like I missed that one ("Rules that require attention").
Weird. I don't see that in my environment at all.
I've seen that before....but never worked out why. Sometimes toggling between workspace and subscriptions seems to make it appear