cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Get a list of rules that haven't triggered any alerts/incidents

Bojan Pasic
Copper Contributor

‎Jun 01 2022 02:56 AM - edited ‎Jun 01 2022 03:00 AM

‎Jun 01 2022 02:56 AM - edited ‎Jun 01 2022 03:00 AM

Get a list of rules that haven't triggered any alerts/incidents

Hi everyone,

 

I'm trying to create a workbook that will list analytics rules that haven't triggered any alerts/incidents in specified time range (e.g. in last 7 days). First step is to prepare a KQL query, and as there is no rules table (list of rules is only available through REST API) my idea is:

  • create Logic App that runs on a schedule, gets the list of all rules and stores it in the watchlist
  • joint this watchlist with alerts (or incidents) table and find without corresponding alerts/incidents
    • use left anti or right anti join

I've looked at "Security Operations Efficiency" and "Analytics Efficiency" workbooks but they don't cover this requirement.

Has anyone done something similar, is there a better way to get the data (without Logic App and watchlist)?

 

Thanks,

Bojan

Labels:
1,237 Views
0 Likes
6 Replies
Reply
6 Replies
best response confirmed by Bojan Pasic (Copper Contributor)
Clive_Watson

‎Jun 01 2022 03:44 AM

‎Jun 01 2022 03:44 AM

Solution

Re: Get a list of rules that haven't triggered any alerts/incidents

The Workbook "Analytic Efficiency" does this
0 Likes
Reply
Gary Bushey

‎Jun 01 2022 03:55 AM

‎Jun 01 2022 03:55 AM

Re: Get a list of rules that haven't triggered any alerts/incidents

@Clive_Watson I agree.  Select one or more of the rules that are listed and then scroll down to the bottom of the page and look at the "Rules that require attention".   This will tell you if the rule has created an alert within in the selected timespan. 

 

Unfortunately, there does not appear to be any way to select all the rules at one time but at the very least it will tell you the query that it uses to determine if the rule has kicked off an alert or not and you can go from there.

0 Likes
Reply
Clive_Watson

‎Jun 01 2022 03:57 AM

‎Jun 01 2022 03:57 AM

Re: Get a list of rules that haven't triggered any alerts/incidents

@Gary Bushey

Check the "top tick box" - to select All

 

Clive_Watson_0-1654081037407.png

 

0 Likes
Reply
Bojan Pasic

‎Jun 01 2022 04:03 AM

‎Jun 01 2022 04:03 AM

Re: Get a list of rules that haven't triggered any alerts/incidents

Thanks, looks like I missed that one ("Rules that require attention").
0 Likes
Reply
Gary Bushey

‎Jun 01 2022 06:20 AM

‎Jun 01 2022 06:20 AM

Re: Get a list of rules that haven't triggered any alerts/incidents

Weird. I don't see that in my environment at all.
0 Likes
Reply
Clive_Watson

‎Jun 01 2022 06:35 AM

‎Jun 01 2022 06:35 AM

Re: Get a list of rules that haven't triggered any alerts/incidents

I've seen that before....but never worked out why. Sometimes toggling between workspace and subscriptions seems to make it appear
0 Likes
Reply