Jan 07 2020 06:58 AM - edited Jan 07 2020 06:59 AM
Hi Guys,
I am trying to create a new rule in Sentinel Analytics which calls/looks up another previously created Analytics Rule. How can I achieve that? Could you kindly provide some input? It will be of great help.
Jan 07 2020 09:17 AM
@kmanish Not really sure what your scenario is here. Do you want a new alert to start only after a different alert is created? Or is it something else?
If you just want one alert to use the code from another one you would be better off copying the code and modifying it to fit your needs.
Jan 07 2020 10:53 AM
@Gary Bushey Hi Gary,
Thanks for replying. Actually, I have already created one rule and want its results in the new rule (user_machine), which I have not created yet.
One way is to write the query again for the already created rule in the new rule (however that is a tedious task).
The feature to call already created rules is there in many SIEM solutions. It will be useful if it is present in Sentinel.
Jan 08 2020 02:14 PM
@kmanish Thank you for the clarification. The "SecurityAlert" table in the Logs contains all the alerts that have been created. You should be able to query that to get the information you need.
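An added KQL example (not from any of the posters) showing how the SecurityAlert suggestion above can be wired into a new rule: the accounts flagged by an existing scheduled rule are read from the alert entities and correlated with later logons to produce user/machine pairs. It assumes a placeholder rule name "Suspicious Logon Pattern", Windows logon events in SecurityEvent, and a one-day lookback.

```kql
// Added example (not from the thread). Reuses the alerts of an existing scheduled
// rule as input to a new rule instead of re-implementing its query.
// Assumptions: the existing rule is named "Suspicious Logon Pattern" (placeholder),
// Windows logon events are in SecurityEvent, and a 1-day lookback is acceptable.
let ExistingRuleName = "Suspicious Logon Pattern";
let lookback = 1d;
// 1. Accounts flagged by the existing rule, taken from each alert's entity list.
let FlaggedAccounts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "ASI Scheduled Alerts"  // alerts produced by Sentinel scheduled rules
    | where AlertName == ExistingRuleName
    | where Status != "Resolved"                    // skip alerts an analyst already closed
    | extend EntityList = todynamic(Entities)       // Entities is a JSON array stored as a string
    | mv-expand Entity = EntityList                 // one row per entity
    | where tostring(Entity.Type) == "account"
    | extend Account = tolower(tostring(Entity.Name))
    | where isnotempty(Account)
    | summarize FirstAlert = min(TimeGenerated), AlertIds = make_set(SystemAlertId) by Account
    | extend AlertIdList = tostring(AlertIds);
// 2. The new rule: which machines did the flagged accounts log on to after the alert?
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624                             // successful logon
| extend Account = tolower(TargetUserName)
| join kind=inner FlaggedAccounts on Account
| where TimeGenerated > FirstAlert                  // only activity after the original alert
| summarize LogonCount = count(), Hosts = make_set(Computer), LogonTypes = make_set(LogonType)
    by Account, FirstAlert, AlertIdList
| project FirstAlert, Account, Hosts, LogonCount, LogonTypes, RelatedAlerts = AlertIdList
```

Because the query reads the stored alerts rather than the first rule's query, changes to the original rule are picked up automatically, but the new rule only sees activity after the first rule has fired and been written to SecurityAlert.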