Query Analytic Rules


Hello There,


Is it possible to query analytics rules for their status, last run & scheduled time....?


If so, which table to query?


@Rod_Trent @samikroy 


Thank you,


5 Replies
SentinelHealth is still in private preview but should be available soon. When available:

Q1: Yes, the SecurityIncident and SecurityAlert tables hold the last run time. Basic example:

// last modified time for unique incident numbers (one row per incident, latest update wins)
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber

There are columns for TimeGenerated, LastModifiedTime (used above), LastActivityTime, CreatedTime, ClosedTime...
Also see: https://techcommunity.microsoft.com/t5/microsoft-sentinel/enrich-table-with-entities-from-security-i...

Q2. The rule will run from the time when it was enabled/deployed.
i.e., if you enable the rule at 8am and ask it to run each hour, it will fire at 9am, 10am, 11am, etc. You can't (yet, but it's been requested) specify a launch time, like 8:05am.
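The reply above points at SentinelHealth for rule status and last run time once the table is available. The KQL below is an added example, not from the original thread; it assumes the SentinelHealth table exposes SentinelResourceType, SentinelResourceName, SentinelResourceId, OperationName, Status and Reason columns for analytics rule runs, and that Status uses the value "Failure" for failed runs. Verify those column names and values in your own workspace before relying on the query.

```kusto
// Added example, not from the original thread.
// Assumption: SentinelHealth records one row per scheduled analytics rule run,
// with SentinelResourceType == "Analytics Rule" and a Status/Reason per run.
SentinelHealth
| where TimeGenerated > ago(7d)
| where SentinelResourceType == "Analytics Rule"
// Latest run per rule, plus run and failure counts over the window
| summarize arg_max(TimeGenerated, Status, Reason, OperationName),
            Runs = count(),
            Failures = countif(Status == "Failure")
  by SentinelResourceName, SentinelResourceId
| project-rename LastRun = TimeGenerated, LastStatus = Status, LastReason = Reason
// Flag rules that have not reported a run recently (threshold is an assumption; tune to your schedules)
| extend HoursSinceLastRun = datetime_diff('hour', now(), LastRun)
| extend Stale = HoursSinceLastRun > 24
| order by Stale desc, Failures desc, LastRun desc
```

Unlike the SecurityIncident approach, this reports a run even when the rule matched nothing, so a rule that is enabled but silently failing shows up with a non-zero Failures count or a growing HoursSinceLastRun rather than simply disappearing from the results.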
@raju_ninja007 - In addition, there is a workbook named Log Sources & Analytic Rule Coverage in the Sentinel Workbook gallery that shows the rules in detail; it uses the API below to extract the details.
You can also leverage the SecurityIncident table to get the latest incident created by a rule.

@Clive_Watson For Q1 wouldn't that only show the last time the rule found something, not necessarily the last time it was run?

@Gary Bushey Yes, you are correct.
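The thread settles on the point that SecurityIncident only shows the last time a rule found something, not the last time it ran. The KQL below is an added example, not from the original thread, that makes that distinction explicit: it reports the last incident per analytics rule from SecurityIncident, using the real RelatedAnalyticRuleIds, Title, Status, CreatedTime and LastModifiedTime columns, and the 30-day window and the "New"/"Active" status values used for the open-incident count are assumptions to adjust for your workspace.

```kusto
// Added example, not from the original thread.
// Last incident per analytics rule. Caveat from the thread: this is the last
// time the rule *matched*, not the last time it *ran*; a rule that ran and
// found nothing has no row here at all.
SecurityIncident
| where TimeGenerated > ago(30d)   // window is an assumption; widen for low-volume rules
// Each update to an incident is a new row; keep only the latest state per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// RelatedAnalyticRuleIds is a dynamic array (an incident can come from more than one rule);
// expand it so each rule is credited with the incident
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
| summarize LastIncidentCreated = max(CreatedTime),
            LastIncidentModified = max(LastModifiedTime),
            IncidentCount = count(),
            OpenIncidents = countif(Status == "New" or Status == "Active"),
            RuleTitle = take_any(Title)
  by RuleId
| extend HoursSinceLastHit = datetime_diff('hour', now(), LastIncidentCreated)
| order by LastIncidentCreated desc
```

Rules that never appear in this output are the interesting ones: they are either healthy and quiet or broken and silent, and this table cannot tell you which. Pair it with a run-level source (the SentinelHealth table once it is available in your tenant, or the workbook mentioned above) to separate the two.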