Query Analytic Rules

Senior Member

Hello There,

 

Is it possible to query analytics rules for their status, last run & scheduled time....?

 

If so, which table to query?

 

@rodtrent @samikroy 

 

Thank you,

Raju

5 Replies
SentinelHealth is still in private preview but should be available soon. When available:

https://github.com/rod-trent/SentinelKQL/blob/master/UnsuccessfulRulesinLast24.txt
Q1: yes, the SecurityIncident and SecurityAlert Tables hold the last run time, basic example:

// last modified time for unique incident numbers
SecurityIncident
| summarize arg_max(LastModifiedTime,*) by IncidentNumber

There are columns for TimeGenerated, Last Modified (used above), LastActivity, createdTime, ClosedTime...
Also see: https://techcommunity.microsoft.com/t5/microsoft-sentinel/enrich-table-with-entities-from-security-i...

Q2. The rule will run from the time from when it was enabled/deployed.
i.e. If you enable the rule at 8am, and ask it to run each hour it will fire at 9am, 10am, 11am etc... You can't (yet, but it's been requested) specify a launch time, like 8:05am.
@raju_ninja007 - In addition, there is a workbook available named Log Sources & Analytic Rule Coverage in Sentinel Workbook gallery to view the rule in detail which uses the below API to extract the details
https://docs.microsoft.com/en-us/rest/api/securityinsights/stable/alert-rules/list
And you can leverage SecurityIncident table to get the latest incident created from rule.

@Clive_Watson For Q1 wouldn't that only show the last time the rule found something, not necessarily the last time it was run?

@Gary Bushey yes, you are correct