Query Details

Automation Rule Has Run

Query

//Identify when Automation rules have run.

SecurityIncident
| where TimeGenerated >= ago(90d)                 // one row per incident update in the lookback window
| where ModifiedBy contains "Automation rule"     // updates made by an automation rule (contains is case-insensitive)
| parse-where ModifiedBy with * "rule - " Rule_Name  // pull the rule name out of the modifier string; non-matching rows are dropped
| distinct Incident_Number = ProviderIncidentId, Rule_Name, TimeGenerated

Explanation

This query lists security incidents that were updated by an automation rule in the past 90 days. The SecurityIncident table stores one row per incident update, so each rule run shows up as its own row. The query keeps rows whose "ModifiedBy" field contains the phrase "Automation rule" (the contains operator is case-insensitive), then uses the "parse-where" operator to extract the rule name from the text that follows "rule - "; rows whose ModifiedBy value does not match that pattern are filtered out rather than returned with an empty Rule_Name. Finally, it returns a distinct list of incident numbers, rule names, and the time of each update.
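Building on the same filter, the following query is an added example (not part of the original page) that summarises the rows per rule instead of listing them, so you can see how often each automation rule has fired, how many distinct incidents it touched, and whether it has gone quiet. The 90d lookback and the 7d "recently run" threshold are assumptions chosen for illustration; the column names are the ones already used above.

```kql
// Added example: per-rule run statistics from SecurityIncident.
// Lookback window and the "recent" threshold below are assumed values; adjust to taste.
let lookback = 90d;
let recent = 7d;
let RuleRuns =
    SecurityIncident
    | where TimeGenerated >= ago(lookback)
    | where ModifiedBy contains "Automation rule"
    | parse-where ModifiedBy with * "rule - " Rule_Name;
RuleRuns
| summarize
    Runs = count(),                          // number of incident updates made by the rule
    Incidents = dcount(ProviderIncidentId),  // distinct incidents the rule touched
    FirstRun = min(TimeGenerated),
    LastRun = max(TimeGenerated)
    by Rule_Name
| extend RecentlyRun = LastRun >= ago(recent)
| order by LastRun asc
```

Runs and Incidents differ whenever a rule modifies the same incident more than once (for example on create and again on a later update), so a rule with many runs but few incidents is usually re-triggering rather than handling new work. Rules with RecentlyRun = false but a non-trivial Runs count are worth checking in the Automation blade: either their trigger conditions stopped matching or the rule was disabled.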

Details


Rod Trent

Released: August 31, 2022

Tables

SecurityIncident

Keywords

SecurityIncident,TimeGenerated,ModifiedBy,Automationrule,Rule_Name,ProviderIncidentId

Operators

|, where, >=, ago, contains, parse-where, with, *, distinct
