Query Details

NRT Failed

Query

//Shows when an NRT rule failed to run and supplies the reason.


SentinelHealth
| where OperationName == "NRT analytics rule run"
| where Status == "Failure"
| project SentinelResourceName, Status, Description

Explanation

This query lists near-real-time (NRT) analytics rule runs that failed and provides the reason for each failure. It reads the SentinelHealth table and returns the Sentinel resource name, status, and description for each failed rule run.

Details

Rod Trent

Released: January 17, 2023

Tables

SentinelHealth

Keywords

SentinelHealth,OperationName,NRT,Status,Failure,project,SentinelResourceName,Description

Operators

where, ==, project