# Sentinel - Analytic Rules updates
## Query Information
### Description
Use the queries below to retrieve information about updates made to Sentinel analytic rules (creations, modifications and deletions) from the `SentinelAudit` table.
#### References
- [Monitor the health and audit the integrity of your analytics rules](https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity)
### Microsoft Sentinel
List all analytic rules updates
```kql
SentinelAudit
| where TimeGenerated > ago(180d)
| where Description == "Create or update analytics rule."
| extend CallerIpAddress = tostring(ExtendedProperties.CallerIpAddress)
| extend CallerName = tostring(ExtendedProperties.CallerName)
| extend enabled = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.OriginalResourceState)).properties)).enabled)
| project TimeGenerated, SentinelResourceType, SentinelResourceName, CallerIpAddress, CallerName, enabled
```
List all analytic rules updates that were made by users not listed in the CloudAdmins watchlist
```kql
let CloudAdmins = _GetWatchlist('CloudAdmins')
| project ['AccountUPN'];
SentinelAudit
| where TimeGenerated > ago(180d)
| where Description == "Create or update analytics rule."
| extend CallerIpAddress = tostring(ExtendedProperties.CallerIpAddress)
| extend CallerName = tostring(ExtendedProperties.CallerName)
| extend enabled = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.OriginalResourceState)).properties)).enabled)
| project TimeGenerated, SentinelResourceType, SentinelResourceName, CallerIpAddress, CallerName, enabled
| where CallerName !in (CloudAdmins)
```
List deleted Analytic Rules
```kql
_SentinelAudit()
| where TimeGenerated > ago(180d)
| where SentinelResourceType == "Analytic Rule"
| where Description == "Analytics rule deleted"
| extend CallerIpAddress = tostring(ExtendedProperties.CallerIpAddress)
| extend CallerName = tostring(ExtendedProperties.CallerName)
| project TimeGenerated, SentinelResourceType, SentinelResourceName, CallerIpAddress, CallerName
```
The first query retrieves all create-or-update events for Sentinel analytic rules. It projects the time of the change, the type and name of the Sentinel resource, the caller's IP address and name, and the rule's `enabled` flag. Note that this flag is parsed from `ExtendedProperties.OriginalResourceState`, so it reflects the rule's state before the update was applied, not after it.
The second query is the same as the first, but it excludes changes made by accounts whose UPN is listed in the `CloudAdmins` watchlist, so only changes from accounts outside that list remain. The comparison is against `CallerName`, so the watchlist's `AccountUPN` values must match the caller name format that appears in `SentinelAudit`.
The third query lists deleted analytic rules. It projects the time of the deletion, the type and name of the Sentinel resource, and the caller's IP address and name. It uses the `_SentinelAudit()` function rather than the table name directly; both return the same audit records.
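The first query only shows the rule's state before each update, which is enough to list changes but not to tell whether a change actually disabled a rule. The following query is an added example and is not part of the original page. It compares the pre-update and post-update rule definitions to surface rules that went from enabled to disabled, restricted to callers outside the `CloudAdmins` watchlist. It assumes that `ExtendedProperties` also carries an `UpdatedResourceState` property with the same shape as `OriginalResourceState`; the watchlist name and its `AccountUPN` column are taken from the second query above.

```kql
// Added example (not from the original page): analytic rules switched from
// enabled to disabled by accounts that are not in the CloudAdmins watchlist.
// Assumption: ExtendedProperties.UpdatedResourceState holds the post-update
// rule definition in the same JSON-in-string form as OriginalResourceState.
let CloudAdmins = _GetWatchlist('CloudAdmins')
    | project AccountUPN;
SentinelAudit
| where TimeGenerated > ago(30d)
| where SentinelResourceType == "Analytic Rule"
| where Description == "Create or update analytics rule."
| extend CallerIpAddress = tostring(ExtendedProperties.CallerIpAddress)
| extend CallerName = tostring(ExtendedProperties.CallerName)
// OriginalResourceState / UpdatedResourceState are JSON strings; unpack twice
// to reach the rule's "properties" object.
| extend OriginalProps = parse_json(tostring(parse_json(tostring(ExtendedProperties.OriginalResourceState)).properties))
| extend UpdatedProps  = parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties))
| extend WasEnabled = tobool(OriginalProps.enabled), IsEnabled = tobool(UpdatedProps.enabled)
// Keep only transitions from enabled to disabled.
| where WasEnabled == true and IsEnabled == false
// Drop changes made by the expected administrator accounts.
| where CallerName !in (CloudAdmins)
| project TimeGenerated, SentinelResourceName, CallerName, CallerIpAddress, WasEnabled, IsEnabled
| order by TimeGenerated desc
```

Rule disabling by an unexpected account is a common sign of detection tampering, so this query is a reasonable candidate for a scheduled analytic rule of its own; widen the `ago()` window when validating it against historical data.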

Alex Verboon
Released: September 18, 2023