Query Details

Unsuccessful Rules in Last 24

Query

//Sentinel Health must be enabled (https://cda.ms/3Fd). This shows rules that have not executed successfully in the last 24 hours and how many times each failed.

//General query version to show Analytics Rules not firing or not firing completely (partial success)
//Note: no "distinct" before the summarize, otherwise every rule would be counted exactly once
SentinelHealth
| where TimeGenerated >= ago(1d)
| where OperationName == "Scheduled analytics rule run"
| where Status != "Success"
| summarize count() by SentinelResourceName


//Analytics Rule version to show partial success. See: https://urlcoming
SentinelHealth
| where TimeGenerated >= ago(1d)
| where OperationName == "Scheduled analytics rule run"
| where Status != "Success"


//Analytics Rule version to show complete failure. See: https://urlcoming
SentinelHealth
| where TimeGenerated >= ago(1d)
| where OperationName == "Scheduled analytics rule run"
| where Status == "Failure"

Explanation

This query uses the SentinelHealth table to identify analytics rules that have not executed successfully in the last 24 hours. It lists the rules that have failed and how many times each has failed. Besides the general version, there are two Analytics Rule versions: one that lists partial-success runs and another that lists complete failures. All of them filter on the time generated, the operation name, and the status of the analytics rule run.
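As an added example (not part of the original query page), the following KQL extends the same detection into a per-rule health summary that is more useful for triage: it separates partial successes from complete failures, records the time of the most recent unsuccessful run, and collects the reported reasons. It assumes the standard SentinelHealth schema, in particular the Reason column and the Status values "Partial success" and "Failure"; the alerting threshold on the last line is a constructed example value, not a recommended one.

```kql
// Added example: per-rule summary of unsuccessful scheduled analytics rule runs
// in the last 24 hours. Assumes the standard SentinelHealth columns
// (Reason, Status) and the Status values "Partial success" / "Failure".
SentinelHealth
| where TimeGenerated >= ago(1d)
| where OperationName == "Scheduled analytics rule run"
| where Status != "Success"
| summarize
    UnsuccessfulRuns = count(),
    PartialRuns = countif(Status == "Partial success"),
    FailedRuns = countif(Status == "Failure"),
    LastUnsuccessfulRun = max(TimeGenerated),
    Reasons = make_set(Reason, 5)           // up to five distinct reason strings per rule
  by SentinelResourceName
// Example threshold (constructed): any hard failure, or repeated partial success
| where FailedRuns > 0 or PartialRuns >= 3
| order by FailedRuns desc, UnsuccessfulRuns desc
```

A rule that shows up here with FailedRuns > 0 has produced no alerts for those runs at all, so detection coverage for that rule has a gap of at least one scheduling interval; the Reasons set usually points at the cause (for example a query error or a missing table) without having to open each health record.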

Details


Rod Trent

Released: January 20, 2022

Tables

SentinelHealth

Keywords

SentinelHealth,TimeGenerated,OperationName,Status,SentinelResourceName

Operators

where, ago, ==, !=, distinct, summarize, count()
