Display the Azure Sentinel Analytics Rules that have produced Incidents

Working with a customer today, they wanted to understand which Analytics Rules were most active (hitting their thresholds) and how many times each had fired. It didn't take long to whip up a KQL query to retrieve the information, but I thought it worth sharing in case someone else is looking to do this, too. Sharing makes us all smarter.

Of course, this would make great data for a Workbook, too, as part of an overall set of visuals. So, feel free to create your own and share it back to the community.


Query:

// Alerts raised by Analytics Rules, counted per rule name
SecurityAlert
| where ProviderName contains "ASI"
| summarize count() by DisplayName


Grab it from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/AnalyticsRulesRunbyTimes.txt

P.S. Change the query's time range to look back further, or add a where TimeGenerated > ago() clause to the query.
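As an added example (not part of the original post or the GitHub file), here is the same query with the TimeGenerated window from the P.S. built in, plus severity, first/last firing time and a per-day rate so the noisiest rules float to the top. The 30-day window and the extra columns are choices made here, not something the post prescribes; note that this counts alerts in SecurityAlert, and a single Sentinel incident can group several alerts.

```kql
// Added example: Analytics Rule alert volume over a fixed lookback window.
// Assumes the standard SecurityAlert schema (TimeGenerated, ProviderName,
// DisplayName, AlertSeverity); the 30d window is an arbitrary choice.
let lookback = 30d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName contains "ASI"          // Analytics Rule alerts, as in the post
| summarize
    Alerts     = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Severities = make_set(AlertSeverity)
  by DisplayName
// timespan / timespan yields a real, so this is alerts per day over the window
| extend AlertsPerDay = round(todouble(Alerts) / (lookback / 1d), 2)
| order by Alerts desc
```

A rule with a high AlertsPerDay and a single severity value is usually a tuning candidate; one whose LastSeen is near the start of the window may have stopped matching and is worth checking for a broken data source.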
