How to Force an Azure Sentinel Analytics Rule to Run

Azure Sentinel is the gift that just keeps on giving. The product team does a good job highlighting the major areas of new features, but there are also tiny enhancements that happen all the time and never get their due.

One such case is what I discovered today.

I’ve always suggested that it would be valuable if you could force an Analytics Rule to kick off and do an immediate analysis of the data. Well, now that’s possible.

All you need to do is modify the schedule of an Analytics Rule and save it. Wait a few seconds and then refresh the Incident listing. The new Incident is generated.

Adjust the schedule slightly to force the rule to execute

This is (sort of) combining Hunting (a manual operation) and Analytics Rules (automated analysis).

P.S. This will work with any Analytics Rule that is schedule-based.
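To script the same nudge instead of clicking through the portal, here is an added PowerShell example (not from the post) that reads a scheduled rule through the Azure Resource Manager REST API, shifts its queryFrequency by one minute and saves it back; the subscription, resource group, workspace and rule id are placeholders, and it assumes the Az.Accounts module with a signed-in session.

```powershell
# Added example, not part of the original post: force a scheduled Analytics Rule to run
# by changing its schedule and saving it, the same thing the portal does on Save.
# Assumes Az.Accounts is installed and Connect-AzAccount has already been run.
param(
    [string]$SubscriptionId = '<subscription-id>',   # placeholder
    [string]$ResourceGroup  = '<resource-group>',    # placeholder
    [string]$Workspace      = '<workspace-name>',    # placeholder
    [string]$RuleId         = '<rule-id-guid>'       # placeholder
)

$apiVersion = '2021-10-01'
$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/alertRules/${RuleId}?api-version=$apiVersion"

# Read the rule exactly as it is stored today.
$resp = Invoke-AzRestMethod -Path $path -Method GET
if ($resp.StatusCode -ne 200) { throw "GET failed: $($resp.StatusCode) $($resp.Content)" }
$rule = $resp.Content | ConvertFrom-Json

# Only schedule-based rules carry a queryFrequency (this is the post's P.S.).
if ($rule.kind -ne 'Scheduled') { throw "Rule $RuleId is of kind '$($rule.kind)', not Scheduled" }

# Sentinel stores the schedule as ISO 8601 durations (e.g. PT5M); XmlConvert round-trips them.
$oneMinute = [TimeSpan]::FromMinutes(1)
$frequency = [System.Xml.XmlConvert]::ToTimeSpan($rule.properties.queryFrequency).Add($oneMinute)
$period    = [System.Xml.XmlConvert]::ToTimeSpan($rule.properties.queryPeriod)

# Sentinel rejects a run frequency longer than the lookback period, so if the rule
# already runs as often as it looks back, widen the lookback by the same minute.
if ($frequency -gt $period) { $period = $period.Add($oneMinute) }
$rule.properties.queryFrequency = [System.Xml.XmlConvert]::ToString($frequency)
$rule.properties.queryPeriod    = [System.Xml.XmlConvert]::ToString($period)

# Saving the modified schedule is what triggers the immediate run.
$put = Invoke-AzRestMethod -Path $path -Method PUT -Payload ($rule | ConvertTo-Json -Depth 20)
if ($put.StatusCode -notin 200, 201) { throw "PUT failed: $($put.StatusCode) $($put.Content)" }
Write-Host "Saved '$($rule.properties.displayName)' with queryFrequency $($rule.properties.queryFrequency); refresh the Incidents blade in a few seconds."
```

Remember to put the schedule back once you have your Incident, since the rule keeps running at the nudged cadence until you do.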
