An Analytics Rule to Report on Analytics Rules in Microsoft Sentinel

With the public preview release of our Microsoft Sentinel Health Monitoring capability, this gives customers the ability to monitor more about the tool’s environment than just Data Connectors and ingestion failures. It also provides a way to create alerts when Analytics Rules fail – or partially fail – to fire.

The following query can be used to create a Scheduled Analytics Rule that runs each day to report on Analytics Rule failures.

SentinelHealth
| where TimeGenerated >= ago(1d)
| where OperationName == "Scheduled analytics rule run"
| where Status == "Failure"

Personally, I prefer to report on outright failures, but you may be so inclined to report on more including Partial Success. Partial Success is used to report on things like mismatched entities (i.e., a possibly badly written Analytics Rule). Details on the options are available on the SentinelHealth logs reference page: https://rodtrent.com/xes.

The following image shows how the Analytics Rule is configured. Everything else is default. I do run this every day, looking back through the last 24 hours of data.

One thing I do want to highlight about the rule’s configuration is the Alert Enrichment section. To get the actual Analytics Rule’s name(s) that failed as an Entity in the Incident, I’m assigning it as an Account (Account-Name-SentinelResourceName).

If you choose to query against Partial Success even this rule will be reported as suspect when the rule fires off due to the Entity mismatch. Just be aware of that.

A big reason why I chose to configure the Analytics Rule name as an Entity is so that I can monitor the history of failures for each failed rule using the built-in Entity Behavior, shown in the next image.

Entity Behavior for Analytics Rule Failures

To determine what the actual issue is with the Analytic Rule(s), you can find the description in the Extended Properties-Issues through the Alert query…

Author