Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

List Analytics Rules Failures

Wayne Andes 2 min read

Description

This KQL query check for failures in Analytics Rules.

Query

Microsoft Sentinel
Kusto
SentinelHealth
| where TimeGenerated > ago(30d)
| where Status == "Failure"
| where SentinelResourceType == "Analytics Rule"
| where ExtendedProperties !contains "TemporaryIssuesDelay"
| summarize Count=count() by SentinelResourceName, Issue=tostring(ExtendedProperties.Issues)
| project SentinelResourceName, Count, Issue

References

You May Also Like

Hunt For Newly Identified Lateral Movement Paths To Sensitive Accounts

Wayne Andes

List Data Connector Changed From Success To Failed State

Wayne Andes

Detect PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *