Thank you for your post!
I understand that you're trying to see the history of a custom analytics rule within Microsoft Sentinel to determine who created it and when it was created. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
- To locate the history of an Analytics rule definition such as who created it or when it was created, you should be able to leverage the SentinelAudit table to search for these events. For more info - SentinelAudit table columns schema.
When it comes to a KQL query to notify you when an analytics alert rule is created and who created it - I created a template query that will hopefully help point you in the right direction.
Create a custom analytics rule with a scheduled query:
- From the Microsoft Sentinel navigation menu, select Analytics.
- In the action bar at the top, select +Create and select Scheduled query rule. This opens the Analytics rule wizard.
- Once on the Set rule logic tab, you can input the query below to hopefully help.
- Use the Entity mapping configuration as needed to map parameters from the query to Microsoft Sentinel.
//This query uses the SentinelAudit table
//Searching for any ...alertRules/Write operations, which indicate a create or update of an alert rule
//The query will project the time, who performed the operation, the analytics rule name and type, and the resulting rule state.
SentinelAudit
| where OperationName == "Microsoft.SecurityInsights/alertRules/Write"
| project TimeGenerated,
          CallerName = tostring(ExtendedProperties.CallerName),
          SentinelResourceName,
          SentinelResourceType,
          UpdatedResourceState = ExtendedProperties.UpdatedResourceState
Additional Links:
- Understanding SentinelHealth and SentinelAudit table events
- Create a custom analytics rule with a scheduled query
- SentinelAudit table columns schema
- SentinelAudit table columns schema - Extended properties
- Microsoft.SecurityInsights
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
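An added example (not part of the answer above) that takes the same SentinelAudit approach one step further: it classifies each recent alertRules/Write as a "Create" or an "Update" by checking whether the same rule had an earlier write in a longer lookback window, which is the distinction a scheduled notification rule usually needs. It assumes SentinelAudit exposes a SentinelResourceId column and that ExtendedProperties carries a CallerIpAddress field; the OperationName and CallerName/UpdatedResourceState fields come from the answer.

```kql
// Added example, not from the original answer.
// Classify alertRules/Write events as Create vs Update using the earliest write seen per rule.
let lookback = 90d;      // history used to decide whether a rule already existed
let alert_window = 1h;   // match this to the scheduled rule's query frequency / lookup period
let rule_writes = SentinelAudit
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Microsoft.SecurityInsights/alertRules/Write"
    | extend CallerName = tostring(ExtendedProperties.CallerName),
             // assumption: CallerIpAddress is present in ExtendedProperties
             CallerIp = tostring(ExtendedProperties.CallerIpAddress);
// First write per rule within the lookback window (assumes SentinelResourceId identifies the rule)
let first_seen = rule_writes
    | summarize FirstWrite = min(TimeGenerated) by SentinelResourceId;
rule_writes
| where TimeGenerated > ago(alert_window)
| join kind=inner first_seen on SentinelResourceId
// A rule created before the lookback window has no matching FirstWrite and is reported as Update,
// which is the correct outcome for a notification rule.
| extend ChangeType = iff(TimeGenerated == FirstWrite, "Create", "Update")
| project TimeGenerated, ChangeType, SentinelResourceName, SentinelResourceId,
          CallerName, CallerIp,
          UpdatedResourceState = ExtendedProperties.UpdatedResourceState
| order by TimeGenerated desc
```

When used in the rule wizard, set the query frequency and lookup period to the same value as alert_window so no write is missed or double-reported; entity mapping can then map CallerName to an Account entity and CallerIp to an IP entity.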