Merge pull request #226675 from yelevin/yelevin/analytics-health-and-audit

Analytics health and audit additions

Author: v-regandowner

articles/sentinel/health-audit.md

@@ -64,7 +64,7 @@ To start collecting health and audit data, you need to [enable health and audit
 - Run queries on the *SentinelHealth* and *SentinelAudit* data tables from the Microsoft Sentinel **Logs** blade.
     - [Data connectors](monitor-data-connector-health.md#run-queries-to-detect-health-drifts)
     - [Automation rules and playbooks](monitor-automation-health.md#get-the-complete-automation-picture) (join query with Azure Logic Apps diagnostics)
-    - [Analytics rules](monitor-analytics-rule-integrity.md)
+    - [Analytics rules](monitor-analytics-rule-integrity.md#run-queries-to-detect-health-and-integrity-issues)
 
 - Use the health monitoring workbooks provided in Microsoft Sentinel.
     - [Data connectors](monitor-data-connector-health.md#use-the-health-monitoring-workbook)

articles/sentinel/monitor-analytics-rule-integrity.md

@@ -56,6 +56,80 @@ The following types of analytics rule audit events are logged in the *SentinelAu
 
     For more information, see [SentinelAudit table columns schema](audit-table-reference.md#sentinelaudit-table-columns-schema).
 
+### Run queries to detect health and integrity issues
+
+For best results, you should build your queries on the **pre-built functions** on these tables, ***_SentinelHealth()*** and ***_SentinelAudit()***, instead of querying the tables directly. These functions ensure the maintenance of your queries' backward compatibility in the event of changes being made to the schema of the tables themselves.
+
+As a first step, your queries should filter the tables for data related to analytics rules. Use the `SentinelResourceType` parameter.
+
+```kusto
+_SentinelHealth()
+| where SentinelResourceType == "Analytics Rule"
+```
+
+If you want, you can further filter the list for a particular kind of analytics rule. Use the `SentinelResourceKind` parameter for this.
+
+```kusto
+| where SentinelResourceKind == "Scheduled"
+
+# OR
+
+| where SentinelResourceKind == "NRT"
+```
+
+Here are some sample queries to help you get started:
+
+- Find rules that didn't run successfully:
+
+    ```kusto
+    _SentinelHealth()
+    | where SentinelResourceType == "Analytics Rule"
+    | where Status != "Success"
+    ``` 
+
+- Find rules that have been "[auto-disabled](detect-threats-custom.md#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name)":
+
+    ```kusto
+    _SentinelHealth()
+    | where SentinelResourceType == "Analytics Rule"
+    | where Reason == "The analytics rule is disabled and was not executed."
+    ``` 
+
+- Count the rules and runnings that succeeded or failed, by reason:
+
+    ```kusto
+    _SentinelHealth()
+    | where SentinelResourceType == "Analytics Rule"
+    | summarize Occurrence=count(), Unique_rule=dcount(SentinelResourceId) by Status, Reason
+    ``` 
+ 
+- Find rule deletion activity:
+
+    ```kusto
+    _SentinelAudit()
+    | where SentinelResourceType =="Analytic Rule"
+    | where Description =="Analytics rule deleted"
+    ```
+
+- Find activity on rules, by rule name and activity name:
+
+    ```kusto
+    _SentinelAudit()
+    | where SentinelResourceType =="Analytic Rule"
+    | summarize Count= count() by RuleName=SentinelResourceName, Activity=Description
+    ```
+
+- Find activity on rules, by caller name (the identity that performed the activity):
+
+    ```kusto
+    _SentinelAudit()
+    | where SentinelResourceType =="Analytic Rule"
+    | extend Caller= tostring(ExtendedProperties.CallerName)
+    | summarize Count = count() by Caller, Activity=Description
+    ```
+
+ 
+
 ### Statuses, errors and suggested steps
 
 For either **Scheduled analytics rule run** or **NRT analytics rule run**, you may see any of the following statuses and descriptions:

articles/sentinel/whats-new.md

@@ -19,10 +19,19 @@ See these [important announcements](#announcements) about recent changes to feat
 
 ## February 2023
 
+- [Audit and monitor the health of your analytics rules (Preview)](#audit-and-monitor-the-health-of-your-analytics-rules-preview)
 - [New behavior for alert grouping in analytics rules](#new-behavior-for-alert-grouping-in-analytics-rules) (in [Announcements](#announcements) section below)
 - [Microsoft 365 Defender data connector is now generally available](#microsoft-365-defender-data-connector-is-now-generally-available)
 - [Advanced scheduling for analytics rules (Preview)](#advanced-scheduling-for-analytics-rules-preview)
 
+### Audit and monitor the health of your analytics rules (Preview)
+
+Microsoft Sentinel's **health monitoring feature is now available for analytics rules** in addition to automation rules, playbooks, and data connectors. Also now available for the first time, and currently only for analytics rules, is Microsoft Sentinel's **audit feature**. The audit feature collects information about any changes made to Sentinel resources (analytics rules) so that you can discover any unauthorized actions or tampering with the service.
+
+Learn more about [auditing and health monitoring in Microsoft Sentinel](health-audit.md):
+- [Turn on auditing and health monitoring for Microsoft Sentinel (preview)](enable-monitoring.md)
+- [Monitor the health and audit the integrity of your analytics rules](monitor-analytics-rule-integrity.md)
+
 ### Microsoft 365 Defender data connector is now generally available
 
 Microsoft 365 Defender incidents, alerts, and raw event data can be ingested into Microsoft Sentinel using this connector. It also enables the bi-directional synchronization of incidents between Microsoft 365 Defender and Microsoft Sentinel. This integration allows you to manage all of your incidents in Microsoft Sentinel, while taking advantage of Microsoft 365 Defender's specialized tools and capabilities to investigate those incidents that originated in Microsoft 365.