By Rod Trent and Azure Sentinel News
Rare? Yes…this is a rare enough situation that I’ve only recently seen once – and only recently. And, thanks to a customer exposing me to this occurrence, I’m a bit smarter.
I love it when I get to learn new things about Azure Sentinel.
As shown in the image, a customer had located several Scheduled Analytics Rules that had been Auto-disable in the system.
I had never, ever seen this before – so I was left scratching my head and had to seek internal counsel. I even assumed (incorrectly) that this might be due to the situation where enabling one of the new, combined Defender-type Analytics Rules would disable legacy rules if configured to do so. (See: How to Reenable Analytics Rules Disabled by Enabling the Microsoft 365 Defender (Preview) Alerts)
But, no. This situation is documented at the following link and worth calling out in the event you see this yourself.
Issue: A scheduled rule failed to execute, or appears with AUTO DISABLED added to the name: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
More specifically, at the provided link, look at the Permanent failure – rule auto-disabled section. It lists the following as some of the reasons behind the permanent failure:
- The target workspace (on which the rule query operated) has been deleted.
- The target table (on which the rule query operated) has been deleted.
- Azure Sentinel had been removed from the target workspace.
- A function used by the rule query is no longer valid; it has been either modified or removed.
- Permissions to one of the data sources of the rule query were changed.
- One of the data sources of the rule query was deleted or disconnected.
Essentially, these rules were not able to execute for some reason. And after a predetermined number of failures, the rule is disabled and the AUTO DISABLED indicator is inserted into the Analytics Rule title for easy identification. Knowing this, you will need to be aware if this happens and be on the lookout for issues with Scheduled Analytics Rules.
Again, this is such a rare occurrence I’ve only seen it once, but it could happen, considering the reasons are self-inflicted.