You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?
In Azure Sentinel (now Microsoft Sentinel), a scheduled analytics rule is automatically disabled, and its name prefixed with "AUTO DISABLED", after consecutive permanent failures: failures caused by a change in the conditions the rule needs to run that cannot resolve itself without human intervention. One such cause is a change to the permissions on one of the data sources the rule query reads, which stops the rule from accessing the data it needs. Transient failures, such as connectivity problems between the data sources and Log Analytics or a query that runs too long and times out, do not trigger the auto-disable; Sentinel simply retries the rule on its next scheduled run. Once the permanent cause is fixed (here, the permissions restored), the rule has to be re-enabled by hand; the prefix is not removed automatically.
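The practical check that follows from this, as an added example that is not part of the original page: list the rules in a workspace, separate the ones Sentinel auto-disabled (name prefixed "AUTO DISABLED") from the ones someone switched off by hand (disabled, no prefix), and pull out the tables or saved functions each auto-disabled query reads, since those are exactly the objects whose deletion or permission change produces a permanent failure. The script assumes the JSON shape of the Azure REST `alertRules` list response (`value[].name`, `value[].properties.displayName`, `.enabled`, `.query`); the payload below is constructed, and the KQL source extraction is a best-effort regex, not a KQL parser.

```python
"""Triage Microsoft Sentinel scheduled rules that were auto-disabled.

Added example, not code from the original page. Assumes the field layout of
the Azure REST alertRules list response; SAMPLE_RULES is a constructed payload.
"""
import re
from typing import Dict, List

AUTO_DISABLED_PREFIX = "AUTO DISABLED"

# Constructed sample, trimmed to the fields this script uses.
SAMPLE_RULES = {
    "value": [
        {"name": "rule-0001", "kind": "Scheduled", "properties": {
            "displayName": "AUTO DISABLED Suspicious sign-ins from new country",
            "enabled": False,
            "query": "SigninLogs\n| where ResultType == 0\n| summarize count() by UserPrincipalName, Location"}},
        {"name": "rule-0002", "kind": "Scheduled", "properties": {
            "displayName": "Brute force against Azure AD",
            "enabled": False,           # disabled by an operator: no prefix
            "query": "SigninLogs\n| where ResultType == 50126"}},
        {"name": "rule-0003", "kind": "Scheduled", "properties": {
            "displayName": "AUTO DISABLED Lateral movement via admin shares",
            "enabled": False,
            "query": "SecurityEvent\n| where EventID == 5140\n"
                     "| join kind=inner (IdentityInfo | project AccountUPN, Department) on $left.Account == $right.AccountUPN"}},
        {"name": "rule-0004", "kind": "Scheduled", "properties": {
            "displayName": "Rare process by privileged user",
            "enabled": True,
            "query": "union isfuzzy=true SecurityEvent, Syslog\n| where EventID == 4688"}},
    ]
}

# Leading identifier of the query; skipped when it is an operator keyword.
_LEADING = re.compile(r"\s*([A-Za-z_]\w*)")
_LEADING_KEYWORDS = {"let", "union", "search", "print", "range", "datatable", "find", "externaldata"}
# Operand(s) of 'join' / 'union': optional name=value params, optional '(',
# then one table or a comma-separated list of tables.
_OPERAND = re.compile(
    r"\b(?:join|union)\b\s*(?:\w+\s*=\s*\w+\s*)*\(?\s*"
    r"([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)"
)


def referenced_sources(query: str) -> List[str]:
    """Best-effort list of tables (or saved functions) a KQL query reads.

    A leading identifier may be a Log Analytics function rather than a table;
    both are worth checking, since a modified or removed function is also a
    permanent-failure cause. Order is preserved, duplicates dropped.
    """
    found: List[str] = []
    lead = _LEADING.match(query)
    if lead and lead.group(1) not in _LEADING_KEYWORDS:
        found.append(lead.group(1))
    for m in _OPERAND.finditer(query):
        found.extend(t.strip() for t in m.group(1).split(","))
    return list(dict.fromkeys(found))


def classify(rule: Dict) -> str:
    """Distinguish Sentinel's auto-disable from an operator switching a rule off."""
    props = rule.get("properties", {})
    prefixed = props.get("displayName", "").startswith(AUTO_DISABLED_PREFIX)
    enabled = bool(props.get("enabled", False))
    if prefixed:
        return "auto-disabled" if not enabled else "auto-disabled-then-re-enabled"
    return "enabled" if enabled else "manually-disabled"


def triage_auto_disabled(rules_response: Dict) -> List[Dict]:
    """Return, for every auto-disabled rule, the objects to verify before re-enabling it."""
    findings = []
    for rule in rules_response.get("value", []):
        if not classify(rule).startswith("auto-disabled"):
            continue
        props = rule["properties"]
        findings.append({
            "rule_id": rule.get("name"),
            "original_name": props["displayName"][len(AUTO_DISABLED_PREFIX):].strip(),
            "sources": referenced_sources(props.get("query", "")),
        })
    return findings


if __name__ == "__main__":
    for f in triage_auto_disabled(SAMPLE_RULES):
        print(f"{f['rule_id']}: {f['original_name']}")
        for src in f["sources"]:
            print(f"  check '{src}': still exists? read permission for the rule's identity? not a changed function?")
```

Feed it the real response from `GET .../providers/Microsoft.SecurityInsights/alertRules` (or the equivalent `Get-AzSentinelAlertRule` output mapped to the same fields) and the output is the list of tables and functions to verify before re-enabling each rule and stripping the prefix.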
D - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
Correct answer is D. Permanent failure - rule auto-disabled, due to the following reasons:
- The target workspace (on which the rule query operated) has been deleted.
- The target table (on which the rule query operated) has been deleted.
- Microsoft Sentinel had been removed from the target workspace.
- A function used by the rule query is no longer valid; it has been either modified or removed.
- Permissions to one of the data sources of the rule query were changed.
- One of the data sources of the rule query was deleted or disconnected.
From the article: Permanent failure - rule auto-disabled: - Permissions to one of the data sources of the rule query were changed.
Correct answer - D. Permission change stopped rule from connecting.
Other Exam, Transient failure: A and C
Answer is C, not D.
A permanent failure occurs due to a change in the conditions that allow the rule to run, which without human intervention can't return to their former status. The following are some examples of failures that are classified as permanent:
- The target workspace (on which the rule query operated) was deleted.
- The target table (on which the rule query operated) was deleted.
- Microsoft Sentinel was removed from the target workspace.
- A function used by the rule query is no longer valid; it was either modified or removed.
- Permissions to one of the data sources of the rule query were changed (see example).
- One of the data sources of the rule query was deleted.
https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules
"A function used by the rule query is no longer valid; it has been either modified or removed." - Permanent failure, rule auto-disabled. Correct. For transient failure there are two reasons, and both are listed:
- A rule query takes too long to run and times out.
- Connectivity issues between data sources and Log Analytics, or between Log Analytics and Microsoft Sentinel.
Any other new and unknown failure is considered transient.
Option D. I think it is option D, as both options A and C are for transient failures and the question asks to pick one option. Also, the question says the rule stopped, while with a transient failure Sentinel tries again to run the rule.
Correct D.
Correct
The possible cause of the issue is D. Permissions to one of the data sources of the rule query were modified. Option C is not correct because the rule query timeout does not cause a rule to be disabled. The default timeout for a rule query is 10 minutes, but it can be extended up to 60 minutes by using the query_timeout parameter in the advanced settings. If a query exceeds the timeout limit, it will fail and generate an error, but it will not disable the rule.
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#permanent-failure---rule-auto-disabled
Correct: A, C, D.
Transient reasons:
- A rule query takes too long to run and times out.
- Connectivity issues between data sources and Log Analytics, or between Log Analytics and Microsoft Sentinel.
- Any other new and unknown failure is considered transient.
Permanent reasons:
- The target workspace (on which the rule query operated) has been deleted.
- The target table (on which the rule query operated) has been deleted.
- Microsoft Sentinel had been removed from the target workspace.
- A function used by the rule query is no longer valid; it has been either modified or removed.
- Permissions to one of the data sources of the rule query were changed.
- One of the data sources of the rule query was deleted.
Source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
D is correct.
D is the correct answer. This is a permanent failure. A and C are Transient failure
Answer is C. "A rule query takes too long to run and times out."
Answer is D. A and C are "transient failures": "In a transient failure, Azure Sentinel continues trying to execute." The question states "You discover that the analytics rule stopped running." D is a "Permanent failure - rule auto-disabled": "In consecutive permanent failures, Azure Sentinel stops trying to execute..." and adds the words "AUTO DISABLED".