Why might a custom analytics rule in Azure Sentinel be prefixed with "AUTO DISABLED"?


Enhance your cybersecurity skills with the Microsoft Security Operations Analyst (SC-200) Exam. Explore topics with multiple choice questions and detailed explanations. Prepare effectively and become a certified Security Operations Analyst!

A custom analytics rule in Azure Sentinel may be prefixed with "AUTO DISABLED" to indicate that permissions to one or more of the data sources the rule's query relies on have changed. The automatic disabling mechanism stops a rule from continuing to run when it can no longer access the data it needs for detection. Once permissions to those data sources are modified, the rule can no longer execute its query successfully, so Sentinel disables it automatically and marks it with the prefix.

This safety feature helps maintain the integrity of security operations by ensuring that alerts are not generated from incomplete or unreliable data. If a rule cannot access critical logs or telemetry because of a permission change, security incidents could go undetected. The "AUTO DISABLED" prefix is therefore an important indicator for security analysts: it tells them to investigate potential permission issues, restore the necessary access, and then re-enable the rule.
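As an added example (not part of the original answer), the following PowerShell uses the Az.SecurityInsights module to enumerate analytics rules whose display name carries the "AUTO DISABLED" prefix, so an analyst can review data-source permissions before anything is re-enabled. The resource group and workspace names are placeholders.

```powershell
# Added example: list Microsoft Sentinel analytics rules that Sentinel disabled itself.
# Assumes the Az.Accounts and Az.SecurityInsights modules are installed and you have
# already signed in with Connect-AzAccount.
# Placeholder values: replace with your own resource group and Log Analytics workspace.
$ResourceGroupName = 'rg-sentinel-placeholder'
$WorkspaceName     = 'law-sentinel-placeholder'

$rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName

# Sentinel prepends "AUTO DISABLED" to the display name when it disables a rule on its own,
# which distinguishes these rules from ones an analyst disabled deliberately.
$autoDisabled = $rules | Where-Object { $_.DisplayName -like 'AUTO DISABLED*' }

if (-not $autoDisabled) {
    Write-Output 'No auto-disabled analytics rules found.'
    return
}

# Report what needs investigating. The rules are not re-enabled here on purpose:
# they would simply fail again until access to the referenced data sources is restored.
$autoDisabled |
    Select-Object DisplayName, Kind, Enabled, Name |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# After permissions have been fixed, an individual rule can be turned back on with, for example:
#   Update-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
#       -RuleId '<rule Name from the table above>' -Enabled
```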
