Create Or Update Saved Searches
Description

Create or update saved searches in Microsoft Azure Sentinel, including resource group, search ID, subscription, workspace, and properties.

Endpoint

- URL: `/subscriptions/{{subscriptionId}}/resourcegroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/savedSearches/{{savedSearchId}}`
- Method: PUT

Inputs

- path_parameters (object) – required
  - resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
  - savedSearchId (string) – required: The ID of the saved search.
  - subscriptionId (string) – required: The ID of the target subscription.
  - workspaceName (string) – required: The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$`
- parameters (object) – required
  - api-version (string) – required: The API version to use for this operation.
- json_body (object) – required
  - etag (string): The ETag of the saved search. To override an existing saved search, use "*" or specify the current ETag.
  - properties (object) – required
    - category (string) – required: The category of the saved search. This helps the user to find a saved search faster.
    - displayName (string) – required: Saved search display name.
    - functionAlias (string): The function alias if query serves as a function.
    - functionParameters (string): The optional function parameters if query serves as a function.
    - query (string) – required: The query expression for the saved search.
    - tags (array): The tags attached to the saved search.
      - name (string)
      - value (string)
    - version (number): The version number of the query language. The current version is 2 and is the default.

Output example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "x-ms-ratelimit-remaining-subscription-writes": "1199",
      "Request-Context": "appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Access-Control-Allow-Origin": "*",
      "X-Powered-By": "ASP.NET",
      "x-ms-request-id": "23dc562b-c32f-4155-ae6a-81f1f7962b77",
      "x-ms-correlation-request-id": "23dc562b-c32f-4155-ae6a-81f1f7962b77",
      "x-ms-routing-request-id": "JIOINDIACENTRAL:20230810T104018Z:23dc562b-c32f-4155-ae6a-81f1f7962b77",
      "Date": "Thu, 10 Aug 2023 10:40:18 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/38d4cde9-8ef2-4c61-bc61-7fa8658ab74b/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/00000000-0000-0000-0000-00000000000",
      "etag": "W/\"datetime'2023-08-10T10%3A40%3A18.6215548Z'\"",
      "properties": {
        "category": "Saved Search Test Category",
        "displayName": "Create or Update Saved Search Test",
        "query": "Heartbeat | summarize Count() by Computer | take a",
        "version": 2
      }
    }
  }
]
```

Output parameters

- status_code (number)
- reason (string)
- json_body (object)
  - id (string)
  - etag (string)
  - properties (object)
    - category (string)
    - displayName (string)
    - query (string)
    - version (number)

Response headers

| Header | Type |
| --- | --- |
| Cache-Control | string |
| Pragma | string |
| Transfer-Encoding | string |
| Content-Type | string |
| Content-Encoding | string |
| Expires | string |
| Vary | string |
| x-ms-ratelimit-remaining-subscription-writes | string |
| Request-Context | string |
| X-Content-Type-Options | string |
| Strict-Transport-Security | string |
| Access-Control-Allow-Origin | string |
| X-Powered-By | string |
| x-ms-request-id | string |
| x-ms-correlation-request-id | string |
| x-ms-routing-request-id | string |
| Date | string |
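The inputs above can be checked before the PUT is issued. The following is an added example, not part of the connector or of the original page: the function name `build_saved_search_put` is hypothetical, and it only validates the documented inputs and assembles the request pieces without sending anything.

```python
import re
from urllib.parse import quote

# Workspace-name pattern from the workspaceName description on this page.
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
PATH_KEYS = ("subscriptionId", "resourceGroupName", "workspaceName", "savedSearchId")
REQUIRED_PROPS = ("category", "displayName", "query")
PATH_TEMPLATE = (
    "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}"
    "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
    "/savedSearches/{savedSearchId}"
)


def build_saved_search_put(path_parameters, api_version, properties, etag=None):
    """Validate the action's inputs; return (method, path, query, json_body).

    Hypothetical helper: nothing is sent, the caller passes the result
    to its own authenticated HTTP client.
    """
    missing = [k for k in PATH_KEYS if not path_parameters.get(k)]
    if missing:
        raise ValueError(f"missing path parameters: {missing}")
    if not WORKSPACE_RE.fullmatch(path_parameters["workspaceName"]):
        raise ValueError("workspaceName does not match the documented pattern")
    absent = [k for k in REQUIRED_PROPS if not properties.get(k)]
    if absent:
        raise ValueError(f"missing required properties: {absent}")
    # Percent-encode every segment so a value containing '/' or '?'
    # cannot point the PUT at a different resource path.
    path = PATH_TEMPLATE.format(
        **{k: quote(str(path_parameters[k]), safe="") for k in PATH_KEYS})
    # Query-language version 2 is the documented default; caller may override.
    body = {"properties": {"version": 2, **properties}}
    if etag is not None:
        body["etag"] = etag  # "*" overrides an existing saved search
    return "PUT", path, {"api-version": api_version}, body
```

Passing the `etag` returned by an earlier read instead of `"*"` makes the update conditional on the saved search not having changed in between.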