List Alert Rules
Description: Retrieve all alert rules from a specified Microsoft Azure Sentinel workspace. Requires the subscription ID, the resource group name, and the workspace name. Endpoint URL: /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft.operationalinsights/workspaces/{{workspacename}}/providers/microsoft.securityinsights/alertrules Method: GET Inputs: parameters (object) – required. api version (string) – required: the API version to use for this operation. path parameters (object) – required. subscriptionid (string) – required: the ID of the target subscription. resourcegroupname (string) – required: the name of the resource group; the name is case-insensitive. workspacename (string) – required: the name of the workspace; must match the regex pattern ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$ (letters, digits and hyphens, beginning and ending with a letter or digit). Output example (sample response as extracted; the colons between keys and values, and the hyphens in header names, IDs and timestamps, have been lost): \[ { "status code" 200, "response headers" { "cache control" "no store, no cache", "pragma" "no cache", "content type" "application/json; charset=utf 8", "expires" " 1", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "p3p" "cp=\\"dsp cur otpi ind otri onl fin\\"", "x ms request id" "f04749a8 b1d4 42ed a64d 7c0cab024e00", "x ms ests server" "2 1 18261 3 eus prodslices", "x ms srs" "1 p", "x xss protection" "0", "set cookie" "fpc=ajlweeqe3n5asdykcuumbb5d3sw4aqaaak9y 90oaaaa; expires=fri, 12 jul 2024 10 42 55 gmt; path=/; secure; httponly; samesite=none, x ms gateway slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly", "date" "wed, 12 jun 2024 10 42 55 gmt", "content length" "695" }, "reason" "unauthorized", "json body" { "value" \[ { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/providers/microsoft operationalinsights/workspaces/myworkspace/providers/microsoft securityinsights/alertrules/73e01a99 5cd7 4139 a149 9f2736ff2ab5", "name" "73e01a99 5cd7 4139 a149 9f2736ff2ab5", "type" "microsoft securityinsights/alertrules", 
"kind" "scheduled", "etag" "\\"0300bf09 0000 0000 0000 5c37296e0000\\"", "properties" { "alertruletemplatename" null, "displayname" "my scheduled rule", "description" "an example for a scheduled rule", "severity" "high", "enabled" true, "tactics" \[ "persistence", "lateralmovement" ], "query" "heartbeat", "queryfrequency" "pt1h", "queryperiod" "p2dt1h30m", "triggeroperator" "greaterthan", "triggerthreshold" 0, "suppressionduration" "pt1h", "suppressionenabled" false, "lastmodifiedutc" "2021 03 01t13 17 30z", "eventgroupingsettings" { "aggregationkind" "alertperresult" }, "customdetails" { "operatingsystemname" "osname", "operatingsystemtype" "ostype" }, "entitymappings" \[ { "entitytype" "host", "fieldmappings" \[ { "identifier" "fullname", "columnname" "computer" } ] }, { "entitytype" "ip", "fieldmappings" \[ { "identifier" "address", "columnname" "computerip" } ] } ], "alertdetailsoverride" { "alertdisplaynameformat" "alert from {{computer}}", "alertdescriptionformat" "suspicious activity was made by {{computerip}}", "alerttacticscolumnname" null, "alertseveritycolumnname" null }, "incidentconfiguration" { "createincident" true, "groupingconfiguration" { "enabled" true, "reopenclosedincident" false, "lookbackduration" "pt5h", "matchingmethod" "selected", "groupbyentities" \[ "host" ], "groupbyalertdetails" \[ "displayname" ], "groupbycustomdetails" \[ "operatingsystemtype", "operatingsystemname" ] } } } }, { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/providers/microsoft operationalinsights/workspaces/myworkspace/providers/microsoft securityinsights/alertrules/microsoftsecurityincidentcreationruleexample", "name" "microsoftsecurityincidentcreationruleexample", "etag" "\\"260097e0 0000 0d00 0000 5d6fa88f0000\\"", "type" "microsoft securityinsights/alertrules", "kind" "microsoftsecurityincidentcreation", "properties" { "productfilter" "microsoft cloud app security", "severitiesfilter" null, "displaynamesfilter" null, "displayname" 
"testing displayname", "enabled" true, "description" null, "alertruletemplatename" null, "lastmodifiedutc" "2019 09 04t12 05 35 7296311z" } }, { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/providers/microsoft operationalinsights/workspaces/myworkspace/providers/microsoft securityinsights/alertrules/myfirstfusionrule", "name" "myfirstfusionrule", "etag" "\\"25005c11 0000 0d00 0000 5d6cc0e20000\\"", "type" "microsoft securityinsights/alertrules", "kind" "fusion", "properties" { "displayname" "advanced multi stage attack detection", "description" "in this mode, sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents the system looks at multiple products to produce actionable incidents custom tailored to each tenant, fusion not only reduces false positive rates but also can detect attacks with limited or missing information \nincidents generated by fusion system will encase two or more alerts by design, fusion incidents are low volume, high fidelity and will be high severity, which is why fusion is turned on by default in azure sentinel \n\nfor fusion to work, please configure the following data sources in data connectors tab \nrequired azure active directory identity protection\nrequired microsoft cloud app security\nif available palo alto network\n\nfor full list of scenarios covered by fusion, and detail instructions on how to configure the required data sources, go to aka ms/sentinelfusion", "alertruletemplatename" "f71aba3d 28fb 450b b192 4e76a83015c8", "tactics" \[ "persistence", "lateralmovement", "exfiltration", "commandandcontrol" ], "severity" "high", "enabled" false, "lastmodifiedutc" "2019 09 02t07🕛34 9065092z" } } ] } } ] output parameters status code (number) reason (string) json body (object) value (array) id (string) name (string) type (string) kind (string) etag (string) properties (object) displayname (string) 
description (string) alertruletemplatename (string) tactics (array) severity (string) enabled (boolean) lastmodifiedutc (string) Response headers (header – type): cache-control – string; pragma – string; content-type – string; expires – string; strict-transport-security – string; x-content-type-options – string; p3p – string; x-ms-request-id – string; x-ms-ests-server – string; x-ms-srs – string; x-xss-protection – string; set-cookie – string; date – string; content-length – string