Alert Rules - List

Gets all alert rules.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-10-01

URI Parameters

Name In Required Type Description
resourceGroupName
path True
  • string

The name of the resource group. The name is case insensitive.

subscriptionId
path True
  • string

The ID of the target subscription.

workspaceName
path True
  • string

The name of the workspace.

api-version
query True
  • string

The API version to use for this operation.

Responses

Name Type Description
200 OK
  • AlertRulesList

OK, Operation successfully completed

Other Status Codes
  • CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get all alert rules.

Sample Request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-10-01

Sample Response

{
  "value": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Scheduled",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {
        "alertRuleTemplateName": null,
        "displayName": "My scheduled rule",
        "description": "An example for a scheduled rule",
        "severity": "High",
        "enabled": true,
        "tactics": [
          "Persistence",
          "LateralMovement"
        ],
        "query": "Heartbeat",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2DT1H30M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "lastModifiedUtc": "2021-03-01T13:17:30Z",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "customDetails": {
          "OperatingSystemName": "OSName",
          "OperatingSystemType": "OSType"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Computer"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "ComputerIP"
              }
            ]
          }
        ],
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Alert from {{Computer}}",
          "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
          "alertTacticsColumnName": null,
          "alertSeverityColumnName": null
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "Selected",
            "groupByEntities": [
              "Host"
            ],
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByCustomDetails": [
              "OperatingSystemType",
              "OperatingSystemName"
            ]
          }
        }
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
      "name": "microsoftSecurityIncidentCreationRuleExample",
      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "productFilter": "Microsoft Cloud App Security",
        "severitiesFilter": null,
        "displayNamesFilter": null,
        "displayName": "testing displayname",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
      "name": "myFirstFusionRule",
      "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {
        "displayName": "Advanced Multi-Stage Attack Detection",
        "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
        "tactics": [
          "Persistence",
          "LateralMovement",
          "Exfiltration",
          "CommandAndControl"
        ],
        "severity": "High",
        "enabled": false,
        "lastModifiedUtc": "2019-09-02T07:12:34.9065092Z"
      }
    }
  ]
}
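As an added example, not part of this page or of Microsoft's own SDKs, the following Python walks a listing shaped like the response above: it follows nextLink across pages (the AlertRulesList field defined under Definitions) and reports the things a defender reviews in an analytics-rule inventory, including the MatchingMethod constraint that Selected needs at least one non-empty groupBy list. The two sample pages and the fetch callback are constructed stand-ins; a real client would GET nextLink with a bearer token obtained through the azure_auth flow.

```python
import re
from typing import Callable, Dict, Iterator, List

ISO_DURATION = re.compile(r"^P(\d+D)?(T(\d+H)?(\d+M)?(\d+S)?)?$")  # PT1H, P2DT1H30M, ...

def is_iso_duration(value: str) -> bool:
    return bool(ISO_DURATION.fullmatch(value)) and not value.endswith(("P", "T"))

def iter_alert_rules(first_page: Dict, fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every rule in an AlertRulesList, following nextLink until the last page."""
    page = first_page
    while True:
        yield from page.get("value", [])
        if not page.get("nextLink"):
            return
        page = fetch(page["nextLink"])

def audit_rule(rule: Dict) -> List[str]:
    """Findings a defender reviews: disabled rules, bad durations, incident/grouping gaps."""
    findings: List[str] = []
    props = rule.get("properties", {})
    if not props.get("enabled", False):
        findings.append("rule is disabled")
    if rule.get("kind") != "Scheduled":
        return findings
    for key in ("queryFrequency", "queryPeriod", "suppressionDuration"):
        if not is_iso_duration(props.get(key, "")):
            findings.append(f"{key} is not an ISO 8601 duration")
    incident = props.get("incidentConfiguration", {})
    if not incident.get("createIncident", False):
        findings.append("alerts will not create incidents")
    grouping = incident.get("groupingConfiguration", {})
    if grouping.get("enabled") and grouping.get("matchingMethod") == "Selected":
        # MatchingMethod Selected requires at least one non-empty groupBy* list.
        if not any(grouping.get(k) for k in ("groupByEntities", "groupByAlertDetails", "groupByCustomDetails")):
            findings.append("matchingMethod Selected but no groupBy* list provided")
    return findings

def audit_listing(first_page: Dict, fetch: Callable[[str], Dict]) -> Dict[str, List[str]]:
    return {r["name"]: audit_rule(r) for r in iter_alert_rules(first_page, fetch)}

# Constructed sample: the page's three rules, abridged and split over two pages to exercise nextLink.
PAGE_2 = {"value": [{"name": "myFirstFusionRule", "kind": "Fusion", "properties": {"enabled": False}}]}
PAGE_1 = {
    "nextLink": "https://example.invalid/alertRules?page=2",  # placeholder continuation URL
    "value": [
        {"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", "kind": "Scheduled", "properties": {
            "enabled": True, "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M",
            "suppressionDuration": "PT1H", "incidentConfiguration": {"createIncident": True,
                "groupingConfiguration": {"enabled": True, "matchingMethod": "Selected",
                                          "groupByEntities": ["Host"]}}}},
        {"name": "microsoftSecurityIncidentCreationRuleExample",
         "kind": "MicrosoftSecurityIncidentCreation", "properties": {"enabled": True}},
    ],
}

def fake_fetch(url: str) -> Dict:  # stands in for an authenticated GET of nextLink
    assert url == PAGE_1["nextLink"]
    return PAGE_2
```

Calling audit_listing(PAGE_1, fake_fetch) returns a name-to-findings map; the disabled Fusion rule is the only one flagged in the constructed sample.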

Definitions

AlertDetailsOverride

Settings for how to dynamically override alert static details

AlertRulesList

List all the alert rules.

AlertSeverity

The severity for alerts created by this alert rule.

CloudError

Error response structure.

CloudErrorBody

Error details.

createdByType

The type of identity that created the resource.

EntityMapping

Single entity mapping for the alert rule

EntityMappingType

The V3 type of the mapped entity

EventGroupingAggregationKind

The event grouping aggregation kinds

EventGroupingSettings

Event grouping settings property bag.

FieldMapping

A single field mapping of the mapped entity

FusionAlertRule

Represents Fusion alert rule.

GroupingConfiguration

Grouping configuration property bag.

IncidentConfiguration

Incident Configuration property bag.

MatchingMethod

Grouping matching method. When the method is Selected, at least one of groupByEntities, groupByAlertDetails or groupByCustomDetails must be provided and non-empty.

MicrosoftSecurityIncidentCreationAlertRule

Represents MicrosoftSecurityIncidentCreation rule.

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

ScheduledAlertRule

Represents scheduled alert rule.

systemData

Metadata pertaining to creation and last modification of the resource.

TriggerOperator

The operation against the threshold that triggers alert rule.

AlertDetailsOverride

Settings for how to dynamically override alert static details

Name Type Description
alertDescriptionFormat
  • string

The format string containing the column name(s) used to override the alert description

alertDisplayNameFormat
  • string

The format string containing the column name(s) used to override the alert name

alertSeverityColumnName
  • string

The column name to take the alert severity from

alertTacticsColumnName
  • string

The column name to take the alert tactics from

AlertRulesList

List all the alert rules.

Name Type Description
nextLink
  • string

URL to fetch the next set of alert rules.

value
  • AlertRule[]

Array of alert rules.

AlertSeverity

The severity for alerts created by this alert rule.

Name Type Description
High
  • string

High severity

Informational
  • string

Informational severity

Low
  • string

Low severity

Medium
  • string

Medium severity

CloudError

Error response structure.

Name Type Description
error
  • CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code
  • string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message
  • string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Name Type Description
Application
  • string
Key
  • string
ManagedIdentity
  • string
User
  • string

EntityMapping

Single entity mapping for the alert rule

Name Type Description
entityType
  • EntityMappingType

The V3 type of the mapped entity

fieldMappings
  • FieldMapping[]

Array of field mappings for the given entity mapping

EntityMappingType

The V3 type of the mapped entity

Name Type Description
Account
  • string

User account entity type

AzureResource
  • string

Azure resource entity type

CloudApplication
  • string

Cloud app entity type

DNS
  • string

DNS entity type

File
  • string

System file entity type

FileHash
  • string

File-hash entity type

Host
  • string

Host entity type

IP
  • string

IP address entity type

MailCluster
  • string

Mail cluster entity type

MailMessage
  • string

Mail message entity type

Mailbox
  • string

Mailbox entity type

Malware
  • string

Malware entity type

Process
  • string

Process entity type

RegistryKey
  • string

Registry key entity type

RegistryValue
  • string

Registry value entity type

SecurityGroup
  • string

Security group entity type

SubmissionMail
  • string

Submission mail entity type

URL
  • string

URL entity type

EventGroupingAggregationKind

The event grouping aggregation kinds

Name Type Description
AlertPerResult
  • string
SingleAlert
  • string

EventGroupingSettings

Event grouping settings property bag.

Name Type Description
aggregationKind
  • EventGroupingAggregationKind

The event grouping aggregation kinds

FieldMapping

A single field mapping of the mapped entity

Name Type Description
columnName
  • string

The column name to be mapped to the identifier

identifier
  • string

The V3 identifier of the entity

FusionAlertRule

Represents Fusion alert rule.

Name Type Description
etag
  • string

ETag of the Azure resource

id
  • string

Fully qualified resource ID for the resource, for example /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

kind string:
  • Fusion

The alert rule kind

name
  • string

The name of the resource

properties.alertRuleTemplateName
  • string

The name of the alert rule template used to create this rule.

properties.description
  • string

The description of the alert rule.

properties.displayName
  • string

The display name for alerts created by this alert rule.

properties.enabled
  • boolean

Determines whether this alert rule is enabled or disabled.

properties.lastModifiedUtc
  • string

The last time that this alert rule was modified.

properties.severity
  • AlertSeverity

The severity for alerts created by this alert rule.

properties.tactics
  • string[]

The tactics of the alert rule

systemData
  • systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type
  • string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

GroupingConfiguration

Grouping configuration property bag.

Name Type Description
enabled
  • boolean

Grouping enabled

groupByAlertDetails
  • string[]

A list of alert details to group by (when matchingMethod is Selected)

groupByCustomDetails
  • string[]

A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.

groupByEntities
  • string[]

A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.

lookbackDuration
  • string

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)

matchingMethod
  • MatchingMethod

Grouping matching method. When the method is Selected, at least one of groupByEntities, groupByAlertDetails or groupByCustomDetails must be provided and non-empty.

reopenClosedIncident
  • boolean

Re-open closed matching incidents

IncidentConfiguration

Incident Configuration property bag.

Name Type Description
createIncident
  • boolean

Create incidents from alerts triggered by this analytics rule

groupingConfiguration
  • GroupingConfiguration

Set how the alerts triggered by this analytics rule are grouped into incidents

MatchingMethod

Grouping matching method. When the method is Selected, at least one of groupByEntities, groupByAlertDetails or groupByCustomDetails must be provided and non-empty.

Name Type Description
AllEntities
  • string

Grouping alerts into a single incident if all the entities match

AnyAlert
  • string

Grouping any alerts triggered by this rule into a single incident

Selected
  • string

Grouping alerts into a single incident if the selected entities, custom details and alert details match

MicrosoftSecurityIncidentCreationAlertRule

Represents MicrosoftSecurityIncidentCreation rule.

Name Type Description
etag
  • string

ETag of the Azure resource

id
  • string

Fully qualified resource ID for the resource, for example /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

kind string:
  • MicrosoftSecurityIncidentCreation

The alert rule kind

name
  • string

The name of the resource

properties.alertRuleTemplateName
  • string

The name of the alert rule template used to create this rule.

properties.description
  • string

The description of the alert rule.

properties.displayName
  • string

The display name for alerts created by this alert rule.

properties.displayNamesExcludeFilter
  • string[]

The alerts' displayNames for which cases will not be generated

properties.displayNamesFilter
  • string[]

The alerts' displayNames for which cases will be generated

properties.enabled
  • boolean

Determines whether this alert rule is enabled or disabled.

properties.lastModifiedUtc
  • string

The last time that this alert rule was modified.

properties.productFilter
  • MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

properties.severitiesFilter
  • string[]

The alerts' severities for which cases will be generated

systemData
  • systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type
  • string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

Name Type Description
Azure Active Directory Identity Protection
  • string
Azure Advanced Threat Protection
  • string
Azure Security Center
  • string
Azure Security Center for IoT
  • string
Microsoft Cloud App Security
  • string

ScheduledAlertRule

Represents scheduled alert rule.

Name Type Description
etag
  • string

ETag of the Azure resource

id
  • string

Fully qualified resource ID for the resource, for example /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

kind string:
  • Scheduled

The alert rule kind

name
  • string

The name of the resource

properties.alertDetailsOverride
  • AlertDetailsOverride

The alert details override settings

properties.alertRuleTemplateName
  • string

The name of the alert rule template used to create this rule.

properties.customDetails
  • object

Dictionary of string key-value pairs of columns to be attached to the alert

properties.description
  • string

The description of the alert rule.

properties.displayName
  • string

The display name for alerts created by this alert rule.

properties.enabled
  • boolean

Determines whether this alert rule is enabled or disabled.

properties.entityMappings
  • EntityMapping[]

Array of the entity mappings of the alert rule

properties.eventGroupingSettings
  • EventGroupingSettings

The event grouping settings.

properties.incidentConfiguration
  • IncidentConfiguration

The settings for incidents created from alerts triggered by this analytics rule

properties.lastModifiedUtc
  • string

The last time that this alert rule has been modified.

properties.query
  • string

The query that creates alerts for this rule.

properties.queryFrequency
  • string

The frequency (in ISO 8601 duration format) for this alert rule to run.

properties.queryPeriod
  • string

The period (in ISO 8601 duration format) that this alert rule looks at.

properties.severity
  • AlertSeverity

The severity for alerts created by this alert rule.

properties.suppressionDuration
  • string

The suppression duration (in ISO 8601 duration format) to wait since the last time this alert rule was triggered.

properties.suppressionEnabled
  • boolean

Determines whether the suppression for this alert rule is enabled or disabled.

properties.tactics
  • string[]

The tactics of the alert rule

properties.templateVersion
  • string

The version of the alert rule template used to create this rule, in the format <a.b.c> where a, b and c are numbers, for example <1.0.2>

properties.triggerOperator
  • TriggerOperator

The operation against the threshold that triggers alert rule.

properties.triggerThreshold
  • integer

The threshold that triggers this alert rule.

systemData
  • systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type
  • string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt
  • string

The timestamp of resource creation (UTC).

createdBy
  • string

The identity that created the resource.

createdByType
  • createdByType

The type of identity that created the resource.

lastModifiedAt
  • string

The timestamp of resource last modification (UTC)

lastModifiedBy
  • string

The identity that last modified the resource.

lastModifiedByType
  • createdByType

The type of identity that last modified the resource.

TriggerOperator

The operation against the threshold that triggers alert rule.

Name Type Description
Equal
  • string
GreaterThan
  • string
LessThan
  • string
NotEqual
  • string