Alert Rule Templates - Get

Gets the alert rule template.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}?api-version=2024-09-01

URI Parameters

Name In Required Type Description
alertRuleTemplateId
path True

string

Alert rule template ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK AlertRuleTemplate:

OK, Operation successfully completed

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get alert rule template by Id.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
  "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
  "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
  "kind": "Scheduled",
  "properties": {
    "severity": "Low",
    "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
    "queryFrequency": "P1D",
    "queryPeriod": "P1D",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "displayName": "Changes to Amazon VPC settings",
    "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
    "eventGroupingSettings": {
      "aggregationKind": "AlertPerResult"
    },
    "tactics": [
      "PrivilegeEscalation",
      "LateralMovement"
    ],
    "lastUpdatedDateUTC": "2021-02-27T10:00:00Z",
    "createdDateUTC": "2019-02-27T00:00:00Z",
    "status": "Available",
    "version": "1.0.2",
    "requiredDataConnectors": [
      {
        "connectorId": "AWS",
        "dataTypes": [
          "AWSCloudTrail"
        ]
      }
    ],
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [
          {
            "identifier": "FullName",
            "columnName": "AccountCustomEntity"
          }
        ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [
          {
            "identifier": "Address",
            "columnName": "IPCustomEntity"
          }
        ]
      }
    ],
    "customDetails": {
      "EventNames": "EventName",
      "EventTypes": "EventTypeName"
    },
    "alertDetailsOverride": {
      "alertDisplayNameFormat": "Alert on event {{EventName}}",
      "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
      "alertTacticsColumnName": null,
      "alertSeverityColumnName": null
    },
    "alertRulesCreatedByTemplateCount": 0
  }
}

Definitions

Name Description
AlertDetailsOverride

Settings for how to dynamically override alert static details

AlertProperty

The V3 alert property

AlertPropertyMapping

A single alert property mapping to override

AlertRuleTemplateDataSource

alert rule template data sources

AlertSeverity

The severity for alerts created by this alert rule.

AttackTactic

The severity for alerts created by this alert rule.

CloudError

Error response structure.

CloudErrorBody

Error details.

createdByType

The type of identity that created the resource.

EntityMapping

Single entity mapping for the alert rule

EntityMappingType

The V3 type of the mapped entity

EventGroupingAggregationKind

The event grouping aggregation kinds

EventGroupingSettings

Event grouping settings property bag.

FieldMapping

A single field mapping of the mapped entity

FusionAlertRuleTemplate

Represents Fusion alert rule template.

MicrosoftSecurityIncidentCreationAlertRuleTemplate

Represents MicrosoftSecurityIncidentCreation rule template.

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

ScheduledAlertRuleTemplate

Represents scheduled alert rule template.

systemData

Metadata pertaining to creation and last modification of the resource.

TemplateStatus

The alert rule template status.

TriggerOperator

The operation against the threshold that triggers alert rule.

AlertDetailsOverride

Settings for how to dynamically override alert static details

Name Type Description
alertDescriptionFormat

string

the format containing columns name(s) to override the alert description

alertDisplayNameFormat

string

the format containing columns name(s) to override the alert name

alertDynamicProperties

AlertPropertyMapping[]

List of additional dynamic properties to override

alertSeverityColumnName

string

the column name to take the alert severity from

alertTacticsColumnName

string

the column name to take the alert tactics from

AlertProperty

The V3 alert property

Name Type Description
AlertLink

string

Alert's link

ConfidenceLevel

string

Confidence level property

ConfidenceScore

string

Confidence score

ExtendedLinks

string

Extended links to the alert

ProductComponentName

string

Product component name alert property

ProductName

string

Product name alert property

ProviderName

string

Provider name alert property

RemediationSteps

string

Remediation steps alert property

Techniques

string

Techniques alert property

AlertPropertyMapping

A single alert property mapping to override

Name Type Description
alertProperty

AlertProperty

The V3 alert property

value

string

the column name to use to override this property

AlertRuleTemplateDataSource

alert rule template data sources

Name Type Description
connectorId

string

The connector id that provides the following data types

dataTypes

string[]

The data types used by the alert rule template

AlertSeverity

The severity for alerts created by this alert rule.

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

AttackTactic

The severity for alerts created by this alert rule.

Name Type Description
Collection

string

CommandAndControl

string

CredentialAccess

string

DefenseEvasion

string

Discovery

string

Execution

string

Exfiltration

string

Impact

string

ImpairProcessControl

string

InhibitResponseFunction

string

InitialAccess

string

LateralMovement

string

Persistence

string

PreAttack

string

PrivilegeEscalation

string

Reconnaissance

string

ResourceDevelopment

string

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

EntityMapping

Single entity mapping for the alert rule

Name Type Description
entityType

EntityMappingType

The V3 type of the mapped entity

fieldMappings

FieldMapping[]

array of field mappings for the given entity mapping

EntityMappingType

The V3 type of the mapped entity

Name Type Description
Account

string

User account entity type

AzureResource

string

Azure resource entity type

CloudApplication

string

Cloud app entity type

DNS

string

DNS entity type

File

string

System file entity type

FileHash

string

File-hash entity type

Host

string

Host entity type

IP

string

IP address entity type

MailCluster

string

Mail cluster entity type

MailMessage

string

Mail message entity type

Mailbox

string

Mailbox entity type

Malware

string

Malware entity type

Process

string

Process entity type

RegistryKey

string

Registry key entity type

RegistryValue

string

Registry value entity type

SecurityGroup

string

Security group entity type

SubmissionMail

string

Submission mail entity type

URL

string

URL entity type

EventGroupingAggregationKind

The event grouping aggregation kinds

Name Type Description
AlertPerResult

string

SingleAlert

string

EventGroupingSettings

Event grouping settings property bag.

Name Type Description
aggregationKind

EventGroupingAggregationKind

The event grouping aggregation kinds

FieldMapping

A single field mapping of the mapped entity

Name Type Description
columnName

string

the column name to be mapped to the identifier

identifier

string

the V3 identifier of the entity

FusionAlertRuleTemplate

Represents Fusion alert rule template.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Fusion

The alert rule kind

name

string

The name of the resource

properties.alertRulesCreatedByTemplateCount

integer

the number of alert rules that were created by this template

properties.createdDateUTC

string

The time that this alert rule template has been added.

properties.description

string

The description of the alert rule template.

properties.displayName

string

The display name for alert rule template.

properties.lastUpdatedDateUTC

string

The time that this alert rule template was last updated.

properties.requiredDataConnectors

AlertRuleTemplateDataSource[]

The required data connectors for this template

properties.severity

AlertSeverity

The severity for alerts created by this alert rule.

properties.status

TemplateStatus

The alert rule template status.

properties.tactics

AttackTactic[]

The tactics of the alert rule template

properties.techniques

string[]

The techniques of the alert rule template

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MicrosoftSecurityIncidentCreationAlertRuleTemplate

Represents MicrosoftSecurityIncidentCreation rule template.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MicrosoftSecurityIncidentCreation

The alert rule kind

name

string

The name of the resource

properties.alertRulesCreatedByTemplateCount

integer

the number of alert rules that were created by this template

properties.createdDateUTC

string

The time that this alert rule template has been added.

properties.description

string

The description of the alert rule template.

properties.displayName

string

The display name for alert rule template.

properties.displayNamesExcludeFilter

string[]

the alerts' displayNames on which the cases will not be generated

properties.displayNamesFilter

string[]

the alerts' displayNames on which the cases will be generated

properties.lastUpdatedDateUTC

string

The time that this alert rule template was last updated.

properties.productFilter

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

properties.requiredDataConnectors

AlertRuleTemplateDataSource[]

The required data connectors for this template

properties.severitiesFilter

AlertSeverity[]

the alerts' severities on which the cases will be generated

properties.status

TemplateStatus

The alert rule template status.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

Name Type Description
Azure Active Directory Identity Protection

string

Azure Advanced Threat Protection

string

Azure Security Center

string

Azure Security Center for IoT

string

Microsoft Cloud App Security

string

ScheduledAlertRuleTemplate

Represents scheduled alert rule template.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Scheduled

The alert rule kind

name

string

The name of the resource

properties.alertDetailsOverride

AlertDetailsOverride

The alert details override settings

properties.alertRulesCreatedByTemplateCount

integer

the number of alert rules that were created by this template

properties.createdDateUTC

string

The time that this alert rule template has been added.

properties.customDetails

object

Dictionary of string key-value pairs of columns to be attached to the alert

properties.description

string

The description of the alert rule template.

properties.displayName

string

The display name for alert rule template.

properties.entityMappings

EntityMapping[]

Array of the entity mappings of the alert rule

properties.eventGroupingSettings

EventGroupingSettings

The event grouping settings.

properties.lastUpdatedDateUTC

string

The time that this alert rule template was last updated.

properties.query

string

The query that creates alerts for this rule.

properties.queryFrequency

string

The frequency (in ISO 8601 duration format) for this alert rule to run.

properties.queryPeriod

string

The period (in ISO 8601 duration format) that this alert rule looks at.

properties.requiredDataConnectors

AlertRuleTemplateDataSource[]

The required data connectors for this template

properties.severity

AlertSeverity

The severity for alerts created by this alert rule.

properties.status

TemplateStatus

The alert rule template status.

properties.tactics

AttackTactic[]

The tactics of the alert rule template

properties.techniques

string[]

The techniques of the alert rule template

properties.triggerOperator

TriggerOperator

The operation against the threshold that triggers alert rule.

properties.triggerThreshold

integer

The threshold triggers this alert rule.

properties.version

string

The version of this template - in format <a.b.c>, where all are numbers. For example <1.0.2>.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

TemplateStatus

The alert rule template status.

Name Type Description
Available

string

Alert rule template is available.

Installed

string

Alert rule template installed. and can not use more then once

NotAvailable

string

Alert rule template is not available

TriggerOperator

The operation against the threshold that triggers alert rule.

Name Type Description
Equal

string

GreaterThan

string

LessThan

string

NotEqual

string