Alert Rule Templates - Get
Gets the alert rule template.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
alertRuleTemplateId | path | True | string | Alert rule template ID |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK | AlertRuleTemplate: FusionAlertRuleTemplate, MicrosoftSecurityIncidentCreationAlertRuleTemplate, or ScheduledAlertRuleTemplate | OK, Operation successfully completed |
Other Status Codes | CloudError | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get alert rule template by Id.
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa?api-version=2024-09-01
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
"name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Scheduled",
"properties": {
"severity": "Low",
"query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"displayName": "Changes to Amazon VPC settings",
"description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"tactics": [
"PrivilegeEscalation",
"LateralMovement"
],
"lastUpdatedDateUTC": "2021-02-27T10:00:00Z",
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"version": "1.0.2",
"requiredDataConnectors": [
{
"connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
]
}
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"customDetails": {
"EventNames": "EventName",
"EventTypes": "EventTypeName"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Alert on event {{EventName}}",
"alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
"alertTacticsColumnName": null,
"alertSeverityColumnName": null
},
"alertRulesCreatedByTemplateCount": 0
}
}
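An added example, not code from the page or from Microsoft's SDKs: it builds this operation's request URL with the UUID check the parameter table requires, converts the ISO 8601 `queryFrequency`/`queryPeriod` values, and summarizes a Scheduled template response the way a detection engineer reviews it before creating a rule. The `covers_interval` check, the duration parser, and the trimmed `SAMPLE` (copied from the page's sample response) are this example's own assumptions.

```python
import re
import uuid
from urllib.parse import quote

API_VERSION = "2024-09-01"

def template_url(subscription_id, resource_group, workspace, template_id):
    """Request URL for this operation; subscriptionId must be a UUID, other path segments are percent-encoded."""
    uuid.UUID(subscription_id)  # ValueError on a malformed subscription ID (the parameter table requires a UUID)
    return ("https://management.azure.com/subscriptions/" + subscription_id
            + "/resourceGroups/" + quote(resource_group, safe="")
            + "/providers/Microsoft.OperationalInsights/workspaces/" + quote(workspace, safe="")
            + "/providers/Microsoft.SecurityInsights/alertRuleTemplates/" + quote(template_id, safe="")
            + "?api-version=" + API_VERSION)

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
def iso_duration_seconds(value):
    """Seconds in an ISO 8601 duration of the form used by queryFrequency/queryPeriod (P1D, PT5M, ...)."""
    m = _DUR.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def summarize_scheduled_template(body):
    """Extract what a detection engineer reviews before creating a rule from a Scheduled template."""
    if body.get("kind") != "Scheduled":
        raise ValueError(f"expected kind 'Scheduled', got {body.get('kind')!r}")
    p = body["properties"]
    freq, period = iso_duration_seconds(p["queryFrequency"]), iso_duration_seconds(p["queryPeriod"])
    return {
        "displayName": p["displayName"], "severity": p["severity"], "status": p["status"],
        "tactics": list(p.get("tactics", [])), "frequency_s": freq, "period_s": period,
        "covers_interval": period >= freq,  # a lookback shorter than the run interval leaves unscanned gaps
        "connectors": {c["connectorId"]: list(c["dataTypes"]) for c in p.get("requiredDataConnectors", [])},
        "entities": {m["entityType"]: {f["identifier"]: f["columnName"] for f in m["fieldMappings"]}
                     for m in p.get("entityMappings", [])},
    }

# Constructed sample input: a trimmed copy of the page's sample response.
SAMPLE = {"kind": "Scheduled", "properties": {
    "severity": "Low", "queryFrequency": "P1D", "queryPeriod": "P1D", "status": "Available",
    "displayName": "Changes to Amazon VPC settings", "tactics": ["PrivilegeEscalation", "LateralMovement"],
    "requiredDataConnectors": [{"connectorId": "AWS", "dataTypes": ["AWSCloudTrail"]}],
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "AccountCustomEntity"}]},
        {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPCustomEntity"}]}]}}
if __name__ == "__main__":
    print(summarize_scheduled_template(SAMPLE))
```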
Definitions
Name | Description |
---|---|
AlertDetailsOverride | Settings for how to dynamically override alert static details |
AlertProperty | The V3 alert property |
AlertPropertyMapping | A single alert property mapping to override |
AlertRuleTemplateDataSource | alert rule template data sources |
AlertSeverity | The severity for alerts created by this alert rule. |
AttackTactic | The severity for alerts created by this alert rule. |
CloudError | Error response structure. |
CloudErrorBody | Error details. |
createdByType | The type of identity that created the resource. |
EntityMapping | Single entity mapping for the alert rule |
EntityMappingType | The V3 type of the mapped entity |
EventGroupingAggregationKind | The event grouping aggregation kinds |
EventGroupingSettings | Event grouping settings property bag. |
FieldMapping | A single field mapping of the mapped entity |
FusionAlertRuleTemplate | Represents Fusion alert rule template. |
MicrosoftSecurityIncidentCreationAlertRuleTemplate | Represents MicrosoftSecurityIncidentCreation rule template. |
MicrosoftSecurityProductName | The alerts' productName on which the cases will be generated |
ScheduledAlertRuleTemplate | Represents scheduled alert rule template. |
systemData | Metadata pertaining to creation and last modification of the resource. |
TemplateStatus | The alert rule template status. |
TriggerOperator | The operation against the threshold that triggers alert rule. |
AlertDetailsOverride
Settings for how to dynamically override alert static details
Name | Type | Description |
---|---|---|
alertDescriptionFormat | string | the format containing column name(s) to override the alert description |
alertDisplayNameFormat | string | the format containing column name(s) to override the alert name |
alertDynamicProperties | AlertPropertyMapping[] | List of additional dynamic properties to override |
alertSeverityColumnName | string | the column name to take the alert severity from |
alertTacticsColumnName | string | the column name to take the alert tactics from |
AlertProperty
The V3 alert property
Name | Type | Description |
---|---|---|
AlertLink | string | Alert's link |
ConfidenceLevel | string | Confidence level property |
ConfidenceScore | string | Confidence score |
ExtendedLinks | string | Extended links to the alert |
ProductComponentName | string | Product component name alert property |
ProductName | string | Product name alert property |
ProviderName | string | Provider name alert property |
RemediationSteps | string | Remediation steps alert property |
Techniques | string | Techniques alert property |
AlertPropertyMapping
A single alert property mapping to override
Name | Type | Description |
---|---|---|
alertProperty | AlertProperty | The V3 alert property |
value | string | the column name to use to override this property |
AlertRuleTemplateDataSource
alert rule template data sources
Name | Type | Description |
---|---|---|
connectorId | string | The connector id that provides the following data types |
dataTypes | string[] | The data types used by the alert rule template |
AlertSeverity
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
High | string | High severity |
Informational | string | Informational severity |
Low | string | Low severity |
Medium | string | Medium severity |
AttackTactic
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
Collection | string | |
CommandAndControl | string | |
CredentialAccess | string | |
DefenseEvasion | string | |
Discovery | string | |
Execution | string | |
Exfiltration | string | |
Impact | string | |
ImpairProcessControl | string | |
InhibitResponseFunction | string | |
InitialAccess | string | |
LateralMovement | string | |
Persistence | string | |
PreAttack | string | |
PrivilegeEscalation | string | |
Reconnaissance | string | |
ResourceDevelopment | string | |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | CloudErrorBody | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
EntityMapping
Single entity mapping for the alert rule
Name | Type | Description |
---|---|---|
entityType | EntityMappingType | The V3 type of the mapped entity |
fieldMappings | FieldMapping[] | array of field mappings for the given entity mapping |
EntityMappingType
The V3 type of the mapped entity
Name | Type | Description |
---|---|---|
Account | string | User account entity type |
AzureResource | string | Azure resource entity type |
CloudApplication | string | Cloud app entity type |
DNS | string | DNS entity type |
File | string | System file entity type |
FileHash | string | File-hash entity type |
Host | string | Host entity type |
IP | string | IP address entity type |
MailCluster | string | Mail cluster entity type |
MailMessage | string | Mail message entity type |
Mailbox | string | Mailbox entity type |
Malware | string | Malware entity type |
Process | string | Process entity type |
RegistryKey | string | Registry key entity type |
RegistryValue | string | Registry value entity type |
SecurityGroup | string | Security group entity type |
SubmissionMail | string | Submission mail entity type |
URL | string | URL entity type |
EventGroupingAggregationKind
The event grouping aggregation kinds
Name | Type | Description |
---|---|---|
AlertPerResult | string | |
SingleAlert | string | |
EventGroupingSettings
Event grouping settings property bag.
Name | Type | Description |
---|---|---|
aggregationKind | EventGroupingAggregationKind | The event grouping aggregation kinds |
FieldMapping
A single field mapping of the mapped entity
Name | Type | Description |
---|---|---|
columnName | string | the column name to be mapped to the identifier |
identifier | string | the V3 identifier of the entity |
FusionAlertRuleTemplate
Represents Fusion alert rule template.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Fusion | The alert rule kind |
name | string | The name of the resource |
properties.alertRulesCreatedByTemplateCount | integer | the number of alert rules that were created by this template |
properties.createdDateUTC | string | The time that this alert rule template has been added. |
properties.description | string | The description of the alert rule template. |
properties.displayName | string | The display name for alert rule template. |
properties.lastUpdatedDateUTC | string | The time that this alert rule template was last updated. |
properties.requiredDataConnectors | AlertRuleTemplateDataSource[] | The required data connectors for this template |
properties.severity | AlertSeverity | The severity for alerts created by this alert rule. |
properties.status | TemplateStatus | The alert rule template status. |
properties.tactics | AttackTactic[] | The tactics of the alert rule template |
properties.techniques | string[] | The techniques of the alert rule template |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftSecurityIncidentCreationAlertRuleTemplate
Represents MicrosoftSecurityIncidentCreation rule template.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: MicrosoftSecurityIncidentCreation | The alert rule kind |
name | string | The name of the resource |
properties.alertRulesCreatedByTemplateCount | integer | the number of alert rules that were created by this template |
properties.createdDateUTC | string | The time that this alert rule template has been added. |
properties.description | string | The description of the alert rule template. |
properties.displayName | string | The display name for alert rule template. |
properties.displayNamesExcludeFilter | string[] | the alerts' displayNames on which the cases will not be generated |
properties.displayNamesFilter | string[] | the alerts' displayNames on which the cases will be generated |
properties.lastUpdatedDateUTC | string | The time that this alert rule template was last updated. |
properties.productFilter | MicrosoftSecurityProductName | The alerts' productName on which the cases will be generated |
properties.requiredDataConnectors | AlertRuleTemplateDataSource[] | The required data connectors for this template |
properties.severitiesFilter | AlertSeverity[] | the alerts' severities on which the cases will be generated |
properties.status | TemplateStatus | The alert rule template status. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftSecurityProductName
The alerts' productName on which the cases will be generated
Name | Type | Description |
---|---|---|
Azure Active Directory Identity Protection | string | |
Azure Advanced Threat Protection | string | |
Azure Security Center | string | |
Azure Security Center for IoT | string | |
Microsoft Cloud App Security | string | |
ScheduledAlertRuleTemplate
Represents scheduled alert rule template.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Scheduled | The alert rule kind |
name | string | The name of the resource |
properties.alertDetailsOverride | AlertDetailsOverride | The alert details override settings |
properties.alertRulesCreatedByTemplateCount | integer | the number of alert rules that were created by this template |
properties.createdDateUTC | string | The time that this alert rule template has been added. |
properties.customDetails | object | Dictionary of string key-value pairs of columns to be attached to the alert |
properties.description | string | The description of the alert rule template. |
properties.displayName | string | The display name for alert rule template. |
properties.entityMappings | EntityMapping[] | Array of the entity mappings of the alert rule |
properties.eventGroupingSettings | EventGroupingSettings | The event grouping settings. |
properties.lastUpdatedDateUTC | string | The time that this alert rule template was last updated. |
properties.query | string | The query that creates alerts for this rule. |
properties.queryFrequency | string | The frequency (in ISO 8601 duration format) for this alert rule to run. |
properties.queryPeriod | string | The period (in ISO 8601 duration format) that this alert rule looks at. |
properties.requiredDataConnectors | AlertRuleTemplateDataSource[] | The required data connectors for this template |
properties.severity | AlertSeverity | The severity for alerts created by this alert rule. |
properties.status | TemplateStatus | The alert rule template status. |
properties.tactics | AttackTactic[] | The tactics of the alert rule template |
properties.techniques | string[] | The techniques of the alert rule template |
properties.triggerOperator | TriggerOperator | The operation against the threshold that triggers alert rule. |
properties.triggerThreshold | integer | The threshold that triggers this alert rule. |
properties.version | string | The version of this template, in the format <a.b.c>, where all parts are numbers. For example <1.0.2>. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | createdByType | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC). |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | createdByType | The type of identity that last modified the resource. |
TemplateStatus
The alert rule template status.
Name | Type | Description |
---|---|---|
Available | string | Alert rule template is available. |
Installed | string | Alert rule template is installed and cannot be used more than once. |
NotAvailable | string | Alert rule template is not available. |
TriggerOperator
The operation against the threshold that triggers alert rule.
Name | Type | Description |
---|---|---|
Equal | string | |
GreaterThan | string | |
LessThan | string | |
NotEqual | string | |