Compartilhar via


Alert Rules - List

Gets all alert rules.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2024-09-01

URI Parameters

Name In Required Type Description
resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK

AlertRulesList

OK, Operation successfully completed

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get all alert rules.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules?api-version=2024-09-01

Sample response

{
  "value": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Scheduled",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {
        "alertRuleTemplateName": null,
        "displayName": "My scheduled rule",
        "description": "An example for a scheduled rule",
        "severity": "High",
        "enabled": true,
        "tactics": [
          "Persistence",
          "LateralMovement"
        ],
        "query": "Heartbeat",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2DT1H30M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "lastModifiedUtc": "2021-03-01T13:17:30Z",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "customDetails": {
          "OperatingSystemName": "OSName",
          "OperatingSystemType": "OSType"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Computer"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "ComputerIP"
              }
            ]
          }
        ],
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Alert from {{Computer}}",
          "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
          "alertTacticsColumnName": null,
          "alertSeverityColumnName": null
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "Selected",
            "groupByEntities": [
              "Host"
            ],
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByCustomDetails": [
              "OperatingSystemType",
              "OperatingSystemName"
            ]
          }
        }
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
      "name": "microsoftSecurityIncidentCreationRuleExample",
      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "productFilter": "Microsoft Cloud App Security",
        "severitiesFilter": null,
        "displayNamesFilter": null,
        "displayName": "testing displayname",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
      "name": "myFirstFusionRule",
      "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {
        "displayName": "Advanced Multi-Stage Attack Detection",
        "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
        "tactics": [
          "Persistence",
          "LateralMovement",
          "Exfiltration",
          "CommandAndControl"
        ],
        "severity": "High",
        "enabled": false,
        "lastModifiedUtc": "2019-09-02T07:12:34.9065092Z"
      }
    }
  ]
}

Definitions

Name Description
AlertDetail

A list of alert details to group by (when matchingMethod is Selected)

AlertDetailsOverride

Settings for how to dynamically override alert static details

AlertProperty

The V3 alert property

AlertPropertyMapping

A single alert property mapping to override

AlertRulesList

List all the alert rules.

AlertSeverity

The severity for alerts created by this alert rule.

AttackTactic

The severity for alerts created by this alert rule.

CloudError

Error response structure.

CloudErrorBody

Error details.

createdByType

The type of identity that created the resource.

EntityMapping

Single entity mapping for the alert rule

EntityMappingType

The V3 type of the mapped entity

EventGroupingAggregationKind

The event grouping aggregation kinds

EventGroupingSettings

Event grouping settings property bag.

FieldMapping

A single field mapping of the mapped entity

FusionAlertRule

Represents Fusion alert rule.

GroupingConfiguration

Grouping configuration property bag.

IncidentConfiguration

Incident Configuration property bag.

MatchingMethod

Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.

MicrosoftSecurityIncidentCreationAlertRule

Represents MicrosoftSecurityIncidentCreation rule.

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

ScheduledAlertRule

Represents scheduled alert rule.

systemData

Metadata pertaining to creation and last modification of the resource.

TriggerOperator

The operation against the threshold that triggers alert rule.

AlertDetail

A list of alert details to group by (when matchingMethod is Selected)

Name Type Description
DisplayName

string

Alert display name

Severity

string

Alert severity

AlertDetailsOverride

Settings for how to dynamically override alert static details

Name Type Description
alertDescriptionFormat

string

the format containing columns name(s) to override the alert description

alertDisplayNameFormat

string

the format containing columns name(s) to override the alert name

alertDynamicProperties

AlertPropertyMapping[]

List of additional dynamic properties to override

alertSeverityColumnName

string

the column name to take the alert severity from

alertTacticsColumnName

string

the column name to take the alert tactics from

AlertProperty

The V3 alert property

Name Type Description
AlertLink

string

Alert's link

ConfidenceLevel

string

Confidence level property

ConfidenceScore

string

Confidence score

ExtendedLinks

string

Extended links to the alert

ProductComponentName

string

Product component name alert property

ProductName

string

Product name alert property

ProviderName

string

Provider name alert property

RemediationSteps

string

Remediation steps alert property

Techniques

string

Techniques alert property

AlertPropertyMapping

A single alert property mapping to override

Name Type Description
alertProperty

AlertProperty

The V3 alert property

value

string

the column name to use to override this property

AlertRulesList

List all the alert rules.

Name Type Description
nextLink

string

URL to fetch the next set of alert rules.

value AlertRule[]:

Array of alert rules.

AlertSeverity

The severity for alerts created by this alert rule.

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

AttackTactic

The severity for alerts created by this alert rule.

Name Type Description
Collection

string

CommandAndControl

string

CredentialAccess

string

DefenseEvasion

string

Discovery

string

Execution

string

Exfiltration

string

Impact

string

ImpairProcessControl

string

InhibitResponseFunction

string

InitialAccess

string

LateralMovement

string

Persistence

string

PreAttack

string

PrivilegeEscalation

string

Reconnaissance

string

ResourceDevelopment

string

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

EntityMapping

Single entity mapping for the alert rule

Name Type Description
entityType

EntityMappingType

The V3 type of the mapped entity

fieldMappings

FieldMapping[]

array of field mappings for the given entity mapping

EntityMappingType

The V3 type of the mapped entity

Name Type Description
Account

string

User account entity type

AzureResource

string

Azure resource entity type

CloudApplication

string

Cloud app entity type

DNS

string

DNS entity type

File

string

System file entity type

FileHash

string

File-hash entity type

Host

string

Host entity type

IP

string

IP address entity type

MailCluster

string

Mail cluster entity type

MailMessage

string

Mail message entity type

Mailbox

string

Mailbox entity type

Malware

string

Malware entity type

Process

string

Process entity type

RegistryKey

string

Registry key entity type

RegistryValue

string

Registry value entity type

SecurityGroup

string

Security group entity type

SubmissionMail

string

Submission mail entity type

URL

string

URL entity type

EventGroupingAggregationKind

The event grouping aggregation kinds

Name Type Description
AlertPerResult

string

SingleAlert

string

EventGroupingSettings

Event grouping settings property bag.

Name Type Description
aggregationKind

EventGroupingAggregationKind

The event grouping aggregation kinds

FieldMapping

A single field mapping of the mapped entity

Name Type Description
columnName

string

the column name to be mapped to the identifier

identifier

string

the V3 identifier of the entity

FusionAlertRule

Represents Fusion alert rule.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Fusion

The alert rule kind

name

string

The name of the resource

properties.alertRuleTemplateName

string

The Name of the alert rule template used to create this rule.

properties.description

string

The description of the alert rule.

properties.displayName

string

The display name for alerts created by this alert rule.

properties.enabled

boolean

Determines whether this alert rule is enabled or disabled.

properties.lastModifiedUtc

string

The last time that this alert has been modified.

properties.severity

AlertSeverity

The severity for alerts created by this alert rule.

properties.tactics

AttackTactic[]

The tactics of the alert rule

properties.techniques

string[]

The techniques of the alert rule

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

GroupingConfiguration

Grouping configuration property bag.

Name Type Description
enabled

boolean

Grouping enabled

groupByAlertDetails

AlertDetail[]

A list of alert details to group by (when matchingMethod is Selected)

groupByCustomDetails

string[]

A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.

groupByEntities

EntityMappingType[]

A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.

lookbackDuration

string

Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)

matchingMethod

MatchingMethod

Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.

reopenClosedIncident

boolean

Re-open closed matching incidents

IncidentConfiguration

Incident Configuration property bag.

Name Type Description
createIncident

boolean

Create incidents from alerts triggered by this analytics rule

groupingConfiguration

GroupingConfiguration

Set how the alerts that are triggered by this analytics rule, are grouped into incidents

MatchingMethod

Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.

Name Type Description
AllEntities

string

Grouping alerts into a single incident if all the entities match

AnyAlert

string

Grouping any alerts triggered by this rule into a single incident

Selected

string

Grouping alerts into a single incident if the selected entities, custom details and alert details match

MicrosoftSecurityIncidentCreationAlertRule

Represents MicrosoftSecurityIncidentCreation rule.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MicrosoftSecurityIncidentCreation

The alert rule kind

name

string

The name of the resource

properties.alertRuleTemplateName

string

The Name of the alert rule template used to create this rule.

properties.description

string

The description of the alert rule.

properties.displayName

string

The display name for alerts created by this alert rule.

properties.displayNamesExcludeFilter

string[]

the alerts' displayNames on which the cases will not be generated

properties.displayNamesFilter

string[]

the alerts' displayNames on which the cases will be generated

properties.enabled

boolean

Determines whether this alert rule is enabled or disabled.

properties.lastModifiedUtc

string

The last time that this alert has been modified.

properties.productFilter

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

properties.severitiesFilter

AlertSeverity[]

the alerts' severities on which the cases will be generated

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MicrosoftSecurityProductName

The alerts' productName on which the cases will be generated

Name Type Description
Azure Active Directory Identity Protection

string

Azure Advanced Threat Protection

string

Azure Security Center

string

Azure Security Center for IoT

string

Microsoft Cloud App Security

string

ScheduledAlertRule

Represents scheduled alert rule.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Scheduled

The alert rule kind

name

string

The name of the resource

properties.alertDetailsOverride

AlertDetailsOverride

The alert details override settings

properties.alertRuleTemplateName

string

The Name of the alert rule template used to create this rule.

properties.customDetails

object

Dictionary of string key-value pairs of columns to be attached to the alert

properties.description

string

The description of the alert rule.

properties.displayName

string

The display name for alerts created by this alert rule.

properties.enabled

boolean

Determines whether this alert rule is enabled or disabled.

properties.entityMappings

EntityMapping[]

Array of the entity mappings of the alert rule

properties.eventGroupingSettings

EventGroupingSettings

The event grouping settings.

properties.incidentConfiguration

IncidentConfiguration

The settings of the incidents that created from alerts triggered by this analytics rule

properties.lastModifiedUtc

string

The last time that this alert rule has been modified.

properties.query

string

The query that creates alerts for this rule.

properties.queryFrequency

string

The frequency (in ISO 8601 duration format) for this alert rule to run.

properties.queryPeriod

string

The period (in ISO 8601 duration format) that this alert rule looks at.

properties.severity

AlertSeverity

The severity for alerts created by this alert rule.

properties.suppressionDuration

string

The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.

properties.suppressionEnabled

boolean

Determines whether the suppression for this alert rule is enabled or disabled.

properties.tactics

AttackTactic[]

The tactics of the alert rule

properties.techniques

string[]

The techniques of the alert rule

properties.templateVersion

string

The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>

properties.triggerOperator

TriggerOperator

The operation against the threshold that triggers alert rule.

properties.triggerThreshold

integer

The threshold triggers this alert rule.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

TriggerOperator

The operation against the threshold that triggers alert rule.

Name Type Description
Equal

string

GreaterThan

string

LessThan

string

NotEqual

string