Alert Rules - List
Gets all alert rules.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
api-version
|
query | True |
string |
The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK |
OK, Operation successfully completed |
|
Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get all alert rules.
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules?api-version=2024-09-01
Sample response
{
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "Scheduled",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"alertRuleTemplateName": null,
"displayName": "My scheduled rule",
"description": "An example for a scheduled rule",
"severity": "High",
"enabled": true,
"tactics": [
"Persistence",
"LateralMovement"
],
"query": "Heartbeat",
"queryFrequency": "PT1H",
"queryPeriod": "P2DT1H30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"lastModifiedUtc": "2021-03-01T13:17:30Z",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"OperatingSystemName": "OSName",
"OperatingSystemType": "OSType"
},
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "ComputerIP"
}
]
}
],
"alertDetailsOverride": {
"alertDisplayNameFormat": "Alert from {{Computer}}",
"alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
"alertTacticsColumnName": null,
"alertSeverityColumnName": null
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "Selected",
"groupByEntities": [
"Host"
],
"groupByAlertDetails": [
"DisplayName"
],
"groupByCustomDetails": [
"OperatingSystemType",
"OperatingSystemName"
]
}
}
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
"name": "microsoftSecurityIncidentCreationRuleExample",
"etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": null,
"displayNamesFilter": null,
"displayName": "testing displayname",
"enabled": true,
"description": null,
"alertRuleTemplateName": null,
"lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
"name": "myFirstFusionRule",
"etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "Fusion",
"properties": {
"displayName": "Advanced Multi-Stage Attack Detection",
"description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
"tactics": [
"Persistence",
"LateralMovement",
"Exfiltration",
"CommandAndControl"
],
"severity": "High",
"enabled": false,
"lastModifiedUtc": "2019-09-02T07:12:34.9065092Z"
}
}
]
}
Definitions
Name | Description |
---|---|
Alert |
A list of alert details to group by (when matchingMethod is Selected) |
Alert |
Settings for how to dynamically override alert static details |
Alert |
The V3 alert property |
Alert |
A single alert property mapping to override |
Alert |
List all the alert rules. |
Alert |
The severity for alerts created by this alert rule. |
Attack |
The severity for alerts created by this alert rule. |
Cloud |
Error response structure. |
Cloud |
Error details. |
created |
The type of identity that created the resource. |
Entity |
Single entity mapping for the alert rule |
Entity |
The V3 type of the mapped entity |
Event |
The event grouping aggregation kinds |
Event |
Event grouping settings property bag. |
Field |
A single field mapping of the mapped entity |
Fusion |
Represents Fusion alert rule. |
Grouping |
Grouping configuration property bag. |
Incident |
Incident Configuration property bag. |
Matching |
Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. |
Microsoft |
Represents MicrosoftSecurityIncidentCreation rule. |
Microsoft |
The alerts' productName on which the cases will be generated |
Scheduled |
Represents scheduled alert rule. |
system |
Metadata pertaining to creation and last modification of the resource. |
Trigger |
The operation against the threshold that triggers alert rule. |
AlertDetail
A list of alert details to group by (when matchingMethod is Selected)
Name | Type | Description |
---|---|---|
DisplayName |
string |
Alert display name |
Severity |
string |
Alert severity |
AlertDetailsOverride
Settings for how to dynamically override alert static details
Name | Type | Description |
---|---|---|
alertDescriptionFormat |
string |
the format containing columns name(s) to override the alert description |
alertDisplayNameFormat |
string |
the format containing columns name(s) to override the alert name |
alertDynamicProperties |
List of additional dynamic properties to override |
|
alertSeverityColumnName |
string |
the column name to take the alert severity from |
alertTacticsColumnName |
string |
the column name to take the alert tactics from |
AlertProperty
The V3 alert property
Name | Type | Description |
---|---|---|
AlertLink |
string |
Alert's link |
ConfidenceLevel |
string |
Confidence level property |
ConfidenceScore |
string |
Confidence score |
ExtendedLinks |
string |
Extended links to the alert |
ProductComponentName |
string |
Product component name alert property |
ProductName |
string |
Product name alert property |
ProviderName |
string |
Provider name alert property |
RemediationSteps |
string |
Remediation steps alert property |
Techniques |
string |
Techniques alert property |
AlertPropertyMapping
A single alert property mapping to override
Name | Type | Description |
---|---|---|
alertProperty |
The V3 alert property |
|
value |
string |
the column name to use to override this property |
AlertRulesList
List all the alert rules.
Name | Type | Description |
---|---|---|
nextLink |
string |
URL to fetch the next set of alert rules. |
value | AlertRule[]: |
Array of alert rules. |
AlertSeverity
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
High |
string |
High severity |
Informational |
string |
Informational severity |
Low |
string |
Low severity |
Medium |
string |
Medium severity |
AttackTactic
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
Collection |
string |
|
CommandAndControl |
string |
|
CredentialAccess |
string |
|
DefenseEvasion |
string |
|
Discovery |
string |
|
Execution |
string |
|
Exfiltration |
string |
|
Impact |
string |
|
ImpairProcessControl |
string |
|
InhibitResponseFunction |
string |
|
InitialAccess |
string |
|
LateralMovement |
string |
|
Persistence |
string |
|
PreAttack |
string |
|
PrivilegeEscalation |
string |
|
Reconnaissance |
string |
|
ResourceDevelopment |
string |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error |
Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application |
string |
|
Key |
string |
|
ManagedIdentity |
string |
|
User |
string |
EntityMapping
Single entity mapping for the alert rule
Name | Type | Description |
---|---|---|
entityType |
The V3 type of the mapped entity |
|
fieldMappings |
array of field mappings for the given entity mapping |
EntityMappingType
The V3 type of the mapped entity
Name | Type | Description |
---|---|---|
Account |
string |
User account entity type |
AzureResource |
string |
Azure resource entity type |
CloudApplication |
string |
Cloud app entity type |
DNS |
string |
DNS entity type |
File |
string |
System file entity type |
FileHash |
string |
File-hash entity type |
Host |
string |
Host entity type |
IP |
string |
IP address entity type |
MailCluster |
string |
Mail cluster entity type |
MailMessage |
string |
Mail message entity type |
Mailbox |
string |
Mailbox entity type |
Malware |
string |
Malware entity type |
Process |
string |
Process entity type |
RegistryKey |
string |
Registry key entity type |
RegistryValue |
string |
Registry value entity type |
SecurityGroup |
string |
Security group entity type |
SubmissionMail |
string |
Submission mail entity type |
URL |
string |
URL entity type |
EventGroupingAggregationKind
The event grouping aggregation kinds
Name | Type | Description |
---|---|---|
AlertPerResult |
string |
|
SingleAlert |
string |
EventGroupingSettings
Event grouping settings property bag.
Name | Type | Description |
---|---|---|
aggregationKind |
The event grouping aggregation kinds |
FieldMapping
A single field mapping of the mapped entity
Name | Type | Description |
---|---|---|
columnName |
string |
the column name to be mapped to the identifier |
identifier |
string |
the V3 identifier of the entity |
FusionAlertRule
Represents Fusion alert rule.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Fusion |
The alert rule kind |
name |
string |
The name of the resource |
properties.alertRuleTemplateName |
string |
The Name of the alert rule template used to create this rule. |
properties.description |
string |
The description of the alert rule. |
properties.displayName |
string |
The display name for alerts created by this alert rule. |
properties.enabled |
boolean |
Determines whether this alert rule is enabled or disabled. |
properties.lastModifiedUtc |
string |
The last time that this alert has been modified. |
properties.severity |
The severity for alerts created by this alert rule. |
|
properties.tactics |
The tactics of the alert rule |
|
properties.techniques |
string[] |
The techniques of the alert rule |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
GroupingConfiguration
Grouping configuration property bag.
Name | Type | Description |
---|---|---|
enabled |
boolean |
Grouping enabled |
groupByAlertDetails |
A list of alert details to group by (when matchingMethod is Selected) |
|
groupByCustomDetails |
string[] |
A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. |
groupByEntities |
A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. |
|
lookbackDuration |
string |
Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) |
matchingMethod |
Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. |
|
reopenClosedIncident |
boolean |
Re-open closed matching incidents |
IncidentConfiguration
Incident Configuration property bag.
Name | Type | Description |
---|---|---|
createIncident |
boolean |
Create incidents from alerts triggered by this analytics rule |
groupingConfiguration |
Set how the alerts that are triggered by this analytics rule, are grouped into incidents |
MatchingMethod
Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.
Name | Type | Description |
---|---|---|
AllEntities |
string |
Grouping alerts into a single incident if all the entities match |
AnyAlert |
string |
Grouping any alerts triggered by this rule into a single incident |
Selected |
string |
Grouping alerts into a single incident if the selected entities, custom details and alert details match |
MicrosoftSecurityIncidentCreationAlertRule
Represents MicrosoftSecurityIncidentCreation rule.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Microsoft |
The alert rule kind |
name |
string |
The name of the resource |
properties.alertRuleTemplateName |
string |
The Name of the alert rule template used to create this rule. |
properties.description |
string |
The description of the alert rule. |
properties.displayName |
string |
The display name for alerts created by this alert rule. |
properties.displayNamesExcludeFilter |
string[] |
the alerts' displayNames on which the cases will not be generated |
properties.displayNamesFilter |
string[] |
the alerts' displayNames on which the cases will be generated |
properties.enabled |
boolean |
Determines whether this alert rule is enabled or disabled. |
properties.lastModifiedUtc |
string |
The last time that this alert has been modified. |
properties.productFilter |
The alerts' productName on which the cases will be generated |
|
properties.severitiesFilter |
the alerts' severities on which the cases will be generated |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftSecurityProductName
The alerts' productName on which the cases will be generated
Name | Type | Description |
---|---|---|
Azure Active Directory Identity Protection |
string |
|
Azure Advanced Threat Protection |
string |
|
Azure Security Center |
string |
|
Azure Security Center for IoT |
string |
|
Microsoft Cloud App Security |
string |
ScheduledAlertRule
Represents scheduled alert rule.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Scheduled |
The alert rule kind |
name |
string |
The name of the resource |
properties.alertDetailsOverride |
The alert details override settings |
|
properties.alertRuleTemplateName |
string |
The Name of the alert rule template used to create this rule. |
properties.customDetails |
object |
Dictionary of string key-value pairs of columns to be attached to the alert |
properties.description |
string |
The description of the alert rule. |
properties.displayName |
string |
The display name for alerts created by this alert rule. |
properties.enabled |
boolean |
Determines whether this alert rule is enabled or disabled. |
properties.entityMappings |
Array of the entity mappings of the alert rule |
|
properties.eventGroupingSettings |
The event grouping settings. |
|
properties.incidentConfiguration |
The settings of the incidents that created from alerts triggered by this analytics rule |
|
properties.lastModifiedUtc |
string |
The last time that this alert rule has been modified. |
properties.query |
string |
The query that creates alerts for this rule. |
properties.queryFrequency |
string |
The frequency (in ISO 8601 duration format) for this alert rule to run. |
properties.queryPeriod |
string |
The period (in ISO 8601 duration format) that this alert rule looks at. |
properties.severity |
The severity for alerts created by this alert rule. |
|
properties.suppressionDuration |
string |
The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. |
properties.suppressionEnabled |
boolean |
Determines whether the suppression for this alert rule is enabled or disabled. |
properties.tactics |
The tactics of the alert rule |
|
properties.techniques |
string[] |
The techniques of the alert rule |
properties.templateVersion |
string |
The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> |
properties.triggerOperator |
The operation against the threshold that triggers alert rule. |
|
properties.triggerThreshold |
integer |
The threshold triggers this alert rule. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |
TriggerOperator
The operation against the threshold that triggers alert rule.
Name | Type | Description |
---|---|---|
Equal |
string |
|
GreaterThan |
string |
|
LessThan |
string |
|
NotEqual |
string |