Alert Rule Templates - List
Gets all alert rule templates.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2024-03-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string |
The ID of the target subscription. |
|
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK, Operation successfully completed |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Get all alert rule templates.
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2024-03-01
Sample response
{
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
"name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Scheduled",
"properties": {
"severity": "Low",
"query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"displayName": "Changes to Amazon VPC settings",
"description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
"tactics": [
"PrivilegeEscalation",
"LateralMovement"
],
"lastUpdatedDateUTC": "2021-02-27T10:00:00Z",
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"version": "1.0.1",
"requiredDataConnectors": [
{
"connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
]
}
],
"alertRulesCreatedByTemplateCount": 0
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
"name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Fusion",
"properties": {
"displayName": "Advanced Multi-Stage Attack Detection",
"description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
"tactics": [
"Persistence",
"LateralMovement",
"Exfiltration",
"CommandAndControl"
],
"lastUpdatedDateUTC": "2021-03-27T10:00:00Z",
"createdDateUTC": "2019-07-25T00:00:00Z",
"status": "Available",
"severity": "High",
"alertRulesCreatedByTemplateCount": 0
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
"name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"displayName": "Create incidents based on Microsoft Cloud App Security alerts",
"description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
"lastUpdatedDateUTC": "2021-05-27T10:00:00Z",
"createdDateUTC": "2019-07-16T00:00:00Z",
"status": "Available",
"alertRulesCreatedByTemplateCount": 0
}
}
]
}Definitions
| Name | Description |
|---|---|
|
Alert |
Settings for how to dynamically override alert static details |
|
Alert |
The V3 alert property |
|
Alert |
A single alert property mapping to override |
|
Alert |
alert rule template data sources |
|
Alert |
List all the alert rule templates. |
|
Alert |
The severity for alerts created by this alert rule. |
|
Attack |
The severity for alerts created by this alert rule. |
|
Cloud |
Error response structure. |
|
Cloud |
Error details. |
|
created |
The type of identity that created the resource. |
|
Entity |
Single entity mapping for the alert rule |
|
Entity |
The V3 type of the mapped entity |
|
Event |
The event grouping aggregation kinds |
|
Event |
Event grouping settings property bag. |
|
Field |
A single field mapping of the mapped entity |
|
Fusion |
Represents Fusion alert rule template. |
|
Microsoft |
Represents MicrosoftSecurityIncidentCreation rule template. |
|
Microsoft |
The alerts' productName on which the cases will be generated |
|
Scheduled |
Represents scheduled alert rule template. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
|
Template |
The alert rule template status. |
|
Trigger |
The operation against the threshold that triggers alert rule. |
AlertDetailsOverride
Settings for how to dynamically override alert static details
| Name | Type | Description |
|---|---|---|
| alertDescriptionFormat |
string |
the format containing columns name(s) to override the alert description |
| alertDisplayNameFormat |
string |
the format containing columns name(s) to override the alert name |
| alertDynamicProperties |
List of additional dynamic properties to override |
|
| alertSeverityColumnName |
string |
the column name to take the alert severity from |
| alertTacticsColumnName |
string |
the column name to take the alert tactics from |
AlertProperty
The V3 alert property
| Name | Type | Description |
|---|---|---|
| AlertLink |
string |
Alert's link |
| ConfidenceLevel |
string |
Confidence level property |
| ConfidenceScore |
string |
Confidence score |
| ExtendedLinks |
string |
Extended links to the alert |
| ProductComponentName |
string |
Product component name alert property |
| ProductName |
string |
Product name alert property |
| ProviderName |
string |
Provider name alert property |
| RemediationSteps |
string |
Remediation steps alert property |
| Techniques |
string |
Techniques alert property |
AlertPropertyMapping
A single alert property mapping to override
| Name | Type | Description |
|---|---|---|
| alertProperty |
The V3 alert property |
|
| value |
string |
the column name to use to override this property |
AlertRuleTemplateDataSource
alert rule template data sources
| Name | Type | Description |
|---|---|---|
| connectorId |
string |
The connector id that provides the following data types |
| dataTypes |
string[] |
The data types used by the alert rule template |
AlertRuleTemplatesList
List all the alert rule templates.
| Name | Type | Description |
|---|---|---|
| nextLink |
string |
URL to fetch the next set of alert rule templates. |
| value | AlertRuleTemplate[]: |
Array of alert rule templates. |
AlertSeverity
The severity for alerts created by this alert rule.
| Name | Type | Description |
|---|---|---|
| High |
string |
High severity |
| Informational |
string |
Informational severity |
| Low |
string |
Low severity |
| Medium |
string |
Medium severity |
AttackTactic
The severity for alerts created by this alert rule.
| Name | Type | Description |
|---|---|---|
| Collection |
string |
|
| CommandAndControl |
string |
|
| CredentialAccess |
string |
|
| DefenseEvasion |
string |
|
| Discovery |
string |
|
| Execution |
string |
|
| Exfiltration |
string |
|
| Impact |
string |
|
| ImpairProcessControl |
string |
|
| InhibitResponseFunction |
string |
|
| InitialAccess |
string |
|
| LateralMovement |
string |
|
| Persistence |
string |
|
| PreAttack |
string |
|
| PrivilegeEscalation |
string |
|
| Reconnaissance |
string |
|
| ResourceDevelopment |
string |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error |
Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Name | Type | Description |
|---|---|---|
| Application |
string |
|
| Key |
string |
|
| ManagedIdentity |
string |
|
| User |
string |
EntityMapping
Single entity mapping for the alert rule
| Name | Type | Description |
|---|---|---|
| entityType |
The V3 type of the mapped entity |
|
| fieldMappings |
array of field mappings for the given entity mapping |
EntityMappingType
The V3 type of the mapped entity
| Name | Type | Description |
|---|---|---|
| Account |
string |
User account entity type |
| AzureResource |
string |
Azure resource entity type |
| CloudApplication |
string |
Cloud app entity type |
| DNS |
string |
DNS entity type |
| File |
string |
System file entity type |
| FileHash |
string |
File-hash entity type |
| Host |
string |
Host entity type |
| IP |
string |
IP address entity type |
| MailCluster |
string |
Mail cluster entity type |
| MailMessage |
string |
Mail message entity type |
| Mailbox |
string |
Mailbox entity type |
| Malware |
string |
Malware entity type |
| Process |
string |
Process entity type |
| RegistryKey |
string |
Registry key entity type |
| RegistryValue |
string |
Registry value entity type |
| SecurityGroup |
string |
Security group entity type |
| SubmissionMail |
string |
Submission mail entity type |
| URL |
string |
URL entity type |
EventGroupingAggregationKind
The event grouping aggregation kinds
| Name | Type | Description |
|---|---|---|
| AlertPerResult |
string |
|
| SingleAlert |
string |
EventGroupingSettings
Event grouping settings property bag.
| Name | Type | Description |
|---|---|---|
| aggregationKind |
The event grouping aggregation kinds |
FieldMapping
A single field mapping of the mapped entity
| Name | Type | Description |
|---|---|---|
| columnName |
string |
the column name to be mapped to the identifier |
| identifier |
string |
the V3 identifier of the entity |
FusionAlertRuleTemplate
Represents Fusion alert rule template.
| Name | Type | Description |
|---|---|---|
| id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| kind |
string:
Fusion |
The alert rule kind |
| name |
string |
The name of the resource |
| properties.alertRulesCreatedByTemplateCount |
integer |
the number of alert rules that were created by this template |
| properties.createdDateUTC |
string |
The time that this alert rule template has been added. |
| properties.description |
string |
The description of the alert rule template. |
| properties.displayName |
string |
The display name for alert rule template. |
| properties.lastUpdatedDateUTC |
string |
The time that this alert rule template was last updated. |
| properties.requiredDataConnectors |
The required data connectors for this template |
|
| properties.severity |
The severity for alerts created by this alert rule. |
|
| properties.status |
The alert rule template status. |
|
| properties.tactics |
The tactics of the alert rule template |
|
| properties.techniques |
string[] |
The techniques of the alert rule template |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftSecurityIncidentCreationAlertRuleTemplate
Represents MicrosoftSecurityIncidentCreation rule template.
| Name | Type | Description |
|---|---|---|
| id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| kind |
string:
Microsoft |
The alert rule kind |
| name |
string |
The name of the resource |
| properties.alertRulesCreatedByTemplateCount |
integer |
the number of alert rules that were created by this template |
| properties.createdDateUTC |
string |
The time that this alert rule template has been added. |
| properties.description |
string |
The description of the alert rule template. |
| properties.displayName |
string |
The display name for alert rule template. |
| properties.displayNamesExcludeFilter |
string[] |
the alerts' displayNames on which the cases will not be generated |
| properties.displayNamesFilter |
string[] |
the alerts' displayNames on which the cases will be generated |
| properties.lastUpdatedDateUTC |
string |
The time that this alert rule template was last updated. |
| properties.productFilter |
The alerts' productName on which the cases will be generated |
|
| properties.requiredDataConnectors |
The required data connectors for this template |
|
| properties.severitiesFilter |
the alerts' severities on which the cases will be generated |
|
| properties.status |
The alert rule template status. |
|
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftSecurityProductName
The alerts' productName on which the cases will be generated
| Name | Type | Description |
|---|---|---|
| Azure Active Directory Identity Protection |
string |
|
| Azure Advanced Threat Protection |
string |
|
| Azure Security Center |
string |
|
| Azure Security Center for IoT |
string |
|
| Microsoft Cloud App Security |
string |
ScheduledAlertRuleTemplate
Represents scheduled alert rule template.
| Name | Type | Description |
|---|---|---|
| id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| kind |
string:
Scheduled |
The alert rule kind |
| name |
string |
The name of the resource |
| properties.alertDetailsOverride |
The alert details override settings |
|
| properties.alertRulesCreatedByTemplateCount |
integer |
the number of alert rules that were created by this template |
| properties.createdDateUTC |
string |
The time that this alert rule template has been added. |
| properties.customDetails |
object |
Dictionary of string key-value pairs of columns to be attached to the alert |
| properties.description |
string |
The description of the alert rule template. |
| properties.displayName |
string |
The display name for alert rule template. |
| properties.entityMappings |
Array of the entity mappings of the alert rule |
|
| properties.eventGroupingSettings |
The event grouping settings. |
|
| properties.lastUpdatedDateUTC |
string |
The time that this alert rule template was last updated. |
| properties.query |
string |
The query that creates alerts for this rule. |
| properties.queryFrequency |
string |
The frequency (in ISO 8601 duration format) for this alert rule to run. |
| properties.queryPeriod |
string |
The period (in ISO 8601 duration format) that this alert rule looks at. |
| properties.requiredDataConnectors |
The required data connectors for this template |
|
| properties.severity |
The severity for alerts created by this alert rule. |
|
| properties.status |
The alert rule template status. |
|
| properties.tactics |
The tactics of the alert rule template |
|
| properties.techniques |
string[] |
The techniques of the alert rule template |
| properties.triggerOperator |
The operation against the threshold that triggers alert rule. |
|
| properties.triggerThreshold |
integer |
The threshold triggers this alert rule. |
| properties.version |
string |
The version of this template - in format <a.b.c>, where all are numbers. For example <1.0.2>. |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |
TemplateStatus
The alert rule template status.
| Name | Type | Description |
|---|---|---|
| Available |
string |
Alert rule template is available. |
| Installed |
string |
Alert rule template installed. and can not use more then once |
| NotAvailable |
string |
Alert rule template is not available |
TriggerOperator
The operation against the threshold that triggers alert rule.
| Name | Type | Description |
|---|---|---|
| Equal |
string |
|
| GreaterThan |
string |
|
| LessThan |
string |
|
| NotEqual |
string |