This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 67%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
As a MSSP for Microsoft Sentinel we have the Defender MDO Data connectors enabled and we're creating Incidents based on the Alerts that are created from each of the different MDO's
What I am in need of is to get a list of the Analytic Rules that exist in each of the above Security Rule Types.
To extract the list of Analytics rules from each of the above-mentioned Microsoft Defender products, you can utilize the Azure Sentinel REST API or Azure PowerShell cmdlets.
Get-AzSentinelAlertRule -ResourceGroupName 'your_resource_group' -WorkspaceName 'your_workspace_name'
This will return a list of all Analytic Rules present in the workspace. This list will contain rules from all data sources (not just Defender products). If you want to filter out rules related to only Microsoft Defender products, you'll have to inspect each rule's details to see what data source it's associated with.
Unfortunately the use cases I'm looking for do not exist in the Workspace so I'm not able to export them this way.
Each of these solutions takes a slightly different approach to alert rule transparency. Many like MDI and MDFC have a published alerts list in the official documentation. In some cases, the alert names are dynamic or considered proprietary. For most of these solutions, the criteria are considered proprietary or the result of dynamic processes. Sentinel rules are fully customizable and you can see all of the deployed rules and templates including the criteria. Though a majority of the incidents seen in Sentinel are forwarded from other solutions like MDE where the rule logic resides.
You could come up with your own list, if you just need a distinct list of incident titles. For example, query the past 90 days of incidents in Sentinel. Maybe create a playbook to keep a running list of every distinct incident name in a watchlist as they are encountered.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
you'd think the associated apis would allow a read only request for enabled and available rules/policies. good enhancement request.
@David Broggy Does this mean that it isn't possible???
<insert crying man here>