How to find the creation date of each analytical rule on Sentinel

Evangelos Spatharas (CP,UK) 20 Reputation points
2024-06-07T10:28:09.6+00:00

Hi all,

I am aiming to find the number of new analytical rules created per month, as well as the existing total per month, on Sentinel for the last 2 months and present it in a Sentinel workbook.

To achieve this, I am considering REST calls against Resource Manager "Alert rules - List" as described on the following link: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2024-03-01&tabs=HTTP#systemdata

My problem is that a response from this endpoint carries only the "lastModifiedUtc" key, but not the "createdAt" which I am interested in. Looking further into the same link, there is a section "systemData" which refers to "createdAt" as metadata.

Could you help me as to how I would be able to reach that metadata and map it to a specific rule?

Note that I do not have access to the SentinelAudit table, from which I would be able to find a partial solution on the number of rules created, but not the existing total.


Accepted answer
  1. Clive Watson 5,951 Reputation points MVP
    2024-06-07T14:07:49.43+00:00

    This data has always been missing; the solution I used is in the "Workspace Usage" Workbook (look under [Regular Checks] --> Weekly --> Rules) - sorry, it's nested in lots of groups, if you go looking for the code.


    1st query:

    /subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRuleTemplates

    then

    /subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}/providers/Microsoft.SecurityInsights/AlertRules

    then use a merge to join them - this does assume you are deploying from the Sentinel GitHub.

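As an added example (not code from the question, the accepted answer or Microsoft), the Python script below puts the answer's two-list merge together with the systemData.createdAt field the question asks about: for each rule it takes systemData.createdAt when the AlertRules response carries it, otherwise the createdDateUTC of the matching entry in the AlertRuleTemplates list (the answer's join, keyed on alertRuleTemplateName), otherwise lastModifiedUtc, and then builds the per-month "new" and "existing total" rows the question wants for a workbook. The two JSON payloads are constructed sample data shaped like the ARM list responses; the createdDateUTC template property, the exact shape of systemData and the fetch helper (shown only to illustrate nextLink paging, not run here) are assumptions.

```python
"""Monthly 'new' and 'existing total' analytics-rule counts from ARM list responses.
Added example for this thread; sample JSON below is constructed, not real workspace output."""
import json
import re
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2024-03-01"  # api-version from the docs link in the question
# List URL from the accepted answer (workbook placeholders kept); templates use /AlertRuleTemplates.
RULES_URL = ("https://management.azure.com/subscriptions/{Subscription:id}/resourceGroups/{resourceGroup}"
             "/providers/Microsoft.OperationalInsights/workspaces/{Workspace:name}"
             "/providers/Microsoft.SecurityInsights/AlertRules?api-version=" + API_VERSION)

# Constructed sample: four rules, two of which carry systemData.createdAt (assumed shape).
ALERT_RULES_JSON = json.dumps({"value": [
    {"name": "rule-1", "kind": "Scheduled",
     "properties": {"displayName": "Sample rule 1", "alertRuleTemplateName": "tmpl-aaaa",
                    "lastModifiedUtc": "2024-05-20T08:00:00Z"},
     "systemData": {"createdAt": "2024-04-03T09:15:00.123Z"}},
    {"name": "rule-2", "kind": "Scheduled",
     "properties": {"displayName": "Sample rule 2", "alertRuleTemplateName": "tmpl-bbbb",
                    "lastModifiedUtc": "2024-06-02T11:00:00Z"}},
    {"name": "rule-3", "kind": "Scheduled",
     "properties": {"displayName": "Sample rule 3 (custom, no template)",
                    "lastModifiedUtc": "2024-06-01T07:30:00Z"}},
    {"name": "rule-4", "kind": "Fusion",
     "properties": {"displayName": "Sample rule 4", "alertRuleTemplateName": "tmpl-aaaa",
                    "lastModifiedUtc": "2024-05-28T16:45:00Z"},
     "systemData": {"createdAt": "2024-05-28T16:45:00Z"}},
]})
# Constructed templates; createdDateUTC is assumed to be the template's creation timestamp.
ALERT_RULE_TEMPLATES_JSON = json.dumps({"value": [
    {"name": "tmpl-aaaa", "properties": {"createdDateUTC": "2023-01-10T00:00:00Z"}},
    {"name": "tmpl-bbbb", "properties": {"createdDateUTC": "2024-05-12T00:00:00Z"}},
]})

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})?$")


def parse_utc(ts):
    """Parse an ARM timestamp; fractional seconds are dropped, a missing offset means UTC."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    offset = (m.group(2) or "Z").replace("Z", "+00:00")
    return datetime.fromisoformat(m.group(1) + offset).astimezone(timezone.utc)


def rule_created_at(rule, templates_by_name):
    """Best available creation time for one rule plus the field it came from.
    Preference: systemData.createdAt (exact) > template createdDateUTC (the answer's merge;
    a lower bound, as a rule may be enabled long after its template shipped) > lastModifiedUtc."""
    created = rule.get("systemData", {}).get("createdAt")
    if created:
        return parse_utc(created), "systemData.createdAt"
    tmpl = templates_by_name.get(rule["properties"].get("alertRuleTemplateName"))
    if tmpl and tmpl["properties"].get("createdDateUTC"):
        return parse_utc(tmpl["properties"]["createdDateUTC"]), "template.createdDateUTC"
    return parse_utc(rule["properties"]["lastModifiedUtc"]), "lastModifiedUtc"


def last_n_months(as_of, n):
    """'YYYY-MM' keys for the n months ending with the month of as_of, oldest first."""
    year, month, keys = as_of.year, as_of.month, []
    for _ in range(n):
        keys.append(f"{year:04d}-{month:02d}")
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return keys[::-1]


def monthly_counts(rules, templates, as_of, n_months=2):
    """Per month: rules created in that month and rules existing at the month's end.
    Only rules still in the list are counted; deleted rules are invisible here (that is what
    the SentinelAudit table would add), so 'total' is a current-survivors view."""
    templates_by_name = {t["name"]: t for t in templates}
    created_keys = [rule_created_at(r, templates_by_name)[0].strftime("%Y-%m") for r in rules]
    return [{"month": key,
             "new": sum(1 for k in created_keys if k == key),
             "total": sum(1 for k in created_keys if k <= key)}  # 'YYYY-MM' sorts as text
            for key in last_n_months(as_of, n_months)]


def fetch_arm_list(url, bearer_token):
    """Fetch every page of an ARM list, following nextLink. Network call; not used by the sample run."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer_token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def load_sample():
    """The constructed sample, parsed exactly as live responses would be."""
    return json.loads(ALERT_RULES_JSON)["value"], json.loads(ALERT_RULE_TEMPLATES_JSON)["value"]


if __name__ == "__main__":
    rules, templates = load_sample()
    for row in monthly_counts(rules, templates, parse_utc("2024-06-07T10:28:09.6+00:00")):
        print(row)
```

Run against the constructed sample as of the question's date, the script yields two rows, 2024-05 (2 new, 3 existing) and 2024-06 (1 new, 4 existing); the second element returned by rule_created_at tells you which of the three fields each count rests on, which is worth carrying into the workbook so that template-derived and lastModifiedUtc-derived months are not read as exact creation dates.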