Find creation date of custom analytical rule created in Sentinel

Question

Hi all,

I am aiming to find the number of new analytical rules created per month (including custom as well as from github deployed), as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook.

How could I query systemData table from ARM (as defined here: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2024-03-01&tabs=HTTP#systemdata) in order to map the createdAt to custom/gituhub/etc. deployed rules?

Regards,

Ev

Answer 1

@Ev s

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking to find custom analytical rule creation date in Sentinel.

Please do correct me if this is not the case by responding in the comments section.

You could use the built in query from the documentation by hitting "Try it" and get the alert ID:

The systemData tablewould return Azure Resource Manager metadata containing createdBy and modifiedBy information. The created by info is stored for templates and not rules, hence it could not be fetched. Would recommend to go by template creation date or by last modified date.

Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer", This will help us and others in the community as well.

Thanks,

Akshay Kaushik