
Finding classic automation in Sentinel analytics

George Zerphey 181 Reputation points
2024-05-15T18:59:30.75+00:00

I have the ability to search through ARM templates for the Sentinel analytics and I'm hoping to find a way to detect the use of classic alert automation. Does anyone know what I should be searching for in the ARM template? We have not used this method, but apparently some of our clients have.

Any information would be helpful.

Thank you,

Microsoft Security | Microsoft Sentinel

1 answer

  1. Anonymous
    2024-05-15T19:55:01.7333333+00:00

    Hi @George Zerphey , you can search for the following API operations in the ARM template:

    • Microsoft.Insights/AlertRules/Write
    • Microsoft.Insights/AlertRules/Delete
    • Microsoft.Insights/AlertRules/Read
    • Microsoft.Insights/AlertRules/Activated/Action
    • Microsoft.Insights/AlertRules/Resolved/Action
    • Microsoft.Insights/AlertRules/Throttled/Action
    • Microsoft.Insights/AlertRules/Incidents/Read

    If any of these operations are present in the ARM template, it indicates that classic alert automation is being used. You can also check for the presence of the "classic" keyword in the ARM template, as this may indicate the use of classic alert automation as well.

    Please let me know if you have any questions and I can help you further!

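The search the answer above describes can be automated rather than done by hand. The script below is an added example, not code from the question, the answer, or Microsoft: it walks an exported ARM template as JSON, checks every key and string value for the operation names listed in the answer and for the word "classic", and reports the JSON path of each hit so the resource can be reviewed. The template embedded in the block is a constructed, simplified sample; the resource layout it uses (an `actions` array with an `operation` field) is an assumption for illustration, not a documented Sentinel schema.

```python
"""Scan an ARM template for the classic alert automation indicators named in the answer above.

Added example; the indicator lists come from the answer, the sample template is constructed.
"""
import json
import re
import sys
from typing import Any, Iterator

# Operation names quoted in the answer above.
OPERATION_INDICATORS = (
    "Microsoft.Insights/AlertRules/Write",
    "Microsoft.Insights/AlertRules/Delete",
    "Microsoft.Insights/AlertRules/Read",
    "Microsoft.Insights/AlertRules/Activated/Action",
    "Microsoft.Insights/AlertRules/Resolved/Action",
    "Microsoft.Insights/AlertRules/Throttled/Action",
    "Microsoft.Insights/AlertRules/Incidents/Read",
)
# Keyword the answer suggests checking for, matched as a whole word.
KEYWORD_INDICATORS = ("classic",)


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, text) for every key and every string value in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_classic_indicators(template: dict) -> list[dict]:
    """Return one record per matching key/value: where it was found, which indicator, and the text."""
    hits = []
    for path, text in _walk(template):
        lowered = text.lower()
        for op in OPERATION_INDICATORS:
            if op.lower() in lowered:
                hits.append({"path": path, "indicator": op, "text": text})
        for kw in KEYWORD_INDICATORS:
            if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
                hits.append({"path": path, "indicator": kw, "text": text})
    return hits


def scan_file(filename: str) -> list[dict]:
    """Load an exported ARM template from disk and scan it."""
    with open(filename, encoding="utf-8") as fh:
        return find_classic_indicators(json.load(fh))


# Constructed sample template: one rule with no indicators, one rule that trips both checks.
# The "actions"/"operation" layout is an assumption made for this example only.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.SecurityInsights/alertRules",
            "name": "rule-modern",
            "properties": {"displayName": "Suspicious sign-in", "enabled": True},
        },
        {
            "type": "Microsoft.SecurityInsights/alertRules",
            "name": "rule-legacy",
            "properties": {
                "displayName": "Legacy rule with classic automation",
                "actions": [{"operation": "Microsoft.Insights/AlertRules/Activated/Action"}],
            },
        },
    ],
}


if __name__ == "__main__":
    # Pass one or more template files on the command line; with none, scan the built-in sample.
    results = []
    for name in sys.argv[1:]:
        results.extend(scan_file(name))
    if not sys.argv[1:]:
        results = find_classic_indicators(SAMPLE_TEMPLATE)
    for hit in results:
        print(f"{hit['path']}: matched '{hit['indicator']}' in {hit['text']!r}")
```

Run it against the templates exported for each client workspace and review every reported path; a "classic" keyword hit on its own is only a prompt to look closer, since the word can appear in unrelated display names.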
