![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 31%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGZ%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,004 questions
Hi @George Zerphey , you can search for the following API operations in the ARM template:
- Microsoft.Insights/AlertRules/Write
- Microsoft.Insights/AlertRules/Delete
- Microsoft.Insights/AlertRules/Read
- Microsoft.Insights/AlertRules/Activated/Action
- Microsoft.Insights/AlertRules/Resolved/Action
- Microsoft.Insights/AlertRules/Throttled/Action
- Microsoft.Insights/AlertRules/Incidents/Read
If any of these operations are present in the ARM template, it indicates that classic alert automation is being used. You can also check for the presence of the "classic" keyword in the ARM template, as this may indicate the use of classic alert automation as well.
Please let me know if you have any questions and I can help you further!