Compartir a través de

Security ML Analytics Settings - Get

Service:
Sentinel
API Version:
2025-03-01

Gets the Security ML Analytics Settings.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}?api-version=2025-03-01

URI Parameters

Name In Required Type Description
resourceGroupName
 path True

string

minLength: 1
maxLength: 90

The name of the resource group. The name is case insensitive.
settingsResourceName
 path True

string

Security ML Analytics Settings resource name
subscriptionId
 path True

string (uuid)

The ID of the target subscription. The value must be an UUID.
workspaceName
 path True

string

minLength: 1
maxLength: 90
pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

The name of the workspace.
api-version
 query True

string

minLength: 1

The API version to use for this operation.

Responses

Name Type Description
200 OK SecurityMLAnalyticsSetting:

AnomalySecurityMLAnalyticsSettings

OK
Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get a Anomaly Security ML Analytics Settings.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/myFirstAnomalySettings?api-version=2025-03-01

Sample response

Status code:
200 
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/f209187f-1d17-4431-94af-c141bf5f23db",
  "name": "f209187f-1d17-4431-94af-c141bf5f23db",
  "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
  "type": "Microsoft.SecurityInsights/securityMLAnalyticsSettings",
  "kind": "Anomaly",
  "properties": {
    "displayName": "Login from unusual region",
    "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.",
    "enabled": true,
    "lastModifiedUtc": "2021-10-20T13:13:11.5340061Z",
    "requiredDataConnectors": [
      {
        "connectorId": "AWS",
        "dataTypes": [
          "AWSCloudTrail"
        ]
      }
    ],
    "tactics": [
      "Exfiltration",
      "CommandAndControl"
    ],
    "techniques": [
      "T1037",
      "T1021"
    ],
    "anomalyVersion": "1.0.5",
    "customizableObservations": {
      "multiSelectObservations": null,
      "singleSelectObservations": [
        {
          "supportedValues": [
            "Palo Alto Networks",
            "Fortinet",
            "Check Point"
          ],
          "value": [
            "Palo Alto Networks"
          ],
          "supportedValuesKql": null,
          "valuesKql": null,
          "name": "Device vendor",
          "description": "Select device vendor of network connection logs from CommonSecurityLog",
          "sequenceNumber": 1,
          "rerun": "RerunAlways"
        }
      ],
      "prioritizeExcludeObservations": null,
      "thresholdObservations": [
        {
          "minimum": "1",
          "maximum": "100",
          "value": "25",
          "name": "Daily data transfer threshold in MB",
          "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value",
          "sequenceNumber": 1,
          "rerun": "RerunAlways"
        },
        {
          "minimum": "2",
          "maximum": "10",
          "value": "3",
          "name": "Number of standard deviations",
          "description": "Triggers anomalies when number of standard deviations is greater than the chosen value",
          "sequenceNumber": 2,
          "rerun": "RerunAlways"
        }
      ],
      "singleValueObservations": null
    },
    "frequency": "PT1H",
    "settingsStatus": "Production",
    "isDefaultSettings": true,
    "anomalySettingsVersion": 0,
    "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db"
  }
}

Definitions

Name Description
AnomalySecurityMLAnalyticsSettings

Represents Anomaly Security ML Analytics Settings
AttackTactic

The severity for alerts created by this alert rule.
CloudError

Error response structure.
CloudErrorBody

Error details.
createdByType

The type of identity that created the resource.
SecurityMLAnalyticsSettingsDataSource

security ml analytics settings data sources
SettingsStatus

The anomaly SecurityMLAnalyticsSettings status
systemData

Metadata pertaining to creation and last modification of the resource.

AnomalySecurityMLAnalyticsSettings

Object

Represents Anomaly Security ML Analytics Settings

Name Type Description
etag

string

Etag of the azure resource
id

string (arm-id)

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
kind string:

Anomaly

The kind of security ML Analytics Settings
name

string

The name of the resource
properties.anomalySettingsVersion

integer (int32)

The anomaly settings version of the Anomaly security ml analytics settings that dictates whether job version gets updated or not.
properties.anomalyVersion

string

The anomaly version of the AnomalySecurityMLAnalyticsSettings.
properties.customizableObservations

object

The customizable observations of the AnomalySecurityMLAnalyticsSettings.
properties.description

string

The description of the SecurityMLAnalyticsSettings.
properties.displayName

string

The display name for settings created by this SecurityMLAnalyticsSettings.
properties.enabled

boolean

Determines whether this settings is enabled or disabled.
properties.frequency

string (duration)

The frequency that this SecurityMLAnalyticsSettings will be run.
properties.isDefaultSettings

boolean

Determines whether this anomaly security ml analytics settings is a default settings
properties.lastModifiedUtc

string (date-time)

The last time that this SecurityMLAnalyticsSettings has been modified.
properties.requiredDataConnectors

SecurityMLAnalyticsSettingsDataSource[]

The required data sources for this SecurityMLAnalyticsSettings
properties.settingsDefinitionId

string (uuid)

The anomaly settings definition Id
properties.settingsStatus

SettingsStatus

The anomaly SecurityMLAnalyticsSettings status
properties.tactics

AttackTactic[]

The tactics of the SecurityMLAnalyticsSettings
properties.techniques

string[]

The techniques of the SecurityMLAnalyticsSettings
systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.
type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AttackTactic

Enumeration

The severity for alerts created by this alert rule.

Value Description
Collection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
ImpairProcessControl
InhibitResponseFunction
InitialAccess
LateralMovement
Persistence
PreAttack
PrivilegeEscalation
Reconnaissance
ResourceDevelopment

CloudError

Object

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Object

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
message

string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

Enumeration

The type of identity that created the resource.

Value Description
Application
Key
ManagedIdentity
User

SecurityMLAnalyticsSettingsDataSource

Object

security ml analytics settings data sources

Name Type Description
connectorId

string

The connector id that provides the following data types
dataTypes

string[]

The data types used by the security ml analytics settings

SettingsStatus

Enumeration

The anomaly SecurityMLAnalyticsSettings status

Value Description
Flighting

Anomaly settings status in Flighting mode
Production

Anomaly settings status in Production mode

systemData

Object

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string (date-time)

The timestamp of resource creation (UTC).
createdBy

string

The identity that created the resource.
createdByType

createdByType

The type of identity that created the resource.
lastModifiedAt

string (date-time)

The timestamp of resource last modification (UTC)
lastModifiedBy

string

The identity that last modified the resource.
lastModifiedByType

createdByType

The type of identity that last modified the resource.