Introduction
This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information.
That is correct. There are no Microsoft Sentinel REST APIs to get the custom hunting queries.
How to get them
So then, how do you get them? Hunting queries are stored as Log Analytics saved searches rather than as analytic rules, so they live under a different resource provider. Instead of the Microsoft Sentinel provider, “Microsoft.SecurityInsights”, you use the Log Analytics provider, “Microsoft.OperationalInsights”.
If you do not know how to set up PowerShell to call the Microsoft Sentinel REST APIs, refer back to Your first Azure Sentinel REST API call – Yet Another Security Blog (garybushey.com)
The URL to get the hunting queries is
https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspace>/savedSearches?api-version=2017-04-26-preview
This returns every saved query in the workspace, not only the hunting queries, so you also need to filter on the “Category” field under “properties” and keep only the entries whose category is “Hunting Queries”.
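Putting the two steps together, here is an added PowerShell example (not code from the original post) that calls the URL above and keeps only the hunting queries. It assumes the Az.Accounts module is installed and you have already run Connect-AzAccount; the subscription, resource group and workspace values are placeholders. The “tactics” tag read at the end is one of the tags Sentinel stores with each hunting query and is handled as optional.

```powershell
# Added example, not from the original post. Assumes Az.Accounts is installed
# and Connect-AzAccount has already been run. Replace the three placeholders.
$subscriptionId = "<subscription>"
$resourceGroup  = "<resourceGroup>"
$workspace      = "<workspace>"

# Bearer token for the Azure Resource Manager endpoint. Recent Az.Accounts
# versions return the token as a SecureString, so handle both shapes.
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new("", $token).Password
}
$headers = @{ Authorization = "Bearer $token" }

# savedSearches lives under the Log Analytics provider (Microsoft.OperationalInsights),
# not under the Sentinel provider (Microsoft.SecurityInsights).
$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       "/resourceGroups/$resourceGroup" +
       "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
       "/savedSearches?api-version=2017-04-26-preview"

$response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

# The listing contains every saved query in the workspace; keep only the
# entries whose Category is "Hunting Queries".
$huntingQueries = $response.value |
    Where-Object { $_.properties.category -eq "Hunting Queries" }

Write-Host ("Found {0} saved queries, {1} of them hunting queries" -f
    @($response.value).Count, @($huntingQueries).Count)

foreach ($hq in $huntingQueries) {
    # Tags are stored as an array of name/value pairs; "tactics" may be absent.
    $tactics = ($hq.properties.tags | Where-Object { $_.name -eq "tactics" }).value

    [PSCustomObject]@{
        Name     = $hq.properties.displayName
        Category = $hq.properties.category
        Tactics  = $tactics
        Query    = $hq.properties.query
    }
}
```

The filter on Category is the important step: the same endpoint also returns the workspace's other saved searches and any functions you have defined, so without it you would pull back far more than the hunting queries.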
Summary
This short blog post shows how to get the custom hunting queries using a REST API. Because it uses a different provider than the other Microsoft Sentinel REST API calls, it can confuse people.