A tale of two … Analytic Rule template APIs

You may have noticed that when you go into your Microsoft Sentinel Analytic rule templates area, you will see a banner like the one shown below:

What does this mean? In short, Microsoft Sentinel will no longer deploy all the Analytic rule templates (as well as Workbook templates, hunting queries, and data connectors) when a new Microsoft Sentinel instance is created. Instead, you will need to deploy Solutions from the Content hub to get these items.

There are some exceptions to this. The Fusion, Microsoft Security, ML Behavior Analytics, and Threat Intelligence rule templates will still be there, but none of the Scheduled rule templates will. Keep in mind that no data connectors are deployed at that point, so there is no data for these rule templates to run against; you will still need to deploy the appropriate solution as well.

So, that brings us to the title of this blog post. The Scheduled Analytic rules are not gone; if you look at the banner, you can still display them. If you run the Alert Rule Template API, shown below, you will see it returns 487 results.

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2023-02-01

Now if I install a solution, for instance “42Crunch Microsoft Sentinel Connector”, which has 11 analytic rules, and re-run the query, I still get 487 rule templates. BTW, I did check whether any of the analytic rule templates from this solution showed up previously in the rule template list, and they didn’t.

This brings up the question: how do we see, via code, the new rule templates we have just installed? There is a new REST API in preview that will show this information. Actually, there are a few new REST APIs, but those will be discussed in a different blog post.

The new REST API to call is:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentTemplates?api-version=2023-06-01-preview

After I run this, I see that I have 13 entries. 13??? The solution has only 11 Analytic Rule templates. What is going on? It turns out this REST API call returns ALL the items that have been installed by solutions, not just the Analytic Rule templates. That can be useful but, again, that is for another blog post 🙂

The good thing is that this REST API accepts optional parameters that let you return just the Analytic Rule templates. This is preferable to filtering in your code, since less data comes back over the wire. To do the filtering, append the following to the end of your REST API call:

&%24filter=(properties%2FcontentKind%20eq%20'AnalyticsRule')

Summary

With the new way Microsoft Sentinel handles templates, there is a new way to get the Analytic Rule templates. It is not clear whether the existing rule template API will be modified in the future to return all the rule templates, so, for now, if you want a list of ALL the rule templates you have, you will need to make two calls.
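Putting the two calls together, as an added example that is not code from the original post: it builds the two URLs shown above (emitting the `$filter` URL-encoded exactly as in the post), follows nextLink paging, and unions the two result sets keyed by resource name so nothing is counted twice. The `fetch` callable, the `make_fake_fetch` stand-in, its response bodies and its nextLink format are constructed for the example; a real caller supplies an authenticated GET against ARM.

```python
# Added example, not from the original post. Builds the two template URLs the
# post shows, follows nextLink paging and unions the results. fetch(url) is an
# assumed callable returning the parsed JSON body; responses below are constructed.
from urllib.parse import quote, urlencode

BASE = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
        "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
        "/providers/Microsoft.SecurityInsights/")

def alert_rule_templates_url(sub, rg, ws):
    """Built-in templates (Fusion, Microsoft Security, ML, TI); no solution content."""
    return BASE.format(sub=sub, rg=rg, ws=ws) + "alertRuleTemplates?api-version=2023-02-01"

def content_templates_url(sub, rg, ws, kind="AnalyticsRule"):
    """Solution-installed content, filtered server-side to one contentKind."""
    query = urlencode({"api-version": "2023-06-01-preview",
                       "$filter": f"(properties/contentKind eq '{kind}')"},
                      quote_via=quote, safe="()'")  # -> &%24filter=(properties%2FcontentKind%20eq%20'AnalyticsRule')
    return BASE.format(sub=sub, rg=rg, ws=ws) + "contentTemplates?" + query

def list_all(fetch, url):
    """Collect every page of an ARM list response by following nextLink."""
    items = []
    while url:
        body = fetch(url)
        items.extend(body.get("value", []))
        url = body.get("nextLink")  # absent on the last page
    return items

def analytic_rule_templates(fetch, sub, rg, ws):
    """Union of both APIs keyed by resource name, so a template that one day
    shows up in both lists is counted once rather than twice."""
    merged = {}
    for source, url in (("alertRuleTemplates", alert_rule_templates_url(sub, rg, ws)),
                        ("contentTemplates", content_templates_url(sub, rg, ws))):
        for item in list_all(fetch, url):
            entry = merged.setdefault(item["name"], {"sources": set()})
            entry["displayName"] = item.get("properties", {}).get("displayName")
            entry["sources"].add(source)
    return merged

def make_fake_fetch(sub="sub0", rg="rg0", ws="ws0"):
    """Constructed stand-in for an authenticated GET: two legacy pages plus one solution rule."""
    legacy, preview = alert_rule_templates_url(sub, rg, ws), content_templates_url(sub, rg, ws)
    pages = {
        legacy: {"value": [{"name": "fusion-1", "properties": {"displayName": "Fusion (constructed)"}}],
                 "nextLink": legacy + "&page=2"},  # nextLink format is constructed, not ARM's
        legacy + "&page=2": {"value": [{"name": "ti-1", "properties": {"displayName": "TI rule (constructed)"}}]},
        preview: {"value": [{"name": "sol-1", "properties": {"displayName": "Solution rule (constructed)",
                                                            "contentKind": "AnalyticsRule"}}]},
    }
    return lambda url: pages[url]
```

Against a live workspace, replace `make_fake_fetch()` with a function that does `requests.get(url, headers={"Authorization": f"Bearer {token}"}).json()` using an ARM access token.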
