How to Get a List of Your Active Analytics Rules for Azure Sentinel

OK…to start, I admit that I stole this thought directly from my buddy Clive Watson. He expertly responded (as always) to a recent thread with this solution.

Though I’ve used the Workspace Usage Report Workbook a hundred times or more, I’ve never quite identified this little treasure myself. So, it’s awesome that Clive exposed this. I love learning new things. Of course, it helps that Clive is the inventor/creator of this Workbook.

So, there are a number of times that customers ask for a way to quickly get a list of their enabled Analytics Rules. There are ways of doing this using the API and PowerShell, but the Workspace Usage Report Workbook has the capability if you know where to look.

Getting there…

In the Workbook, jump over to the Regular Checks (D/W/M) tab and then the Weekly tab below.

Once there, scroll down the page to the Active Rules via Rest API module. Over to the right there’s a download arrow. Click it to download a .csv file containing the results.

Make your list

Alternatively, you can also download a list of all the Analytics Rule templates using the Rule Templates via Rest API module.

The list looks like the following:

The csv file
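
For the API and PowerShell route mentioned above, here is an added example (not from the original post or the Workbook) that pulls the rules from the Azure Sentinel alertRules REST endpoint and writes the enabled ones to a .csv file. It assumes the Az.Accounts module, a session signed in with Connect-AzAccount, and API version 2023-02-01; the subscription, resource group, workspace and output file names are placeholders.

```powershell
# Added example: list enabled Analytics Rules through the ARM REST API.
# Assumes Az.Accounts is installed and Connect-AzAccount has been run.
# The three values below are placeholders; replace them with your own.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspaceName  = '<workspace-name>'

$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName" +
        "/providers/Microsoft.SecurityInsights/alertRules?api-version=2023-02-01"

# Collect every page of results; the API returns nextLink when more remain.
$rules    = @()
$response = Invoke-AzRestMethod -Path $path -Method GET
while ($true) {
    if ($response.StatusCode -ne 200) {
        throw "Request failed with HTTP $($response.StatusCode): $($response.Content)"
    }
    $page   = $response.Content | ConvertFrom-Json
    $rules += $page.value
    if (-not $page.nextLink) { break }
    $response = Invoke-AzRestMethod -Uri $page.nextLink -Method GET
}

# Keep only enabled rules and flatten the fields worth reviewing.
$rules |
    Where-Object { $_.properties.enabled } |
    Select-Object @{n = 'DisplayName'; e = { $_.properties.displayName } },
                  @{n = 'Kind';        e = { $_.kind } },
                  @{n = 'Severity';    e = { $_.properties.severity } },
                  @{n = 'Tactics';     e = { $_.properties.tactics -join ';' } },
                  @{n = 'RuleId';      e = { $_.name } } |
    Sort-Object DisplayName |
    Export-Csv -Path .\ActiveAnalyticsRules.csv -NoTypeInformation
```

Dropping the Where-Object filter exports disabled rules as well, which is useful when checking for detections that were switched off and never re-enabled.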

