How to Get a List of Your Active Analytics Rules for Microsoft Sentinel

Though I’ve used the Workspace Usage Report Workbook a hundred times or more, I’ve never quite identified this little treasure myself.

There’s a number of times that customers ask for a way to quickly get a list of their enabled Analytics Rules. There are ways of doing this using the API and PowerShell, but the Workspace Usage Report Workbook has the capability if you know where to look.

Getting there…

In the Workbook, jump over to the Regular Checks (D/W/M) tab and then the Weekly tab below.

Once there, traverse down the page of content to the Active Rules via Rest API module. Over to the right there’s a download arrow. Click it to download a .csv file containing the results.

Make your list

Alternatively, you can also download a list of all the Analytics Rule templates using the Rule Templates via Rest API module.

The list looks like the following:

The csv file

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]

Author