Microsoft Sentinel · Capability

Microsoft Sentinel REST API — AlertRules

Microsoft Sentinel REST API — AlertRules. 4 operations. Lead operation: List alert rules. Self-contained Naftiko capability covering one Microsoft Sentinel business surface.

Run with Naftiko Microsoft SentinelAlertRules

What You Can Do

GET
Listalertrules — List alert rules
/v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules
GET
Getalertrule — Get alert rule
/v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules/{ruleid}
PUT
Createorupdatealertrule — Create or update alert rule
/v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules/{ruleid}
DELETE
Deletealertrule — Delete alert rule
/v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules/{ruleid}

MCP Tools

list-alert-rules

List alert rules

read-only idempotent
get-alert-rule

Get alert rule

read-only idempotent
create-update-alert-rule

Create or update alert rule

idempotent
delete-alert-rule

Delete alert rule

idempotent

Capability Spec

microsoft-sentinel-alertrules.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Microsoft Sentinel REST API — AlertRules
  description: 'Microsoft Sentinel REST API — AlertRules. 4 operations. Lead operation: List alert rules. Self-contained Naftiko
    capability covering one Microsoft Sentinel business surface.'
  tags:
  - Microsoft Sentinel
  - AlertRules
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    MICROSOFT_SENTINEL_API_KEY: MICROSOFT_SENTINEL_API_KEY
capability:
  consumes:
  - type: http
    namespace: microsoft-sentinel-alertrules
    baseUri: https://management.azure.com
    description: Microsoft Sentinel REST API — AlertRules business capability. Self-contained, no shared references.
    resources:
    - name: subscriptions-subscriptionId-resourceGroups-resourceGroupName-providers-Microsof
      path: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules
      operations:
      - name: listalertrules
        method: GET
        description: List alert rules
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: subscriptions-subscriptionId-resourceGroups-resourceGroupName-providers-Microsof
      path: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}
      operations:
      - name: getalertrule
        method: GET
        description: Get alert rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createorupdatealertrule
        method: PUT
        description: Create or update alert rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deletealertrule
        method: DELETE
        description: Delete alert rule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: bearer
      token: '{{env.MICROSOFT_SENTINEL_API_KEY}}'
  exposes:
  - type: rest
    namespace: microsoft-sentinel-alertrules-rest
    port: 8080
    description: REST adapter for Microsoft Sentinel REST API — AlertRules. One Spectral-compliant resource per consumed operation,
      prefixed with /v1.
    resources:
    - path: /v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules
      name: subscriptions-subscriptionid-resourcegroups-resourcegroupname-providers-microsof
      description: REST surface for subscriptions-subscriptionId-resourceGroups-resourceGroupName-providers-Microsof.
      operations:
      - method: GET
        name: listalertrules
        description: List alert rules
        call: microsoft-sentinel-alertrules.listalertrules
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft-operationalinsights/workspaces/{workspacename}/providers/microsoft-securityinsights/alertrules/{ruleid}
      name: subscriptions-subscriptionid-resourcegroups-resourcegroupname-providers-microsof
      description: REST surface for subscriptions-subscriptionId-resourceGroups-resourceGroupName-providers-Microsof.
      operations:
      - method: GET
        name: getalertrule
        description: Get alert rule
        call: microsoft-sentinel-alertrules.getalertrule
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: createorupdatealertrule
        description: Create or update alert rule
        call: microsoft-sentinel-alertrules.createorupdatealertrule
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletealertrule
        description: Delete alert rule
        call: microsoft-sentinel-alertrules.deletealertrule
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: microsoft-sentinel-alertrules-mcp
    port: 9090
    transport: http
    description: MCP adapter for Microsoft Sentinel REST API — AlertRules. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: list-alert-rules
      description: List alert rules
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: microsoft-sentinel-alertrules.listalertrules
      outputParameters:
      - type: object
        mapping: $.
    - name: get-alert-rule
      description: Get alert rule
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: microsoft-sentinel-alertrules.getalertrule
      outputParameters:
      - type: object
        mapping: $.
    - name: create-update-alert-rule
      description: Create or update alert rule
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: microsoft-sentinel-alertrules.createorupdatealertrule
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-alert-rule
      description: Delete alert rule
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: microsoft-sentinel-alertrules.deletealertrule
      outputParameters:
      - type: object
        mapping: $.