az sentinel alert-rule list command does not return the expected number of alert rules
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
az sentinel alert-rule list command does not return the expected number of alert rules. From the portal, we see that we have 181 alert rules enabled, but the az command only returns 143. This is true when using the Azure REST API directly as well.
To Reproduce
- See the number of alert rules enabled from Microsoft Sentinel in the Azure portal.
- Request the number of alert rules via the Azure CLI or via the Azure REST API:
```powershell
# List the workspace's Sentinel alert rules through the ARM REST API (stable api-version)
$url = "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<rg_name>/providers/Microsoft.OperationalInsights/workspaces/<workspace_name>/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01"
$method = "GET"
# Acquire a bearer token for Azure Resource Manager
$token = Get-AzAccessToken -ResourceUrl "https://management.azure.com/"
$token = $token.Token
$headers = @{Authorization = "Bearer $token"}
$response = Invoke-RestMethod -Uri $url -Method $method -Headers $headers
# Number of alert rules returned by the API
$response.value.Count
```
Expected behavior
The number of alert-rules should be equal.
Routing to service team.
Thank you. When can I expect an answer?
Any updates on this? I tested and it looks like it's fixed in the 2021-10-01-preview of the REST API. Any idea when the preview will be merged into the stable and Azure CLI will support it?
After some digging, I found that the missing alert rules are of the type 'Anomaly'. According to this article, these rules are automatically added to the Sentinel configuration:
"In public preview, all built-in anomaly rules are enabled by default in your workspace. Even though all anomaly rules are enabled, only those anomaly rules that have the required data in your workspace will fire anomalies."
However, these alert-rules are (still) not returned with the command az sentinel alert-rule list.
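The comparison described in the comments above (rules returned by the stable API version versus the 2021-10-01-preview version), as an added example that is not part of the original thread. The function names, the `$fetch` stub and every rule name are constructed for illustration; it assumes each rule object carries `name` and `kind` properties, and it follows the ARM `nextLink` field so that paging is ruled out as the cause of a short count.

```powershell
# Added example, not code from the issue. All rule names and kinds are constructed.

# Collect every item of a paged ARM list response by following nextLink.
function Get-AllPages {
    param([scriptblock]$Fetch, [string]$Url)
    $items = @()
    while ($Url) {
        $page   = & $Fetch $Url
        $items += @($page.value)
        $Url    = $page.nextLink   # missing on the last page, which ends the loop
    }
    return $items
}

# Rules present in $Reference but absent from $Candidate, counted per kind.
function Get-MissingRulesByKind {
    param([object[]]$Reference, [object[]]$Candidate)
    $seen = @{}
    foreach ($r in $Candidate) { $seen[$r.name] = $true }
    $Reference |
        Where-Object { -not $seen.ContainsKey($_.name) } |
        Group-Object -Property kind |
        Select-Object @{n='Kind';e={$_.Name}}, Count, @{n='Rules';e={$_.Group.name -join ', '}}
}

# Constructed responses keyed by URL. Against a real workspace, $fetch would be
# { param($u) Invoke-RestMethod -Uri $u -Method GET -Headers $headers }
$pages = @{
    'stable'        = [pscustomobject]@{ nextLink = 'stable?page=2'; value = @(
        [pscustomobject]@{ name = 'rule-001'; kind = 'Scheduled' }
        [pscustomobject]@{ name = 'rule-002'; kind = 'Fusion' }) }
    'stable?page=2' = [pscustomobject]@{ value = @(
        [pscustomobject]@{ name = 'rule-003'; kind = 'Scheduled' }) }
    'preview'       = [pscustomobject]@{ value = @(
        [pscustomobject]@{ name = 'rule-001'; kind = 'Scheduled' }
        [pscustomobject]@{ name = 'rule-002'; kind = 'Fusion' }
        [pscustomobject]@{ name = 'rule-003'; kind = 'Scheduled' }
        [pscustomobject]@{ name = 'rule-004'; kind = 'Anomaly' }
        [pscustomobject]@{ name = 'rule-005'; kind = 'Anomaly' }) }
}
$fetch = { param($u) $pages[$u] }

$stable  = Get-AllPages -Fetch $fetch -Url 'stable'
$preview = Get-AllPages -Fetch $fetch -Url 'preview'
Get-MissingRulesByKind -Reference $preview -Candidate $stable
```

Grouping the difference by `kind` shows whether the gap is concentrated in a single rule type, which is the pattern reported in the last comment.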