Authenticate with Entra ID using a service principal and obtain a token for the Azure management audience (management.azure.com).
List existing alert rules with GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2025-09-01.
Create or update a scheduled analytics rule with PUT to the same base path appended with /{ruleId}, supplying a JSON body with kind, displayName, query, queryFrequency, queryPeriod, triggerOperator, triggerThreshold, severity, and tactics fields.
Enable or disable a rule by PATCHing the enabled property on the rule object.
Export rules to ARM JSON for GitOps: retrieve each rule via GET, strip read-only fields, and store the body as a parameterized ARM template in version control.
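The five steps above as one added example in Python (standard library only; not code from the page or from Microsoft): it builds the collection and per-rule URLs, assembles the Scheduled-rule PUT body with the listed fields nested under properties as the Azure resource API expects, rejects malformed ISO 8601 durations before anything is sent, performs the bearer-token PUT, and strips server-populated fields when exporting a fetched rule to a workspace-parameterized ARM template. Obtaining the token is left to the caller; the set of read-only fields and the ARM parameter name are assumptions.

```python
import json
import re
from urllib.request import Request, urlopen

API_VERSION = "2025-09-01"
# ISO 8601 duration as the rule fields expect it: optional days, optional time part (PT5M, P1D, PT1H30M).
ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")
READ_ONLY = {"id", "name", "type", "etag", "systemData"}  # assumption: server-populated, never PUT back

def rules_url(subscription_id, resource_group, workspace, rule_id=None):
    """Collection URL for GET, or the single-rule URL for GET/PUT when rule_id is given."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
           f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights/alertRules")
    if rule_id:
        url += f"/{rule_id}"
    return f"{url}?api-version={API_VERSION}"

def scheduled_rule_body(display_name, query, frequency, period, threshold,
                        severity, tactics, enabled=True, operator="GreaterThan"):
    """Build the PUT body for a Scheduled rule; a malformed duration is rejected here
    because some API versions accept it silently and the rule then never fires."""
    for field, value in (("queryFrequency", frequency), ("queryPeriod", period)):
        if not ISO_DURATION.match(value):
            raise ValueError(f"{field}={value!r} is not an ISO 8601 duration like PT5M")
    return {"kind": "Scheduled", "properties": {
        "displayName": display_name, "enabled": enabled, "query": query,
        "queryFrequency": frequency, "queryPeriod": period,
        "triggerOperator": operator, "triggerThreshold": threshold,
        "severity": severity, "tactics": tactics}}

def put_rule(token, url, body):
    """PUT the rule using a token issued for the management.azure.com audience."""
    req = Request(url, data=json.dumps(body).encode(), method="PUT",
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)

def to_arm_template(rule, rule_id):
    """Turn a rule fetched via GET into an ARM template parameterized on the workspace name."""
    body = {k: v for k, v in rule.items() if k not in READ_ONLY}
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {"workspace": {"type": "string"}},
            "resources": [{
                "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
                "apiVersion": API_VERSION,
                "name": f"[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', '{rule_id}')]",
                **body}]}
```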
Known gotchas
API versions change regularly; transition to api-version 2025-09-01 or later before June 2026 to avoid service disruption on repository-connection APIs.
The queryFrequency and queryPeriod fields use ISO 8601 duration strings (e.g., PT5M); malformed durations fail silently on some older API versions and produce no detection.
Analytics rules that reference custom tables require the table to already exist in the workspace; deploying the rule before the table causes the rule to be created in a disabled or errored state.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp