diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index 4b145bde9de1..a577e19acf52 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -786,60 +786,6 @@ "value" ] }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, "FusionAlertRule": { "allOf": [ { @@ -885,14 +831,14 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule.", "readOnly": true }, "tactics": { "description": "The tactics of the alert rule", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" @@ -942,6 +888,12 @@ "readOnly": true, "type": "string" }, + "lastUpdatedDateUTC": { + "description": "The time that this alert rule template was last updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, "description": { "description": "The description of the alert rule template.", "type": "string" @@ -963,13 +915,13 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "tactics": { "description": "The tactics of the alert rule template", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" } @@ -1017,7 +969,7 @@ "severitiesFilter": { "description": "the alerts' severities on which the cases will be generated", "items": { - "$ref": "#/definitions/AlertSeverity" + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity" }, "type": "array" } @@ -1104,6 +1056,12 @@ "readOnly": true, "type": "string" }, + "lastUpdatedDateUTC": { + "description": "The time that this alert rule template was last updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, "description": { "description": "The description of the alert rule template.", "type": "string" @@ -1145,7 +1103,7 @@ "severitiesFilter": { "description": "the alerts' severities on which the cases will be generated", "items": { - "$ref": "#/definitions/AlertSeverity" + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity" }, "type": "array" } @@ -1188,7 +1146,7 @@ "x-ms-discriminator-value": "Scheduled" }, "ScheduledAlertRuleCommonProperties": { - "description": "Schedule alert rule template property bag.", + "description": "Scheduled alert rule template property bag.", "properties": { "query": { "description": "The query that creates alerts for this rule.", @@ -1205,7 +1163,7 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "triggerOperator": { @@ -1216,10 +1174,219 @@ "description": "The threshold triggers this alert rule.", "format": "int32", "type": "integer" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" } }, "type": "object" }, + "EventGroupingSettings": { + "description": "Event grouping settings property bag.", + "properties": { + "aggregationKind": { + "$ref": "#/definitions/EventGroupingAggregationKind" + } + }, + "type": "object" + }, + "EventGroupingAggregationKind": { + "description": "The event grouping aggregation kinds", + "enum": [ + "SingleAlert", + "AlertPerResult" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EventGroupingAggregationKind" + } + }, + "EntityMappings": { + "description": "List of entity mappings of the alert rule", + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + "EntityMapping": { + "description": "Single entity mapping for the alert rule", + "properties": { + "entityType": { + "$ref": "#/definitions/EntityMappingType" + }, + "fieldMappings": { + "description": "array of field mappings for the given entity mapping", + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } + } + }, + "type": "object" + }, + "FieldMapping": { + "description": "A single field mapping of the mapped entity", + "properties": { + "identifier": { + "description": "the V3 identifier of the entity", + "type": "string" + }, + "columnName": { + "description": "the column name to be mapped to the identifier", + "type": "string" + } + }, + "type": "object" + }, + "AlertDetailsOverride": { + "description": "Settings for how to dynamically override alert static details", + "properties": { + "alertDisplayNameFormat": { + "description": "the format containing columns name(s) to override the alert name", + "type": "string" + }, + "alertDescriptionFormat": { + "description": "the format containing columns name(s) to override the alert description", + "type": "string" + }, + "alertTacticsColumnName": { + "description": "the column name to take the alert tactics from", + "type": "string" + }, + "alertSeverityColumnName": { + "description": "the column name to take the alert severity from", + "type": "string" + } + }, + "type": "object" + }, + "IncidentConfiguration": { + "description": "Incident Configuration property bag.", + "properties": { + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", + "type": "boolean" + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" + } + }, + "type": "object", + "required": [ + "createIncident" + ] + }, + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", + "properties": { + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "matchingMethod": { + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MatchingMethod", + "values": [ + { + "description": "Grouping alerts into a single incident if all the entities match", + "value": "AllEntities" + }, + { + "description": "Grouping any alerts triggered by this rule into a single incident", + "value": "AnyAlert" + }, + { + "description": "Grouping alerts into a single incident if the selected entities, custom details and alert details match", + "value": "Selected" + } + ] + } + }, + "groupByEntities": { + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.", + "items": { + "$ref": "#/definitions/EntityMappingType" + }, + "type": "array" + }, + "groupByAlertDetails": { + "description": "A list of alert details to group by (when matchingMethod is Selected)", + "items": { + "description": "Alert detail", + "enum": [ + "DisplayName", + "Severity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertDetail", + "values": [ + { + "description": "Alert display name", + "value": "DisplayName" + }, + { + "description": "Alert severity", + "value": "Severity" + } + ] + } + }, + "type": "array" + }, + "groupByCustomDetails": { + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "matchingMethod" + ] + }, "ScheduledAlertRuleProperties": { "allOf": [ { @@ -1262,9 +1429,13 @@ "tactics": { "description": "The tactics of the alert rule", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" + }, + "incidentConfiguration": { + "$ref": "#/definitions/IncidentConfiguration", + "description": "The settings of the incidents that created from alerts triggered by this analytics rule" } }, "required": [ @@ -1295,6 +1466,12 @@ "readOnly": true, "type": "string" }, + "lastUpdatedDateUTC": { + "description": "The time that this alert rule template was last updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, "description": { "description": "The description of the alert rule template.", "type": "string" @@ -1330,7 +1507,7 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "triggerOperator": { @@ -1345,9 +1522,13 @@ "tactics": { "description": "The tactics of the alert rule template", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" + }, + "version": { + "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", + "type": "string" } }, "type": "object" @@ -1373,13 +1554,116 @@ "queryFrequency", "queryPeriod", "triggerOperator", - "triggerThreshold" + "triggerThreshold", + "version" ], "x-ms-client-flatten": true } }, "type": "object", "x-ms-discriminator-value": "Scheduled" + }, + "EntityMappingType": { + "description": "The V3 type of the mapped entity", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityMappingType", + "values": [ + { + "description": "User account entity type", + "value": "Account" + }, + { + "description": "Host entity type", + "value": "Host" + }, + { + "description": "IP address entity type", + "value": "IP" + }, + { + "description": "Malware entity type", + "value": "Malware" + }, + { + "description": "System file entity type", + "value": "File" + }, + { + "description": "Process entity type", + "value": "Process" + }, + { + "description": "Cloud app entity type", + "value": "CloudApplication" + }, + { + "description": "DNS entity type", + "value": "DNS" + }, + { + "description": "Azure resource entity type", + "value": "AzureResource" + }, + { + "description": "File-hash entity type", + "value": "FileHash" + }, + { + "description": "Registry key entity type", + "value": "RegistryKey" + }, + { + "description": "Registry value entity type", + "value": "RegistryValue" + }, + { + "description": "Security group entity type", + "value": "SecurityGroup" + }, + { + "description": "URL entity type", + "value": "URL" + }, + { + "description": "Mailbox entity type", + "value": "Mailbox" + }, + { + "description": "Mail cluster entity type", + "value": "MailCluster" + }, + { + "description": "Mail message entity type", + "value": "MailMessage" + }, + { + "description": "Submission mail entity type", + "value": "SubmissionMail" + } + ] + } } }, "parameters": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json index 1d6ac6ca507d..bfc76a678c36 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json @@ -877,60 +877,6 @@ }, "type": "object" }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, "AzureResourceEntity": { "allOf": [ { @@ -1677,7 +1623,7 @@ "tactics": { "description": "The tactics associated with incident", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" @@ -3445,7 +3391,7 @@ "type": "array" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity of the alert" }, "startTimeUtc": { @@ -3500,7 +3446,7 @@ "tactics": { "description": "The tactics of the alert", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json new file mode 100644 index 000000000000..e129c738777a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json @@ -0,0 +1,66 @@ +{ + "swagger": "2.0", + "info": { + "version": "2021-10-01", + "title": "Common Alert types" + }, + "paths": {}, + "definitions": { + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 387ff76ae6ee..a9ea1024db31 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -23,12 +23,17 @@ "triggerThreshold": 0, "displayName": "Changes to Amazon VPC settings", "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, "tactics": [ "PrivilegeEscalation", "LateralMovement" ], + "lastUpdatedDateUTC": "2021-02-27T10:00:00Z", "createdDateUTC": "2019-02-27T00:00:00Z", "status": "Available", + "version": "1.0.2", "requiredDataConnectors": [ { "connectorId": "AWS", @@ -37,6 +42,26 @@ ] } ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], "alertRulesCreatedByTemplateCount": 0 } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json index 6ae1ed2b8440..d088c9f081e2 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -28,8 +28,10 @@ "PrivilegeEscalation", "LateralMovement" ], + "lastUpdatedDateUTC": "2021-02-27T10:00:00Z", "createdDateUTC": "2019-02-27T00:00:00Z", "status": "Available", + "version": "1.0.1", "requiredDataConnectors": [ { "connectorId": "AWS", @@ -55,6 +57,7 @@ "Exfiltration", "CommandAndControl" ], + "lastUpdatedDateUTC": "2021-03-27T10:00:00Z", "createdDateUTC": "2019-07-25T00:00:00Z", "status": "Available", "severity": "High", @@ -70,6 +73,7 @@ "productFilter": "Microsoft Cloud App Security", "displayName": "Create incidents based on Microsoft Cloud App Security alerts", "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security", + "lastUpdatedDateUTC": "2021-05-27T10:00:00Z", "createdDateUTC": "2019-07-16T00:00:00Z", "status": "Available", "alertRulesCreatedByTemplateCount": 0 diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json index 498d2223aafa..c5f37622de6d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -10,21 +10,71 @@ "kind": "Scheduled", "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", - "suppressionEnabled": false + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } }, @@ -38,22 +88,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } }, @@ -66,22 +168,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", - "triggerOperator": "GreaterThan", "triggerThreshold": 0, + "triggerOperator": "GreaterThan", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json index ce4025b71b59..41b69c14da7d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json @@ -18,22 +18,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } }, { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json index 6b969a692f32..ee97809a314a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json @@ -17,22 +17,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } }