From 51c03cda7b8005bf149b3b6247bcf26d5494d735 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 3 Oct 2021 12:33:14 +0300
Subject: [PATCH 01/10] Add AlertRules Stable version to 2021-10-01
---
 .../stable/2021-10-01/AlertRules.json | 342 +++++++++++++++++-
 .../GetAlertRuleTemplateById.json | 26 +-
 .../GetAlertRuleTemplates.json | 3 +
 .../alertRules/CreateScheduledAlertRule.json | 180 ++++++++-
 .../examples/alertRules/GetAllAlertRules.json | 62 +++-
 .../alertRules/GetScheduledAlertRule.json | 62 +++-
 6 files changed, 647 insertions(+), 28 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
index 4b145bde9de1..ddfb3de9e168 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
@@ -157,7 +157,7 @@
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/RuleId"
@@ -832,7 +832,8 @@
 "Collection",
 "Exfiltration",
 "CommandAndControl",
- "Impact"
+ "Impact",
+ "PreAttack"
 ],
 "type": "string",
 "x-ms-enum": {
@@ -942,6 +943,12 @@
 "readOnly": true,
 "type": "string"
 },
+ "lastUpdatedDateUTC": {
+ "description": "The time that this alert rule template was last updated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
 "description": {
 "description": "The description of the alert rule template.",
 "type": "string"
@@ -1104,6 +1111,12 @@
 "readOnly": true,
 "type": "string"
 },
+ "lastUpdatedDateUTC": {
+ "description": "The time that this alert rule template was last updated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
 "description": {
 "description": "The description of the alert rule template.",
 "type": "string"
@@ -1188,7 +1201,7 @@
 "x-ms-discriminator-value": "Scheduled"
 },
 "ScheduledAlertRuleCommonProperties": {
- "description": "Schedule alert rule template property bag.",
+ "description": "Scheduled alert rule template property bag.",
 "properties": {
 "query": {
 "description": "The query that creates alerts for this rule.",
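Review bot: The corrected description at the `ScheduledAlertRuleCommonProperties` hunk still calls the bag a "template property bag", yet the definition is named "common" and, later in this patch, `ScheduledAlertRuleProperties` (the live rule, not the template) starts an `allOf` right after it; if that `allOf` references this bag, SDK docs generated for the rule will describe it as a template bag. Suggest `"description": "Scheduled alert rule common property bag."`. The `allOf` target is outside the visible hunks, so confirm the definition is shared before rewording.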
@@ -1216,10 +1229,219 @@ "description": "The threshold triggers this alert rule.", "format": "int32", "type": "integer" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + } + }, + "type": "object" + }, + "EventGroupingSettings": { + "description": "Event grouping settings property bag.", + "properties": { + "aggregationKind": { + "$ref": "#/definitions/EventGroupingAggregationKind" + } + }, + "type": "object" + }, + "EventGroupingAggregationKind": { + "description": "The event grouping aggregation kinds", + "enum": [ + "SingleAlert", + "AlertPerResult" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EventGroupingAggregationKind" + } + }, + "EntityMappings": { + "description": "List of entity mappings of the alert rule", + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + "EntityMapping": { + "description": "Single entity mapping for the alert rule", + "properties": { + "entityType": { + "$ref": "#/definitions/EntityMappingType" + }, + "fieldMappings": { + "description": "array of field mappings for the given entity mapping", + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } } }, "type": "object" }, + "FieldMapping": { + "description": "A single field mapping of the mapped entity", + "properties": { + "identifier": { + "description": "the V3 identifier of the entity", + "type": "string" + }, + "columnName": { + "description": 
"the column name to be mapped to the identifier", + "type": "string" + } + }, + "type": "object" + }, + "AlertDetailsOverride": { + "description": "Settings for how to dynamically override alert static details", + "properties": { + "alertDisplayNameFormat": { + "description": "the format containing columns name(s) to override the alert name", + "type": "string" + }, + "alertDescriptionFormat": { + "description": "the format containing columns name(s) to override the alert description", + "type": "string" + }, + "alertTacticsColumnName": { + "description": "the column name to take the alert tactics from", + "type": "string" + }, + "alertSeverityColumnName": { + "description": "the column name to take the alert severity from", + "type": "string" + } + }, + "type": "object" + }, + "IncidentConfiguration": { + "description": "Incident Configuration property bag.", + "properties": { + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", + "type": "boolean" + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" + } + }, + "type": "object", + "required": [ + "createIncident" + ] + }, + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", + "properties": { + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "matchingMethod": { + "description": "Grouping matching method. 
When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MatchingMethod", + "values": [ + { + "description": "Grouping alerts into a single incident if all the entities match", + "value": "AllEntities" + }, + { + "description": "Grouping any alerts triggered by this rule into a single incident", + "value": "AnyAlert" + }, + { + "description": "Grouping alerts into a single incident if the selected entities, custom details and alert details match", + "value": "Selected" + } + ] + } + }, + "groupByEntities": { + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.", + "items": { + "$ref": "#/definitions/EntityMappingType" + }, + "type": "array" + }, + "groupByAlertDetails": { + "description": "A list of alert details to group by (when matchingMethod is Selected)", + "items": { + "description": "Alert detail", + "enum": [ + "DisplayName", + "Severity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertDetail", + "values": [ + { + "description": "Alert display name", + "value": "DisplayName" + }, + { + "description": "Alert severity", + "value": "Severity" + } + ] + } + }, + "type": "array" + }, + "groupByCustomDetails": { + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "matchingMethod" + ] + }, "ScheduledAlertRuleProperties": { "allOf": [ { 
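Review bot: The `groupByAlertDetails.items` enum (`AlertDetail`) is declared inline inside `GroupingConfiguration`, while the sibling enums `EventGroupingAggregationKind` and `EntityMappingType` added by this same patch are named definitions; lift it to `#/definitions/AlertDetail` and reference it so the generated enum type has a stable, reusable home. `alertDetailsOverride` carries `"type": "object"` next to its `$ref`; in Swagger 2.0 keywords beside `$ref` are ignored, and the sibling `eventGroupingSettings` and `entityMappings` entries omit it, so drop that line. The `alertDisplayNameFormat` / `alertDescriptionFormat` descriptions say "the format containing columns name(s)" but never state the placeholder syntax, which the examples in this patch show as `{{Computer}}`; suggest `"description": "The format used to override the alert display name; column names are written in double curly braces, e.g. {{ColumnName}}"`, and note that the substituted values are presumably taken from the rule's query results and become analyst-facing text. The new descriptions in `FieldMapping` and `AlertDetailsOverride` also start lowercase, unlike the sentence-case descriptions elsewhere in this file.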
@@ -1265,6 +1487,10 @@
 "$ref": "#/definitions/AttackTactic"
 },
 "type": "array"
+ },
+ "incidentConfiguration": {
+ "$ref": "#/definitions/IncidentConfiguration",
+ "description": "The settings of the incidents that created from alerts triggered by this analytics rule"
 }
 },
 "required": [
@@ -1295,6 +1521,12 @@
 "readOnly": true,
 "type": "string"
 },
+ "lastUpdatedDateUTC": {
+ "description": "The time that this alert rule template was last updated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
 "description": {
 "description": "The description of the alert rule template.",
 "type": "string"
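Review bot: The `incidentConfiguration` description in the first hunk reads "the incidents that created from alerts", which is ungrammatical and is what the generated SDK docs will show; suggest `"description": "The settings of the incidents that are created from alerts triggered by this analytics rule"`. The second hunk adds a third identical `lastUpdatedDateUTC` block (the others are in the hunks at 943 and 1111), which matches the per-definition pattern already used for `createdDateUTC`, but each copy's wording "this alert rule template" should be checked against its owning definition, which lies outside the visible hunk lines.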
@@ -1380,6 +1612,108 @@ }, "type": "object", "x-ms-discriminator-value": "Scheduled" + }, + "EntityMappingType": { + "description": "The V3 type of the mapped entity", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityMappingType", + "values": [ + { + "description": "User account entity type", + "value": "Account" + }, + { + "description": "Host entity type", + "value": "Host" + }, + { + "description": "IP address entity type", + "value": "IP" + }, + { + "description": "Malware entity type", + "value": "Malware" + }, + { + "description": "System file entity type", + "value": "File" + }, + { + "description": "Process entity type", + "value": "Process" + }, + { + "description": "Cloud app entity type", + "value": "CloudApplication" + }, + { + "description": "DNS entity type", + "value": "DNS" + }, + { + "description": "Azure resource entity type", + "value": "AzureResource" + }, + { + "description": "File-hash entity type", + "value": "FileHash" + }, + { + "description": "Registry key entity type", + "value": "RegistryKey" + }, + { + "description": "Registry value entity type", + "value": "RegistryValue" + }, + { + "description": "Security group entity type", + "value": "SecurityGroup" + }, + { + "description": "URL entity type", + "value": "URL" + }, + { + "description": "Mailbox entity type", + "value": "Mailbox" + }, + { + "description": "Mail cluster entity type", + "value": "MailCluster" + }, + { + "description": "Mail message entity type", + "value": "MailMessage" + }, + { + "description": "Submission mail entity type", + "value": "SubmissionMail" + } + ] + } } }, "parameters": { 
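Review bot: `EntityMappingType` is described as "The V3 type of the mapped entity", and the earlier hunk's `FieldMapping.identifier` as "the V3 identifier of the entity", but nothing in the visible spec explains what "V3" refers to or where the valid `identifier` values come from, and `identifier` is an unconstrained string. A reader of the generated docs cannot tell that the examples' `FullName` (for `Account`) and `Address` (for `IP`) are the expected identifiers for those types. Suggest `"description": "The type of the mapped entity; the identifiers accepted in fieldMappings depend on this type"` here, and a matching sentence on `identifier` in the earlier hunk, with a link to the entity schema if one exists.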
@@ -1428,4 +1762,4 @@
 "x-ms-parameter-location": "method"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index 387ff76ae6ee..3e1d0355e2f7 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -23,10 +23,14 @@
 "triggerThreshold": 0,
 "displayName": "Changes to Amazon VPC settings",
 "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
 "tactics": [
 "PrivilegeEscalation",
 "LateralMovement"
 ],
+ "lastUpdatedDateUTC": "2021-02-27T10:00:00Z",
 "createdDateUTC": "2019-02-27T00:00:00Z",
 "status": "Available",
 "requiredDataConnectors": [
@@ -37,9 +41,29 @@
 ]
 }
 ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
 "alertRulesCreatedByTemplateCount": 0
 }
 }
 }
 }
-}
+}
\ No newline at end of file
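Review bot: The template example response now carries `eventGroupingSettings` and `entityMappings`, but the only template-side schema change visible in this patch is the added `lastUpdatedDateUTC`; the two new properties were added to `ScheduledAlertRuleCommonProperties`, and whether the scheduled template definition composes that bag via `allOf` is outside the visible hunks. If it does not, example validation will reject these keys, so that should be confirmed before merge. The `entityMappings` here reference `AccountCustomEntity` and `IPCustomEntity` columns, which must be produced by the template's `query` (also not in this hunk) for the mapping to resolve.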
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
index 6ae1ed2b8440..6481a336cb14 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
@@ -28,6 +28,7 @@
 "PrivilegeEscalation",
 "LateralMovement"
 ],
+ "lastUpdatedDateUTC": "2021-02-27T10:00:00Z",
 "createdDateUTC": "2019-02-27T00:00:00Z",
 "status": "Available",
 "requiredDataConnectors": [
@@ -55,6 +56,7 @@
 "Exfiltration",
 "CommandAndControl"
 ],
+ "lastUpdatedDateUTC": "2021-03-27T10:00:00Z",
 "createdDateUTC": "2019-07-25T00:00:00Z",
 "status": "Available",
 "severity": "High",
@@ -70,6 +72,7 @@
 "productFilter": "Microsoft Cloud App Security",
 "displayName": "Create incidents based on Microsoft Cloud App Security alerts",
 "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+ "lastUpdatedDateUTC": "2021-05-27T10:00:00Z",
 "createdDateUTC": "2019-07-16T00:00:00Z",
 "status": "Available",
 "alertRulesCreatedByTemplateCount": 0
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json
index 498d2223aafa..0f2ebe9109a3 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -10,21 +10,71 @@ "kind": "Scheduled", "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", - "suppressionEnabled": false + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } }, 
@@ -38,22 +88,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } }, 
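Review bot: The 200 response now includes `"alertTacticsColumnName": null` and `"alertSeverityColumnName": null`, but `AlertDetailsOverride` in AlertRules.json declares both as plain `"type": "string"` with no `x-nullable`, so the example validator is likely to flag them and generated SDKs will not round-trip a null there. Either omit the two keys from the example, as the request body in the previous hunk already does, or add `"x-nullable": true` to those two properties in the definition. The same nulls appear in the 201 response hunk below and in the GetAllAlertRules.json and GetScheduledAlertRule.json hunks. Separately, `lastModifiedUtc` is `2021-03-01T13:17:30Z` here but `2021-03-01T13:15:30Z` in the 201 response of the same example and still `2019-01-01T13:15:30Z` in GetScheduledAlertRule.json; harmless, but the mismatch looks accidental.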
@@ -66,24 +168,76 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } } } -} +} \ No newline at end of file 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json
index ce4025b71b59..daea4221b6f6 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json
@@ -18,22 +18,74 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } }, { @@ -78,4 +130,4 @@ } } } -} +} \ No newline at end of file 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json
index 6b969a692f32..2f57e80c7f09 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json
@@ -17,24 +17,76 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": { "alertRuleTemplateName": null, - "displayName": "Rule2", - "description": "", + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", "severity": "High", "enabled": true, "tactics": [ "Persistence", "LateralMovement" ], - "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, - "lastModifiedUtc": "2019-01-01T13:15:30Z" + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } } } } } -} +} \ No newline at end of file From f46041ed0369ed84f2bf2f2902106b38064e2a28 Mon Sep 17 00:00:00 2001 
From: Laith Hisham
Date: Sun, 3 Oct 2021 12:48:53 +0300
Subject: [PATCH 02/10] Fix missing alignment in common types
---
 .../stable/2021-10-01/AlertRules.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
index ddfb3de9e168..f04b3080115f 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
@@ -157,7 +157,7 @@
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/RuleId"
From e4ea5c60d44af5e78bd619ae6bfcf56b25583106 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 3 Oct 2021 14:39:33 +0300
Subject: [PATCH 03/10] prettier fixes
---
 .../stable/2021-10-01/AlertRules.json | 2 +-
 .../examples/alertRuleTemplates/GetAlertRuleTemplateById.json | 2 +-
 .../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 2 +-
 .../2021-10-01/examples/alertRules/CreateFusionAlertRule.json | 2 +-
 .../CreateMicrosoftSecurityIncidentCreationAlertRule.json | 2 +-
 .../examples/alertRules/CreateScheduledAlertRule.json | 2 +-
 .../stable/2021-10-01/examples/alertRules/DeleteAlertRule.json | 2 +-
 .../stable/2021-10-01/examples/alertRules/GetAllAlertRules.json | 2 +-
 .../2021-10-01/examples/alertRules/GetFusionAlertRule.json | 2 +-
 .../GetMicrosoftSecurityIncidentCreationAlertRule.json | 2 +-
 .../2021-10-01/examples/alertRules/GetScheduledAlertRule.json | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
index f04b3080115f..0839a1816f05 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
@@ -1762,4 +1762,4 @@
 "x-ms-parameter-location": "method"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index 3e1d0355e2f7..182cfbfe9acb 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -66,4 +66,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
index 6481a336cb14..1df7ed43575a 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json
@@ -82,4 +82,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json index f42add047e54..bf33df46ed38 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json @@ -63,4 +63,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json index 3c0cdad425e7..5b886d3157a3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -56,4 +56,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json index 0f2ebe9109a3..676c634741ac 100644 
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -240,4 +240,4 @@ } } } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json index 9658597e086f..38cbfff213e3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json @@ -11,4 +11,4 @@ "200": {}, "204": {} } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json index daea4221b6f6..41b69c14da7d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json @@ -130,4 +130,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json index 653d0a11cf09..f93332f49488 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json @@ -32,4 +32,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json index ce5badf2aa99..1994cb749d7e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -28,4 +28,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json index 2f57e80c7f09..ee97809a314a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json 
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json @@ -89,4 +89,4 @@ } } } -} \ No newline at end of file +} From 20a52857b4155f5dd2906878d6213871566985a9 Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Sun, 3 Oct 2021 16:38:41 +0300 Subject: [PATCH 04/10] move tactics and severity to common --- .../stable/2021-10-01/AlertRules.json | 75 +++---------------- .../stable/2021-10-01/Incidents.json | 60 +-------------- .../stable/2021-10-01/common/AlertTypes.txt | 66 ++++++++++++++++ 3 files changed, 79 insertions(+), 122 deletions(-) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index 0839a1816f05..514cf9243f1e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json 
@@ -786,61 +786,6 @@ "value" ] }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, "FusionAlertRule": { "allOf": [ { @@ -886,14 +831,14 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule.", "readOnly": true }, "tactics": { "description": "The tactics of the alert rule", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" @@ -970,13 +915,13 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "tactics": { "description": "The tactics of the alert rule template", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" } 
@@ -1024,7 +969,7 @@ "severitiesFilter": { "description": "the alerts' severities on which the cases will be generated", "items": { - "$ref": "#/definitions/AlertSeverity" + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity" }, "type": "array" } @@ -1158,7 +1103,7 @@ "severitiesFilter": { "description": "the alerts' severities on which the cases will be generated", "items": { - "$ref": "#/definitions/AlertSeverity" + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity" }, "type": "array" } @@ -1218,7 +1163,7 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "triggerOperator": { @@ -1484,7 +1429,7 @@ "tactics": { "description": "The tactics of the alert rule", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" }, @@ -1562,7 +1507,7 @@ "type": "string" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, "triggerOperator": { @@ -1577,7 +1522,7 @@ "tactics": { "description": "The tactics of the alert rule template", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json index 1d6ac6ca507d..bfc76a678c36 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json 
@@ -877,60 +877,6 @@ }, "type": "object" }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, "AzureResourceEntity": { "allOf": [ { @@ -1677,7 +1623,7 @@ "tactics": { "description": "The tactics associated with incident", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" @@ -3445,7 +3391,7 @@ "type": "array" }, "severity": { - "$ref": "#/definitions/AlertSeverity", + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", "description": "The severity of the alert" }, "startTimeUtc": { @@ -3500,7 +3446,7 @@ "tactics": { "description": "The tactics of the alert", "items": { - "$ref": "#/definitions/AttackTactic" + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "readOnly": true, "type": "array" 
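Review bot: Repointing the incident and alert `tactics` items to the shared `AttackTactic` widens the Incidents enum: the definition removed in the `@@ -877,60` hunk listed twelve tactics, while the shared definition this commit introduces also carries `PreAttack`, so incident responses may now document a value that Incidents.json never listed before. With `modelAsString: true` generated clients will not reject it, but this is a stable API version, so the widening should be named in the commit message and the incidents example files checked for whether the service actually emits it. If incidents never carry `PreAttack`, the `tactics` description in the `@@ -1677,7` hunk is the place to say so rather than leaving consumers to infer it from the shared enum.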
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt new file mode 100644 index 000000000000..0faba6d208b1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt @@ -0,0 +1,66 @@ +{ + "swagger": "2.0", + "info": { + "version": "2021-10-01", + "title": "Common Alert types" + }, + "paths": {}, + "definitions": { + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + } + }, + "parameters": {} +} \ No newline at end of file From f75e4a26c59158547a8ea9ed94aaafbc1611ba5e Mon Sep 17 00:00:00 2001 
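Review bot: The `description` of the new shared `AttackTactic` definition, `"The severity for alerts created by this alert rule."`, is the `AlertSeverity` wording copied over and says nothing about tactics; since this file is now the single source for both AlertRules.json and Incidents.json, the text should also be neutral about where the value appears, e.g. `"description": "The attack tactic associated with the alert."`. Unlike `AlertSeverity`, `AttackTactic` gives no per-value `values` entries in its `x-ms-enum`, so generated SDK docs will carry bare identifiers for the thirteen tactics; adding them the way `AlertSeverity` does keeps the two definitions in this file consistent.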
From: Laith Hisham Date: Sun, 3 Oct 2021 16:50:34 +0300 Subject: [PATCH 05/10] fix common types file extension --- .../stable/2021-10-01/common/{AlertTypes.txt => AlertTypes.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/{AlertTypes.txt => AlertTypes.json} (100%) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json similarity index 100% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.txt rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json From 0700f8a83a11ea3789adffaac8de8c68454de797 Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Sun, 3 Oct 2021 17:05:22 +0300 Subject: [PATCH 06/10] more prettier fixes --- .../stable/2021-10-01/common/AlertTypes.json | 2 +- .../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 2 +- .../2021-10-01/examples/alertRules/CreateFusionAlertRule.json | 2 +- .../CreateMicrosoftSecurityIncidentCreationAlertRule.json | 2 +- .../stable/2021-10-01/examples/alertRules/DeleteAlertRule.json | 2 +- .../2021-10-01/examples/alertRules/GetFusionAlertRule.json | 2 +- .../GetMicrosoftSecurityIncidentCreationAlertRule.json | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json index 0faba6d208b1..e129c738777a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json 
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/AlertTypes.json @@ -63,4 +63,4 @@ } }, "parameters": {} -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json index 1df7ed43575a..6481a336cb14 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -82,4 +82,4 @@ } } } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json index bf33df46ed38..f42add047e54 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json @@ -63,4 +63,4 @@ } } } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json index 5b886d3157a3..3c0cdad425e7 100644 
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -56,4 +56,4 @@ } } } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json index 38cbfff213e3..9658597e086f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json @@ -11,4 +11,4 @@ "200": {}, "204": {} } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json index f93332f49488..653d0a11cf09 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json @@ -32,4 +32,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json index 1994cb749d7e..ce5badf2aa99 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -28,4 +28,4 @@ } } } -} \ No newline at end of file +} From d2ef4e29be683aa694ccba02e87a3aab72957c26 Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Tue, 5 Oct 2021 08:08:24 +0300 Subject: [PATCH 07/10] Add template version field --- .../stable/2021-10-01/AlertRules.json | 6 +++++- .../alertRuleTemplates/GetAlertRuleTemplateById.json | 3 ++- .../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index 514cf9243f1e..d7d6a0bab3fd 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -1525,6 +1525,10 @@ "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" + }, + "version": { + "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", + "type": "string" } }, "type": "object" 
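Review bot: The `description` on the new `version` property reads `in format , where all are numbers`: the format token between `format` and the comma is missing, most likely an angle-bracketed placeholder such as `<a.b.c>` that was stripped while the example `<1.0.2>` survived, so the contract cannot be read from the generated docs. Suggest `"description": "The version of this template, in the format a.b.c where a, b and c are numbers. For example 1.0.2."`, and, if three dot-separated integers is indeed the rule, enforcing it with `"pattern": "^\\d+\\.\\d+\\.\\d+$"` so the value is validated rather than only described. The template property bag this field belongs to starts and ends outside the hunk.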
@@ -1707,4 +1711,4 @@ "x-ms-parameter-location": "method" } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 182cfbfe9acb..8a0e58fc6c0e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -33,6 +33,7 @@ "lastUpdatedDateUTC": "2021-02-27T10:00:00Z", "createdDateUTC": "2019-02-27T00:00:00Z", "status": "Available", + "version": "1.0.2", "requiredDataConnectors": [ { "connectorId": "AWS", @@ -66,4 +67,4 @@ } } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json index 6481a336cb14..8fae8e5687f9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -31,6 +31,7 @@ "lastUpdatedDateUTC": "2021-02-27T10:00:00Z", "createdDateUTC": "2019-02-27T00:00:00Z", "status": "Available", + "version": "1.0.1", "requiredDataConnectors": [ { "connectorId": "AWS", @@ -82,4 +83,4 @@ } } } -} +} \ No newline at end of file 
From a67b2995f72d56138893b6a816dfd53f7662ed8d Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Tue, 5 Oct 2021 08:09:00 +0300 Subject: [PATCH 08/10] prettier --- .../stable/2021-10-01/AlertRules.json | 2 +- .../examples/alertRuleTemplates/GetAlertRuleTemplateById.json | 2 +- .../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index d7d6a0bab3fd..59c6456ca028 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -1711,4 +1711,4 @@ "x-ms-parameter-location": "method" } } -} \ No newline at end of file +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 8a0e58fc6c0e..a9ea1024db31 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -67,4 +67,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json index 8fae8e5687f9..d088c9f081e2 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -83,4 +83,4 @@ } } } -} \ No newline at end of file +} From 14332239c05c65533550feddde4a9dfc847f4516 Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Tue, 5 Oct 2021 08:10:22 +0300 Subject: [PATCH 09/10] added version to required fields --- .../stable/2021-10-01/AlertRules.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index 59c6456ca028..a577e19acf52 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -1554,7 +1554,8 @@ "queryFrequency", "queryPeriod", "triggerOperator", - "triggerThreshold" + "triggerThreshold", + "version" ], "x-ms-client-flatten": true } From fa61b48bfdb743f321fcc80cc6def4149059a482 Mon Sep 17 00:00:00 2001 From: Laith Hisham Date: Wed, 6 Oct 2021 08:25:09 +0300 Subject: [PATCH 10/10] dummy change to trigger checks again --- .../examples/alertRules/CreateScheduledAlertRule.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
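Review bot: Adding `version` to the template's `required` list in a stable API version means every template the service returns must carry it, and clients that validate responses against the spec will reject older templates without it; the updated examples (GetAlertRuleTemplateById.json, GetAlertRuleTemplates.json) include it, but the service side should be confirmed before this lands. The property was introduced without `readOnly`; if `version` is assigned by the service rather than supplied by callers, `"readOnly": true` on the property would make that explicit. The definition this `required` array belongs to starts outside the hunk, so I am reading it as the scheduled alert rule template bag from the neighbouring `queryFrequency`/`triggerThreshold` entries.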
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json index 676c634741ac..c5f37622de6d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -179,8 +179,8 @@ "query": "Heartbeat", "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M", - "triggerOperator": "GreaterThan", "triggerThreshold": 0, + "triggerOperator": "GreaterThan", "suppressionDuration": "PT1H", "suppressionEnabled": false, "lastModifiedUtc": "2021-03-01T13:15:30Z",