From 388036a7e557d27ec94feb53ed276c797e509956 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 7 Nov 2021 12:33:54 +0200
Subject: [PATCH 1/4] add missing properties to scheduled template
---
 .../stable/2021-10-01/AlertRules.json | 20 +++++++++++++++++++
 .../GetAlertRuleTemplateById.json | 10 ++++++++++
 2 files changed, 30 insertions(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
index a577e19acf52..5ebd370a2f55 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
@@ -1529,6 +1529,26 @@
 "version": {
 "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.",
 "type": "string"
+ },
+ "eventGroupingSettings": {
+ "$ref": "#/definitions/EventGroupingSettings",
+ "description": "The event grouping settings."
+ },
+ "customDetails": {
+ "description": "Dictionary of string key-value pairs of columns to be attached to the alert",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "entityMappings": {
+ "$ref": "#/definitions/EntityMappings",
+ "description": "Array of the entity mappings of the alert rule"
+ },
+ "alertDetailsOverride": {
+ "type": "object",
+ "$ref": "#/definitions/AlertDetailsOverride",
+ "description": "The alert details override settings"
+ }
 },
 "type": "object"
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index a9ea1024db31..f54c6779ea1f 100644
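Review bot: `alertDetailsOverride` lists `"type": "object"` beside its `$ref`, while the sibling `eventGroupingSettings` and `entityMappings` entries added in the same hunk use `$ref` plus `description` only; in the Swagger 2.0 / draft-04 dialect these specs use, keywords next to `$ref` are ignored, so the line is dead at best and a lint finding at worst, and the entry should read `"alertDetailsOverride": {` / `"$ref": "#/definitions/AlertDetailsOverride",` / `"description": "The alert details override settings."`. The new descriptions also drop the trailing period the surrounding ones carry, e.g. `"description": "Dictionary of string key-value pairs of columns to be attached to the alert."`. `customDetails` is an open string map with no `maxProperties` and no value `maxLength`, so any bound on what a template can attach to an alert rests on service-side validation rather than on this schema; if that is intended, a sentence in the description saying so would help consumers. Whether `EventGroupingSettings`, `EntityMappings` and `AlertDetailsOverride` exist under `#/definitions` cannot be confirmed from this hunk, and the enclosing template definition starts before it and ends after it.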
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -63,6 +63,16 @@
 }
 ],
 "alertRulesCreatedByTemplateCount": 0
+ },
+ "customDetails": {
+ "EventNames": "EventName",
+ "EventTypes": "EventTypeName"
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "Alert on event {{EventName}}",
+ "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
 }
 }
 }
From 1bc93c282d96d8813b113db60f06c33a7a3a55b7 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 7 Nov 2021 12:35:32 +0200
Subject: [PATCH 2/4] prettier fixes
---
 .../alertRuleTemplates/GetAlertRuleTemplateById.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index f54c6779ea1f..eff0261dd9e7 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
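Review bot: `alertTacticsColumnName` and `alertSeverityColumnName` are set to `null` in the example; unless the `AlertDetailsOverride` definition (outside this diff) marks them `x-nullable`, the example validator will reject `null` against a string-typed property, and the usual way to show an unset optional field in these examples is to omit the key. The same two lines recur in `@@ -65,14 +65,14 @@` (PATCH 2/4) and `@@ -64,17 +62,17 @@` (PATCH 4/4). Note also that on the new side `customDetails` and `alertDetailsOverride` follow the added `},` that closes `properties`, so this commit places them as siblings of `properties` rather than inside it; PATCH 4/4 in the series moves them back, so that part needs no further change here.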
@@ -65,14 +65,14 @@
 "alertRulesCreatedByTemplateCount": 0
 },
 "customDetails": {
- "EventNames": "EventName",
- "EventTypes": "EventTypeName"
+ "EventNames": "EventName",
+ "EventTypes": "EventTypeName"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Alert on event {{EventName}}",
- "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
- "alertTacticsColumnName": null,
- "alertSeverityColumnName": null
+ "alertDisplayNameFormat": "Alert on event {{EventName}}",
+ "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
 }
 }
 }
From 43458c58f430de61bd968cc9e832260e81334239 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 14 Nov 2021 08:35:11 +0200
Subject: [PATCH 3/4] restore templates example after merge
---
 .../GetAlertRuleTemplateById.json | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index 04e8e8ac93f8..ee208001a07a 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -23,6 +23,9 @@
 "triggerThreshold": 0,
 "displayName": "Changes to Amazon VPC settings",
 "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
 "tactics": [
 "PrivilegeEscalation",
 "LateralMovement"
@@ -41,6 +44,28 @@
 ],
 "alertRulesCreatedByTemplateCount": 0
 },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "alertRulesCreatedByTemplateCount": 0
+ },
 "customDetails": {
 "EventNames": "EventName",
 "EventTypes": "EventTypeName"
From 230c02f3038c6061a69587a743125675f49ff887 Mon Sep 17 00:00:00 2001
From: Laith Hisham
Date: Sun, 14 Nov 2021 08:37:52 +0200
Subject: [PATCH 4/4] fix templates example after merge and run prettier
---
 .../GetAlertRuleTemplateById.json | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index ee208001a07a..c80c47d81ddd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
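Review bot: The last two added lines of the second hunk, `"alertRulesCreatedByTemplateCount": 0` and `},`, repeat the two context lines directly above the insertion, so the added block closes one more brace than it opens and the count key appears twice; after this commit the example is not valid JSON until PATCH 4/4 removes exactly those lines again. Squashing PATCH 3/4 and 4/4 would keep every commit in the series passing example validation and avoid a bisect landing on a broken example. In the first hunk, `"aggregationKind": "AlertPerResult"` is the only field of the new `eventGroupingSettings` block; whether it is one of the values the `EventGroupingSettings` definition enumerates cannot be checked from this diff.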
@@ -42,9 +42,7 @@
 ]
 }
 ],
- "alertRulesCreatedByTemplateCount": 0
- },
- "entityMappings": [
+ "entityMappings": [
 {
 "entityType": "Account",
 "fieldMappings": [
@@ -64,17 +62,17 @@
 ]
 }
 ],
+ "customDetails": {
+ "EventNames": "EventName",
+ "EventTypes": "EventTypeName"
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "Alert on event {{EventName}}",
+ "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
 "alertRulesCreatedByTemplateCount": 0
- },
- "customDetails": {
- "EventNames": "EventName",
- "EventTypes": "EventTypeName"
- },
- "alertDetailsOverride": {
- "alertDisplayNameFormat": "Alert on event {{EventName}}",
- "alertDescriptionFormat": "Suspicious activity was made by {{AccountCustomEntity}}",
- "alertTacticsColumnName": null,
- "alertSeverityColumnName": null
 }
 }
 }