diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
index c3d41dd02398..55bdada894c4 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
@@ -797,6 +797,10 @@
 "eventGroupingSettings": {
 "$ref": "#/definitions/EventGroupingSettings",
 "description": "The event grouping settings."
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
@@ -1759,6 +1763,10 @@
 "eventGroupingSettings": {
 "$ref": "#/definitions/EventGroupingSettings",
 "description": "The event grouping settings."
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "required": [
@@ -1878,6 +1886,10 @@
 "type": "object",
 "$ref": "#/definitions/AlertDetailsOverride",
 "description": "The alert details override settings"
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
@@ -2051,6 +2063,10 @@
 "type": "object",
 "$ref": "#/definitions/AlertDetailsOverride",
 "description": "The alert details override settings"
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
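Review bot: The description on the new `sentinelEntitiesMappings` property says only that it is an array of mappings; it does not say what the service does with the named column or whether the property is optional, and the `required` list of this definition is outside the hunk, so optionality cannot be checked here. The same one-line text is then copied verbatim into the three other hunks on this line, so whatever wording is chosen should be updated in all four places. I would write `"description": "Array of the sentinel entity mappings of the alert rule. Each entry names a column of the rule query's result set to be mapped to the SentinelEntities of the alert; see SentinelEntityMapping."`, which is my reading of the `columnName` description in the definition added later in this diff and should be confirmed by the service owners. Presumably this property sits alongside the rule's existing entity-mapping property, which is not visible in this hunk; if so, the description should also say how the two combine.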
@@ -2094,6 +2110,24 @@
 },
 "type": "object"
 },
+ "SentinelEntitiesMappings": {
+ "description": "List of sentinel entity mappings of the alert rule",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/SentinelEntityMapping"
+ },
+ "x-ms-identifiers": []
+ },
+ "SentinelEntityMapping": {
+ "description": "A single sentinel entity mapping",
+ "properties": {
+ "columnName": {
+ "description": "the column name to be mapped to the SentinelEntities",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
 "AlertDetailsOverride": {
 "description": "Settings for how to dynamically override alert static details",
 "properties": {
@@ -2112,6 +2146,27 @@
 "alertSeverityColumnName": {
 "description": "the column name to take the alert severity from",
 "type": "string"
+ },
+ "alertDynamicProperties": {
+ "description": "List of additional dynamic properties to override",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AlertPropertyMapping"
+ },
+ "x-ms-identifiers": []
+ }
+ },
+ "type": "object"
+ },
+ "AlertPropertyMapping": {
+ "description": "A single alert property mapping to override",
+ "properties": {
+ "alertProperty": {
+ "$ref": "#/definitions/AlertProperty"
+ },
+ "value": {
+ "description": "the column name to use to override this property",
+ "type": "string"
 }
 },
 "type": "object"
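Review bot: `SentinelEntityMapping` declares no `required` list, so a mapping entry of `{}` validates against this schema even though `columnName` is the only property it carries and a missing column name cannot be mapped to anything. Add `"required": [ "columnName" ]` to the definition and, if the service rejects blank names, `"minLength": 1` on the property, so generated clients fail fast instead of round-tripping an invalid rule to the service. `SentinelEntitiesMappings` likewise carries no `maxItems`; if the service caps the number of mappings per rule, that cap should be expressed here or at least stated in the description, since nothing in this hunk tells a client what is accepted.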
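Review bot: `AlertPropertyMapping` has no `required` list, so an entry with only `alertProperty` or only `value` passes schema validation although neither half of the mapping is usable on its own; add `"required": [ "alertProperty", "value" ]`. Nothing in `alertDynamicProperties` prevents two entries naming the same `alertProperty`, and `"x-ms-identifiers": []` declares no identity for the items, so the array description should state whether duplicates are rejected or which entry wins. The `value` description, 'the column name to use to override this property', is the only place that says the override is taken from a query result column rather than being a literal; since renaming the property is probably off the table even in a preview API, I would sharpen it to `"description": "Name of the rule query's result column whose value overrides this alert property (not a literal value)"`. The `AlertDetailsOverride` definition this hunk extends starts in the previous hunk.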
@@ -2426,6 +2481,63 @@
 }
 ]
 }
+ },
+ "AlertProperty": {
+ "description": "The V3 alert property",
+ "enum": [
+ "AlertLink",
+ "ConfidenceLevel",
+ "ConfidenceScore",
+ "ExtendedLinks",
+ "ProductName",
+ "ProviderName",
+ "ProductComponentName",
+ "RemediationSteps",
+ "Techniques"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AlertProperty",
+ "values": [
+ {
+ "description": "Alert's link",
+ "value": "AlertLink"
+ },
+ {
+ "description": "Confidence level property",
+ "value": "ConfidenceLevel"
+ },
+ {
+ "description": "Confidence score",
+ "value": "ConfidenceScore"
+ },
+ {
+ "description": "Extended links to the alert",
+ "value": "ExtendedLinks"
+ },
+ {
+ "description": "Product name alert property",
+ "value": "ProductName"
+ },
+ {
+ "description": "Provider name alert property",
+ "value": "ProviderName"
+ },
+ {
+ "description": "Product component name alert property",
+ "value": "ProductComponentName"
+ },
+ {
+ "description": "Remediation steps alert property",
+ "value": "RemediationSteps"
+ },
+ {
+ "description": "Techniques alert property",
+ "value": "Techniques"
+ }
+ ]
+ }
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
index 1b21183d7f9d..633b2700fe15 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
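Review bot: The `x-ms-enum` value descriptions restate the member name ('Product name alert property', 'Techniques alert property') and say nothing about what the mapped column must contain, which matters because every one of these properties is populated from a query result column via `AlertPropertyMapping.value` rather than from a literal the rule author writes. `AlertLink` and `ExtendedLinks` are presumably rendered as links and `ConfidenceScore` as a number, while `RemediationSteps` and `Techniques` read as lists, but the schema does not say so, nor what happens to a column value that does not parse. I would replace each description with the expected column content once the service owners confirm the formats — for example `"description": "URL shown as the alert's link; the mapped column must hold a single absolute URL"` for `AlertLink` and `"description": "Numeric confidence score; the mapped column must hold a number"` for `ConfidenceScore` — and state on `AlertProperty` itself whether values that fail to parse are dropped or fail the rule. With `"modelAsString": true` generated clients will also send members not listed here, so the top-level description should say whether the service rejects unknown members. The `definitions` object this hunk closes starts far outside the hunk.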
@@ -55,9 +55,28 @@
 ]
 }
 ],
+ "sentinelEntitiesMappings": [
+ {
+ "columnName": "Entities"
+ }
+ ],
 "alertDetailsOverride": {
 "alertDisplayNameFormat": "Alert from {{Computer}}",
- "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}"
+ "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+ "alertDynamicProperties": [
+ {
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
+ },
+ {
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
+ },
+ {
+ "alertProperty": "AlertLink",
+ "value": "Link"
+ }
+ ]
 },
 "incidentConfiguration": {
 "createIncident": true,