From 21e1963daf03644aaccc26870b160f20b5b45c7f Mon Sep 17 00:00:00 2001
From: Netanel Cohen
Date: Thu, 8 Sep 2022 15:54:11 +0300
Subject: [PATCH 1/2] Add SentinelEntities and extend AlertDetailsOverride
---
 .../2022-10-01-preview/AlertRules.json | 112 ++++++++++++++++++
 .../alertRules/CreateScheduledAlertRule.json | 21 +++-
 2 files changed, 132 insertions(+), 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
index c3d41dd02398..55bdada894c4 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/AlertRules.json
@@ -797,6 +797,10 @@
 "eventGroupingSettings": {
 "$ref": "#/definitions/EventGroupingSettings",
 "description": "The event grouping settings."
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
@@ -1759,6 +1763,10 @@
 "eventGroupingSettings": {
 "$ref": "#/definitions/EventGroupingSettings",
 "description": "The event grouping settings."
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "required": [
@@ -1878,6 +1886,10 @@
 "type": "object",
 "$ref": "#/definitions/AlertDetailsOverride",
 "description": "The alert details override settings"
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
@@ -2051,6 +2063,10 @@
 "type": "object",
 "$ref": "#/definitions/AlertDetailsOverride",
 "description": "The alert details override settings"
+ },
+ "sentinelEntitiesMappings": {
+ "$ref": "#/definitions/SentinelEntitiesMappings",
+ "description": "Array of the sentinel entity mappings of the alert rule"
 }
 },
 "type": "object"
@@ -2094,6 +2110,24 @@
 },
 "type": "object"
 },
+ "SentinelEntitiesMappings": {
+ "description": "List of sentinel entity mappings of the alert rule",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/SentinelEntityMapping"
+ },
+ "x-ms-identifiers": []
+ },
+ "SentinelEntityMapping": {
+ "description": "A single sentinel entity mapping",
+ "properties": {
+ "columnName": {
+ "description": "the column name to be mapped to the SentinelEntities",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
 "AlertDetailsOverride": {
 "description": "Settings for how to dynamically override alert static details",
 "properties": {
@@ -2112,6 +2146,27 @@
 "alertSeverityColumnName": {
 "description": "the column name to take the alert severity from",
 "type": "string"
+ },
+ "alertDynamicProperties": {
+ "description": "List of additional dynamic properties to override",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AlertPropertyMapping"
+ },
+ "x-ms-identifiers": []
+ }
+ },
+ "type": "object"
+ },
+ "AlertPropertyMapping": {
+ "description": "A single alert property mapping to override",
+ "properties": {
+ "alertProperty": {
+ "$ref": "#/definitions/AlertProperty"
+ },
+ "value": {
+ "description": "the column name to use to override this property",
+ "type": "string"
 }
 },
 "type": "object"
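Review bot: `SentinelEntityMapping` in the -2094 hunk declares no `required` list, so an empty object `{}` validates as a mapping even though `columnName` is its only property and the mapping means nothing without it; add `"required": ["columnName"]` to the definition. The description "the column name to be mapped to the SentinelEntities" also leaves unsaid where the column comes from and what it must hold; something like `"description": "Name of a column in the rule query's result whose value holds the Sentinel entities for the alert"` would tell a caller what the service expects, assuming (as the sibling `...ColumnName` fields suggest) this is a column of the scheduled query output.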
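Review bot: `AlertPropertyMapping` in the -2112 hunk makes both `alertProperty` and `value` optional, so `{"alertProperty": "AlertLink"}` with no column, or `{"value": "Link"}` with no target property, passes schema validation and the failure is deferred to the service; add `"required": ["alertProperty", "value"]`. The property named `value` actually carries a column name (its description says so), which breaks the convention of the surrounding `alertSeverityColumnName` / `alertTacticsColumnName` style fields; if the name cannot change at this point, the description should at least make clear that it is a query result column and not a literal value, e.g. `"description": "Name of the query result column whose value overrides this alert property; not a literal value"`. The enclosing `definitions` object continues outside the hunk.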
@@ -2426,6 +2481,63 @@
 }
 ]
 }
+ },
+ "AlertProperty": {
+ "description": "The V3 alert property",
+ "enum": [
+ "AlertLink",
+ "ConfidenceLevel",
+ "ConfidenceScore",
+ "ExtendedLinks",
+ "ProductName",
+ "ProviderName",
+ "ProductComponentName",
+ "RemediationSteps",
+ "Techniques"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AlertProperty",
+ "values": [
+ {
+ "description": "Alert's link",
+ "value": "AlertLink"
+ },
+ {
+ "description": "Confidence level property",
+ "value": "ConfidenceLevel"
+ },
+ {
+ "description": "Confidence score",
+ "value": "ConfidenceScore"
+ },
+ {
+ "description": "Extended links to the alert",
+ "value": "ExtendedLinks"
+ },
+ {
+ "description": "Product name alert property",
+ "value": "ProductName"
+ },
+ {
+ "description": "Provider name alert property",
+ "value": "ProviderName"
+ },
+ {
+ "description": "Product component name alert property",
+ "value": "ProductComponentName"
+ },
+ {
+ "description": "Remediation steps alert property",
+ "value": "RemediationSteps"
+ },
+ {
+ "description": "Techniques alert property",
+ "value": "Techniques"
+ }
+ ]
+ }
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
index 1b21183d7f9d..b005bbbaea05 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
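Review bot: The `AlertLink`, `ExtendedLinks` and `RemediationSteps` members of the new `AlertProperty` enum let a rule populate link- and instruction-bearing alert fields from a query result column, and nothing in this hunk or the `AlertPropertyMapping` it is referenced from says how such values are validated. Since a scheduled query reads ingested log data, the column content is in general attacker-influenceable, so if the service renders these fields as clickable links or free text in the portal it should enforce a scheme/format (for example absolute `https` URLs for `AlertLink`) and the enum descriptions should say so; I cannot tell from the spec whether that check exists. At minimum expand the one-word descriptions, e.g. `"description": "Alert's link; when sourced from a query column the value must be an absolute http(s) URL"`, and give `ConfidenceLevel` / `ConfidenceScore` their expected value domain (level names, score range) so callers know what the column must contain.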
@@ -55,9 +55,28 @@
 ]
 }
 ],
+ "sentinelEntitiesMappings": [
+ {
+ "columnName": "Entities"
+ }
+ ],
 "alertDetailsOverride": {
 "alertDisplayNameFormat": "Alert from {{Computer}}",
- "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}"
+ "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+ "alertDynamicProperties": [
+ {
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
+ },
+ {
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
+ },
+ {
+ "alertProperty": "AlertLink",
+ "value": "Link"
+ }
+ ]
 },
 "incidentConfiguration": {
 "createIncident": true,
From 129cef2ceda8a529468faac48e2070c1ae5b3fee Mon Sep 17 00:00:00 2001
From: Netanel Cohen
Date: Sun, 11 Sep 2022 11:45:26 +0300
Subject: [PATCH 2/2] Add SentinelEntities and extend AlertDetailsOverride
---
 .../alertRules/CreateScheduledAlertRule.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
index b005bbbaea05..633b2700fe15 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-10-01-preview/examples/alertRules/CreateScheduledAlertRule.json
@@ -57,7 +57,7 @@
 ],
 "sentinelEntitiesMappings": [
 {
- "columnName": "Entities"
+ "columnName": "Entities"
 }
 ],
 "alertDetailsOverride": {
@@ -65,16 +65,16 @@
 "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
 "alertDynamicProperties": [
 {
- "alertProperty": "ProductComponentName",
- "value": "ProductComponentNameCustomColumn"
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
 },
 {
- "alertProperty": "ProductName",
- "value": "ProductNameCustomColumn"
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
 },
 {
- "alertProperty": "AlertLink",
- "value": "Link"
+ "alertProperty": "AlertLink",
+ "value": "Link"
 }
 ]
 },