diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 544974958663..88e1a4ff1e04 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -62,8 +62,8 @@ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { "get": { "x-ms-examples": { - "Get all scheduled alert rules.": { - "$ref": "./examples/alertRules/GetScheduledAlertRules.json" + "Get all alert rules.": { + "$ref": "./examples/alertRules/GetAllAlertRules.json" } }, "tags": [ @@ -110,8 +110,14 @@ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { "get": { "x-ms-examples": { - "Get a scheduled alert rule.": { - "$ref": "./examples/alertRules/GetScheduledAlertRuleById.json" + "Get a Scheduled alert rule.": { + "$ref": "./examples/alertRules/GetScheduledAlertRule.json" + }, + "Get a Fusion alert rule.": { + "$ref": "./examples/alertRules/GetFusionAlertRule.json" + }, + "Get a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" } }, "tags": [ 
@@ -156,8 +162,14 @@ }, "put": { "x-ms-examples": { - "Creates or updates a scheduled alert rule.": { + "Creates or updates a Scheduled alert rule.": { "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" + }, + "Creates or updates a Fusion alert rule.": { + "$ref": "./examples/alertRules/CreateFusionAlertRule.json" + }, + "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" } }, "tags": [ @@ -211,8 +223,8 @@ }, "delete": { "x-ms-examples": { - "Delete a scheduled alert rule.": { - "$ref": "./examples/alertRules/DeleteScheduledAlertRule.json" + "Delete an alert rule.": { + "$ref": "./examples/alertRules/DeleteAlertRule.json" } }, "tags": [ @@ -2106,15 +2118,11 @@ "Action": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" } ], "description": "Action for alert rule.", "properties": { - "etag": { - "description": "Etag of the action.", - "type": "string" - }, "properties": { "$ref": "#/definitions/ActionProperties", "description": "Action properties", @@ -2186,7 +2194,7 @@ "AlertRule": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/AlertRuleKind" @@ -2194,12 +2202,6 @@ ], "description": "Alert rule.", "discriminator": "kind", - "properties": { - "etag": { - "description": "Etag of the alert rule.", - "type": "string" - } - }, "type": "object" }, "AlertRuleKind": { @@ -2209,7 +2211,7 @@ "description": "The kind of the alert rule", "enum": [ "Scheduled", - "Filter", + "MicrosoftSecurityIncidentCreation", "Fusion" ], "type": "string", @@ -2221,7 +2223,7 @@ "value": "Scheduled" }, { - "value": "Filter" + "value": "MicrosoftSecurityIncidentCreation" }, { "value": "Fusion" 
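Review bot: Replacing `Filter` with `MicrosoftSecurityIncidentCreation` in the `AlertRuleKind` enum (and in the matching `x-ms-enum` values in the next hunk) removes a discriminator value from an api-version that is already published as 2019-01-01-preview, so any stored rule or client request that still carries `"kind": "Filter"` will no longer deserialize against regenerated models. If the service can still return `Filter` for previously created rules, keep the old value alongside the new one with a description marking it deprecated; if it never shipped, a one-line statement to that effect in the PR description would justify the in-place rename. The `x-ms-discriminator-value` entries later in the diff must stay in lockstep with whichever set of values is kept here.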
@@ -2243,10 +2245,69 @@ ], "description": "Alert rule template.", "discriminator": "kind", + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", "properties": { - "etag": { - "description": "Etag of the alert rule.", + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/DataConnectorStatus" + }, + "type": "array" + }, + "status": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" } }, "type": "object" @@ -2315,7 +2376,7 @@ ], "type": "string", "x-ms-enum": { - "modelAsString": false, + "modelAsString": true, "name": "AlertSeverity", "values": [ { 
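Review bot: The `Installed` value in the new `AlertRuleTemplatePropertiesBase.status` enum keeps the description `Alert rule template installed. and can not use more then once`, carried over verbatim from the deleted `BaseAlertRuleTemplateProperties`, and it renders as two broken sentences in generated reference docs; suggest `"description": "Alert rule template is installed and cannot be used more than once."`. Since the block is being moved anyway, this is the cheapest moment to fix it.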
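Review bot: Flipping `modelAsString` from `false` to `true` on `AlertSeverity` here, and on `AttackTactic`, `DataTypeStatus` and the moved `TemplateStatus` enum in later hunks, changes the generated SDK type from a closed enum to an extensible string within the same 2019-01-01-preview api-version, which is a source-breaking change for every already-generated client. It is the right direction for forward compatibility, since the service can then add values such as the new `Impact` tactic without breaking deployed clients, but the PR description should call it out explicitly as an SDK-breaking change so SDK owners regenerate deliberately rather than discovering it in a build.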
@@ -2365,11 +2426,12 @@ "LateralMovement", "Collection", "Exfiltration", - "CommandAndControl" + "CommandAndControl", + "Impact" ], "type": "string", "x-ms-enum": { - "modelAsString": false, + "modelAsString": true, "name": "AttackTactic" } }, 
@@ -2452,82 +2514,14 @@ }, "type": "object" }, - "BaseAlertRuleTemplateProperties": { - "description": "Base alert rule template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data connectors for this template", - "items": { - "$ref": "#/definitions/DataConnectorStatus" - }, - "type": "array" - }, - "status": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "type": "object" - }, "Bookmark": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" } ], "description": "Represents a bookmark in Azure Security Insights.", "properties": { - "etag": { - "description": "Etag of the bookmark.", - "type": "string" - }, "properties": { "$ref": "#/definitions/BookmarkProperties", "description": "Bookmark properties", 
@@ -2612,15 +2606,11 @@ "Case": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" } ], "description": "Represents a case in Azure Security Insights.", "properties": { - "etag": { - "description": "Etag of the alert rule.", - "type": "string" - }, "properties": { "$ref": "#/definitions/CaseProperties", "description": "Case properties", @@ -3061,7 +3051,7 @@ "DataConnector": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/DataConnectorKind" @@ -3069,12 +3059,6 @@ ], "description": "Data connector.", "discriminator": "kind", - "properties": { - "etag": { - "description": "Etag of the data connector.", - "type": "string" - } - }, "type": "object" }, "DataConnectorDataTypeCommon": { @@ -3180,7 +3164,7 @@ ], "type": "string", "x-ms-enum": { - "modelAsString": false, + "modelAsString": true, "name": "DataTypeStatus" } }, 
@@ -3790,60 +3774,68 @@ }, "type": "object" }, - "FilterAlertRuleTemplate": { + "FusionAlertRule": { "allOf": [ { - "$ref": "#/definitions/AlertRuleTemplate" + "$ref": "#/definitions/AlertRule" } ], - "description": "Represents filter alert rule template.", + "description": "Represents Fusion alert rule.", "properties": { "properties": { - "allOf": [ - { - "$ref": "#/definitions/BaseAlertRuleTemplateProperties" - }, - { - "$ref": "#/definitions/FilterAlertRuleTemplateProperties" - } - ], - "description": "Filter alert rule template properties", - "required": [ - "displayName", - "description", - "createdDateUTC", - "status", - "alertRulesCreatedByTemplateCount", - "filterProduct" - ], + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Filter" + "x-ms-discriminator-value": "Fusion" }, - "FilterAlertRuleTemplateProperties": { - "description": "Filter alert rule template property bag.", + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", "properties": { - "filterProduct": { - "description": "The filter product name for this template rule.", + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", "type": "string" }, - "filterSeverities": { - "description": "the alert’s severities on which the cases will be generated", - "items": { - "$ref": "#/definitions/AlertSeverity" - }, - "type": "array" + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been 
modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true }, - "filterTitles": { - "description": "the alert’s titles on which the cases will be generated", + "tactics": { + "description": "The tactics of the alert rule", "items": { - "type": "string" + "$ref": "#/definitions/AttackTactic" }, + "readOnly": true, "type": "array" } }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], "type": "object" }, "FusionAlertRuleTemplate": { @@ -3852,23 +3844,26 @@ "$ref": "#/definitions/AlertRuleTemplate" } ], - "description": "Represents fusion alert rule template.", + "description": "Represents Fusion alert rule template.", "properties": { "properties": { "allOf": [ { - "$ref": "#/definitions/BaseAlertRuleTemplateProperties" - }, - { - "$ref": "#/definitions/FusionAlertRuleTemplateProperties" + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" } ], "description": "Fusion alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + } + }, "required": [ "displayName", "description", - "createdDateUTC", "status", + "severity", "alertRulesCreatedByTemplateCount" ], "x-ms-client-flatten": true @@ -3877,16 +3872,6 @@ "type": "object", "x-ms-discriminator-value": "Fusion" }, - "FusionAlertRuleTemplateProperties": { - "description": "Filter alert rule template property bag.", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - } - }, - "type": "object" - }, "GeoLocation": { "description": "The geo-location context attached to the ip entity", "properties": { 
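Review bot: `lastModifiedUtc` in the new `FusionAlertRuleProperties` is described as `The last time that this alert has been modified.`, but the property belongs to the rule, not to an alert; the `ScheduledAlertRuleProperties` block later in this diff already uses `"description": "The last time that this alert rule has been modified."`, so this block and the equivalent field in `MicrosoftSecurityIncidentCreationAlertRuleProperties` should adopt the same wording. Consistent descriptions matter here because they become the generated SDK doc-comments for three otherwise identical fields.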
@@ -4217,6 +4202,137 @@ }, "type": "object" }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + 
}, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, "OfficeConsent": { "allOf": [ { @@ -4683,6 +4799,20 @@ }, "x-ms-azure-resource": true }, + "ResourceWithEtag": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "An azure resource object with an Etag property", + "properties": { + "etag": { + "description": "Etag of the azure resource", + "type": "string" + } + } + }, "ScheduledAlertRule": { "allOf": [ { 
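Review bot: `MicrosoftSecurityIncidentCreationAlertRuleTemplate` lists `createdDateUTC` under `required`, yet the property is declared `readOnly: true` in `AlertRuleTemplatePropertiesBase`, and this same commit removes `createdDateUTC` from the required lists of the Fusion and Scheduled templates; a property that callers can only read should not be part of the required contract, and the three templates now disagree on the minimum shape of a response. Drop `"createdDateUTC",` from this required list to match the other two. `productFilter` is also listed as required both in `MicrosoftSecurityIncidentCreationAlertRuleProperties` and in the `...CommonProperties` it inherits via `allOf`; the duplicate is harmless but can go.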
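Review bot: The new `ResourceWithEtag` definition has no `"type": "object"`, unlike every other definition touched in this diff (`Action`, `AlertRule`, `Bookmark`, `Case` and the rest all carry `"type": "object"`); add `"type": "object"` after the `properties` block so the base type is modelled the same way as the resources that now inherit from it. The `etag` description `Etag of the azure resource` should also capitalise `Azure`, matching the `Represents a bookmark in Azure Security Insights.` wording used elsewhere in the file.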
@@ -4700,26 +4830,9 @@ "type": "object", "x-ms-discriminator-value": "Scheduled" }, - "ScheduledAlertRuleProperties": { - "description": "Alert rule property bag.", + "ScheduledAlertRuleCommonProperties": { + "description": "Schedule alert rule template property bag.", "properties": { - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "readOnly": true, - "type": "string" - }, "query": { "description": "The query that creates alerts for this rule.", "type": "string" 
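Review bot: `ScheduledAlertRuleCommonProperties` is described as `Schedule alert rule template property bag.`, but the definition is now shared by `ScheduledAlertRuleProperties` and `ScheduledAlertRuleTemplate` through `allOf`, so the word "template" misleads readers of the rule model and the verb form is wrong; suggest `"description": "Scheduled alert rule common property bag."`. The body of this definition continues in the next hunk.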
@@ -4738,6 +4851,47 @@ "$ref": "#/definitions/AlertSeverity", "description": "The severity for alerts created by this alert rule." }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer" + } + }, + "type": "object" + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, "suppressionDuration": { "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", "format": "duration", 
@@ -4747,20 +4901,18 @@ "description": "Determines whether the suppression for this alert rule is enabled or disabled.", "type": "boolean" }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "type": "integer" + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" } }, "required": [ "displayName", - "description", - "severity", "enabled", + "severity", "query", "queryFrequency", "queryPeriod", @@ -4782,19 +4934,17 @@ "properties": { "allOf": [ { - "$ref": "#/definitions/BaseAlertRuleTemplateProperties" + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" }, { - "$ref": "#/definitions/ScheduledAlertRuleTemplateProperties" + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" } ], "description": "Scheduled alert rule template properties", "required": [ "displayName", "description", - "createdDateUTC", "status", - "requiredDataConnectors", "alertRulesCreatedByTemplateCount", "severity", "query", 
@@ -4809,38 +4959,6 @@ "type": "object", "x-ms-discriminator-value": "Scheduled" }, - "ScheduledAlertRuleTemplateProperties": { - "description": "Schedule alert rule template property bag.", - "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" - }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "type": "integer" - } - }, - "type": "object" - }, "SecurityAlert": { "allOf": [ { @@ -5206,7 +5324,7 @@ "Settings": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/SettingsKind" @@ -5214,12 +5332,6 @@ ], "description": "The Setting.", "discriminator": "kind", - "properties": { - "etag": { - "description": "Etag of the alert rule.", - "type": "string" - } - }, "type": "object" }, "SettingsKind": { @@ -5721,4 +5833,4 @@ "x-ms-parameter-location": "method" } } -} +} \ No newline at end of file diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 761488cfb9cf..be1bf6b9329e 100644 
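Review bot: The last hunk in this file replaces the closing `}` with a copy that has no trailing newline (`\ No newline at end of file`), a regression from the previous revision that produces a spurious one-line diff on every future edit to the spec and trips tools that expect POSIX text files; restore the newline after the final `}`. The other hunks on this line (removal of `ScheduledAlertRuleTemplateProperties` and the `Settings` move to `ResourceWithEtag`) are consistent with the rest of the refactor.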
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -16,26 +16,26 @@ "kind": "Scheduled", "properties": { "severity": "Low", - "query": "\nlet timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n", - "queryFrequency": "1.00:00:00", - "queryPeriod": "1.00:00:00", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, - "displayName": "AWS - Changes to VPC settings", - "description": "This alert monitors changes to VPC settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\n", + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", "tactics": [ - "LateralMovement", - "PrivilegeEscalation" + "PrivilegeEscalation", + "LateralMovement" ], - "createdDateUTC": "2019-02-27T00:00:00", - "status": "NotAvailable", + 
"createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AWS", - "dataTypes": { - "AWSCloudTrail": "NotExist" + { + "connectorId": "AWS", + "dataTypes": { + "AWSCloudTrail": "Exist" + } } - } ], "alertRulesCreatedByTemplateCount": 0 } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json index eac47ee14c98..31611d1ace08 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json 
@@ -17,26 +17,26 @@ "kind": "Scheduled", "properties": { "severity": "Low", - "query": "\nlet timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n", - "queryFrequency": "1.00:00:00", - "queryPeriod": "1.00:00:00", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, - "displayName": "AWS - Changes to VPC settings", - "description": "This alert monitors changes to VPC settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\n", + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", "tactics": [ - "LateralMovement", - "PrivilegeEscalation" + "PrivilegeEscalation", + "LateralMovement" ], - "createdDateUTC": "2019-02-27T00:00:00", - "status": "NotAvailable", + 
"createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AWS", - "dataTypes": { - "AWSCloudTrail": "NotExist" + { + "connectorId": "AWS", + "dataTypes": { + "AWSCloudTrail": "Exist" + } } - } ], "alertRulesCreatedByTemplateCount": 0 } 
@@ -47,36 +47,31 @@ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Fusion", "properties": { - "displayName": "Fusion Detections", + "displayName": "Advanced Multi-Stage Attack Detection", "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n", "tactics": [ - "Persistence", - "Exfiltration" + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" ], - "createdDateUTC": "2019-07-25T00:00:00", + "createdDateUTC": "2019-07-25T00:00:00Z", "status": "Available", + "severity": "High", "alertRulesCreatedByTemplateCount": 0 } }, { - "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirInt/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb7b4e69-085d-44dd-9227-9b0d67af9fe7", - "name": "eb7b4e69-085d-44dd-9227-9b0d67af9fe7", + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb", + "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "kind": "Filter", + "kind": "MicrosoftSecurityIncidentCreation", "properties": { - "filterProduct": "Azure Active Directory Identity Protection", - "displayName": "All alerts from AADIP", - "description": "All alerts from AADIP\n", - "createdDateUTC": "2019-07-16T00:00:00", + "productFilter": "Microsoft Cloud App Security", + "displayName": "Create incidents based on Microsoft Cloud App Security alerts", + "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security", + 
"createdDateUTC": "2019-07-16T00:00:00Z", "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectoryIdentityProtection", - "dataTypes": { - "SecurityAlert": "Exist" - } - } - ], "alertRulesCreatedByTemplateCount": 0 } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateFusionAlertRule.json new file mode 100644 index 000000000000..d3fc30ca7c5c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateFusionAlertRule.json 
@@ -0,0 +1,66 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "myFirstFusionRule", + "alertRule": { + "kind": "Fusion", + "etag": "3d00c3ca-0000-0100-0000-5d42d5010000", + "properties": { + "enabled": "true", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. 
By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. 
By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..3a78f2fc919e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json 
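Review bot: The request body in this new example sends `"enabled": "true"` as a string, while `FusionAlertRuleProperties.enabled` is declared `"type": "boolean"` and both response bodies in the same file return `"enabled": true`; the example will fail model validation and misleads SDK users about the wire type, so change it to `"enabled": true`. The request `etag` is also given without the escaped surrounding quotes (`3d00c3ca-...`) whereas every response and the sibling example use the `"\"...\""` form; using one form keeps the example consistent with what the service echoes back.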
@@ -0,0 +1,61 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "ruleId": "microsoftSecurityIncidentCreationRuleExample",
+ "alertRule": {
+ "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "properties": {
+ "productFilter": "Microsoft Cloud App Security",
+ "displayName": "testing displayname",
+ "enabled": true
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+ "name": "microsoftSecurityIncidentCreationRuleExample",
+ "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "properties": {
+ "productFilter": "Microsoft Cloud App Security",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayName": "testing displayname",
+ "enabled": true,
+ "description": null,
+ "tactics": [],
+ "alertRuleTemplateName": null,
+ "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+ "name": "microsoftSecurityIncidentCreationRuleExample",
+ "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "properties": {
+ "productFilter": "Microsoft Cloud App Security",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayName": "testing displayname",
+ "enabled": true,
+ "description": null,
+ "tactics": [],
+ "alertRuleTemplateName": null,
+ "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateScheduledAlertRule.json
index ea715332f89b..8c5f6c5f8d8d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/CreateScheduledAlertRule.json
@@ -7,9 +7,6 @@
 "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
 "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "alertRule": {
- "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/alertRules",
 "kind": "Scheduled",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "properties": {
@@ -17,6 +14,10 @@
 "description": "",
 "severity": "High",
 "enabled": true,
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
 "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
 "queryFrequency": "PT1H",
 "queryPeriod": "P2DT1H30M",
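Review bot: The resource ids in both response bodies of this new example (the `"id"` values under `"200"` and `"201"`) use the provider segment `Microsoft.OperationalIinsights`, while the request parameter in the same file is `"operationalInsightsResourceProvider": "Microsoft.OperationalInsights"`; the two should agree, and the id should read `.../providers/Microsoft.OperationalInsights/workspaces/...`. The same misspelled segment appears in GetAllAlertRules.json, GetFusionAlertRule.json and GetMicrosoftSecurityIncidentCreationAlertRule.json, where it is also the value of the `operationalInsightsResourceProvider` parameter itself, so those examples describe a request path under a provider namespace that does not exist; the spelling appears to be inherited from the older examples this commit removes, but the new files are the chance to fix it. Separately, the response bodies here emit `"severitiesFilter": null`, `"displayNamesFilter": null`, `"description": null` and `"alertRuleTemplateName": null`, whereas the Fusion example omits fields it has no value for; these nulls only validate against the spec if the corresponding properties are declared x-nullable, which is not visible in this diff, so either confirm that or drop the null-valued keys.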
@@ -36,10 +37,15 @@
 "kind": "Scheduled",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "properties": {
+ "alertRuleTemplateName": null,
 "displayName": "Rule2",
 "description": "",
 "severity": "High",
 "enabled": true,
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
 "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
 "queryFrequency": "PT1H",
 "queryPeriod": "P2DT1H30M",
@@ -59,17 +65,23 @@
 "kind": "Scheduled",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "properties": {
+ "alertRuleTemplateName": null,
 "displayName": "Rule2",
 "description": "",
 "severity": "High",
 "enabled": true,
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
 "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
 "queryFrequency": "PT1H",
 "queryPeriod": "P2DT1H30M",
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "suppressionDuration": "PT1H",
- "suppressionEnabled": false
+ "suppressionEnabled": false,
+ "lastModifiedUtc": "2019-01-01T13:15:30Z"
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/DeleteScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/DeleteAlertRule.json
similarity index 100%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/DeleteScheduledAlertRule.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/DeleteAlertRule.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetAllAlertRules.json
new file mode 100644
index 000000000000..d467cb1a1d23
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetAllAlertRules.json
@@ -0,0 +1,82 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "Scheduled",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "alertRuleTemplateName": null,
+ "displayName": "Rule2",
+ "description": "",
+ "severity": "High",
+ "enabled": true,
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
+ "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P2DT1H30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "lastModifiedUtc": "2019-01-01T13:15:30Z"
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+ "name": "microsoftSecurityIncidentCreationRuleExample",
+ "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "properties": {
+ "productFilter": "Microsoft Cloud App Security",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayName": "testing displayname",
+ "enabled": true,
+ "description": null,
+ "tactics": [],
+ "alertRuleTemplateName": null,
+ "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+ "name": "myFirstFusionRule",
+ "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "Fusion",
+ "properties": {
+ "displayName": "Advanced Multi-Stage Attack Detection",
+ "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+ "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+ "tactics": [
+ "Persistence",
+ "LateralMovement",
+ "Exfiltration",
+ "CommandAndControl"
+ ],
+ "severity": "High",
+ "enabled": false,
+ "lastModifiedUtc": "2019-09-02T07:12:34.9065092Z"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetFusionAlertRule.json
new file mode 100644
index 000000000000..d53f95e4c84e
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetFusionAlertRule.json
@@ -0,0 +1,35 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "ruleId": "myFirstFusionRule"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+ "name": "myFirstFusionRule",
+ "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "Fusion",
+ "properties": {
+ "displayName": "Advanced Multi-Stage Attack Detection",
+ "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+ "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+ "tactics": [
+ "Persistence",
+ "LateralMovement",
+ "Exfiltration",
+ "CommandAndControl"
+ ],
+ "severity": "High",
+ "enabled": true,
+ "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json
new file mode 100644
index 000000000000..2aa4401ba452
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json
@@ -0,0 +1,32 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "ruleId": "microsoftSecurityIncidentCreationRuleExample"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+ "name": "microsoftSecurityIncidentCreationRuleExample",
+ "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+ "type": "Microsoft.SecurityInsights/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "properties": {
+ "productFilter": "Microsoft Cloud App Security",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayName": "testing displayname",
+ "enabled": true,
+ "description": null,
+ "tactics": [],
+ "alertRuleTemplateName": null,
+ "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRuleById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRule.json
similarity index 90%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRuleById.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRule.json
index 21dd07939632..cdb33a0877af 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRuleById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRule.json
@@ -16,10 +16,15 @@
 "kind": "Scheduled",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "properties": {
+ "alertRuleTemplateName": null,
 "displayName": "Rule2",
 "description": "",
 "severity": "High",
 "enabled": true,
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
 "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
 "queryFrequency": "PT1H",
 "queryPeriod": "P2DT1H30M",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRules.json
deleted file mode 100644
index 53be777607c7..000000000000
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRules/GetScheduledAlertRules.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "parameters": {
- "api-version": "2019-01-01-preview",
- "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
- "resourceGroupName": "myRg",
- "workspaceName": "myWorkspace",
- "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
- },
- "responses": {
- "200": {
- "body": {
- "value": [
- {
- "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/alertRules",
- "kind": "Scheduled",
- "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
- "properties": {
- "displayName": "Rule2",
- "description": "",
- "severity": "High",
- "enabled": true,
- "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
- "queryFrequency": "PT1H",
- "queryPeriod": "P2DT1H30M",
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "lastModifiedUtc": "2019-01-01T13:15:30Z"
- }
- }
- ]
- }
- }
- }
-}