diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json index fa13084d8432..04ea7ff97698 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json @@ -88,6 +88,9 @@ "Get a Scheduled alert rule.": { "$ref": "./examples/alertRules/GetScheduledAlertRule.json" }, + "Get an Nrt alert rule.": { + "$ref": "./examples/alertRules/GetNrtAlertRule.json" + }, "Get a Fusion alert rule.": { "$ref": "./examples/alertRules/GetFusionAlertRule.json" }, @@ -140,6 +143,9 @@ "Creates or updates a Scheduled alert rule.": { "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" }, + "Creates or updates a Nrt alert rule.": { + "$ref": "./examples/alertRules/CreateNrtAlertRule.json" + }, "Creates or updates a Fusion alert rule.": { "$ref": "./examples/alertRules/CreateFusionAlertRule.json" }, @@ -622,7 +628,8 @@ "MicrosoftSecurityIncidentCreation", "Fusion", "MLBehaviorAnalytics", - "ThreatIntelligence" + "ThreatIntelligence", + "NRT" ], "type": "string", "x-ms-enum": { @@ -643,6 +650,9 @@ }, { "value": "ThreatIntelligence" + }, + { + "value": "NRT" } ] } 
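Review bot: The two new x-ms-examples keys in the -88 and -140 hunks are worded inconsistently, `"Get an Nrt alert rule."` versus `"Creates or updates a Nrt alert rule."`, and both spell the kind as `Nrt` while the enum value the -622 and -643 hunks add is `NRT`. The sibling keys follow the enum spelling of their kind ("Scheduled", "Fusion"), so `"Get an NRT alert rule."` and `"Creates or updates an NRT alert rule."` would read consistently. The same Nrt/NRT mix recurs in the new definitions later in the diff, e.g. `"description": "Nrt alert rule base property bag."` next to `"x-ms-discriminator-value": "NRT"`.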
@@ -748,6 +758,47 @@ }, "type": "object" }, + "QueryBasedAlertRuleTemplateProperties": { + "description": "Query based alert rule template base property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "version": { + "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", + "type": "string" + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + } + }, + "type": "object" + }, "AlertRuleTemplatesList": { "description": "List all the alert rule templates.", "properties": { @@ -1256,13 +1307,8 @@ "type": "object", "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" }, - "ScheduledAlertRuleProperties": { - "allOf": [ - { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule base property bag.", + "QueryBasedAlertRuleProperties": { + "description": "Query based alert rule base property bag.", "properties": { "alertRuleTemplateName": { "description": "The Name of the alert rule template used to create this rule.", 
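Review bot: `QueryBasedAlertRuleTemplateProperties` in the -748 hunk re-declares `query`, `severity`, `tactics`, `customDetails`, `entityMappings` and `alertDetailsOverride` with the same schemas that `QueryBasedAlertRuleProperties` declares in the following hunks, so the rule and template bags can drift apart on the next change. A small shared definition (say `QueryBasedAlertRuleCommonProperties`, name to be chosen) composed via `allOf` from both would keep one source of truth, leaving only `version` in the template bag and the rule-only fields in the rule bag. Separately, the `version` description reads `in format , where all are numbers` — the format placeholder appears to be missing (possibly lost in rendering; the identical text is removed from `ScheduledAlertRuleTemplate` in the -1350 hunk, so this is moved rather than new), and `alertDetailsOverride` carries `"type": "object"` beside `"$ref"`, a sibling that JSON Reference ignores and some validators warn about.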
@@ -1276,6 +1322,10 @@ "description": "The description of the alert rule.", "type": "string" }, + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, "displayName": { "description": "The display name for alerts created by this alert rule.", "type": "string" @@ -1299,6 +1349,10 @@ "description": "Determines whether the suppression for this alert rule is enabled or disabled.", "type": "boolean" }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, "tactics": { "description": "The tactics of the alert rule", "items": { @@ -1309,8 +1363,42 @@ "incidentConfiguration": { "$ref": "#/definitions/IncidentConfiguration", "description": "The settings of the incidents that created from alerts triggered by this analytics rule" + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" } }, + "required": [ + "displayName", + "enabled", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + }, + { + "$ref": "#/definitions/QueryBasedAlertRuleProperties" + } + ], + "description": "Scheduled alert rule base property bag.", "required": [ "displayName", "enabled", 
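Review bot: `QueryBasedAlertRuleProperties` gains `query` and `severity` in the -1276 and -1299 hunks, but the `required` list added in the -1309 hunk names only `displayName`, `enabled`, `suppressionEnabled` and `suppressionDuration`, so a query-based rule validates with neither a query nor a severity. `NrtAlertRuleProperties` (next hunk) composes that bag unchanged and adds no `required` of its own, while `NrtAlertRuleTemplate` lists `severity` and `query` as required; if the service rejects an NRT rule without them, the rule schema should say so, e.g. `"required": ["displayName", "enabled", "suppressionEnabled", "suppressionDuration", "query", "severity"]` on `NrtAlertRuleProperties`. Whether the old `ScheduledAlertRuleProperties` required these cannot be seen here, since its `required` list continues outside the hunk, so tightening the shared bag instead would need that check first.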
@@ -1325,6 +1413,15 @@ ], "type": "object" }, + "NrtAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/QueryBasedAlertRuleProperties" + } + ], + "description": "Nrt alert rule base property bag.", + "type": "object" + }, "ScheduledAlertRuleTemplate": { "allOf": [ { @@ -1338,6 +1435,9 @@ { "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" }, + { + "$ref": "#/definitions/QueryBasedAlertRuleTemplateProperties" + }, { "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" } @@ -1350,10 +1450,6 @@ "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" }, "type": "array" - }, - "version": { - "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", - "type": "string" } }, "required": [ @@ -1376,6 +1472,40 @@ "type": "object", "x-ms-discriminator-value": "Scheduled" }, + "NrtAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents NRT alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/QueryBasedAlertRuleTemplateProperties" + } + ], + "description": "NRT alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "version" + ], + "type": "object", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "NRT" + }, "EventGroupingSettings": { "description": "Event grouping settings property bag.", "properties": { 
@@ -1414,13 +1544,26 @@ "type": "object", "x-ms-discriminator-value": "Scheduled" }, + "NrtAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents NRT alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/NrtAlertRuleProperties", + "description": "NRT alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "NRT" + }, "ScheduledAlertRuleCommonProperties": { "description": "Scheduled alert rule template property bag.", "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, "queryFrequency": { "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", "format": "duration", @@ -1431,10 +1574,6 @@ "format": "duration", "type": "string" }, - "severity": { - "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", - "description": "The severity for alerts created by this alert rule." - }, "triggerOperator": { "$ref": "#/definitions/AlertRuleTriggerOperator", "description": "The operation against the threshold that triggers alert rule." @@ -1447,22 +1586,6 @@ "eventGroupingSettings": { "$ref": "#/definitions/EventGroupingSettings", "description": "The event grouping settings." - }, - "customDetails": { - "description": "Dictionary of string key-value pairs of columns to be attached to the alert", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "entityMappings": { - "$ref": "#/definitions/EntityMappings", - "description": "Array of the entity mappings of the alert rule" - }, - "alertDetailsOverride": { - "type": "object", - "$ref": "#/definitions/AlertDetailsOverride", - "description": "The alert details override settings" } }, "type": "object" 
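Review bot: The -1431 and -1447 hunks remove `query`, `severity`, `customDetails`, `entityMappings` and `alertDetailsOverride` from `ScheduledAlertRuleCommonProperties`, so any definition that composes it without also composing the new query-based bag silently loses those fields; `ScheduledAlertRuleProperties` and `ScheduledAlertRuleTemplate` are updated in earlier hunks, but any other consumer of the definition is outside this diff. Its `description` still reads `"Scheduled alert rule template property bag."` although it now holds only the scheduling fields (`queryFrequency`, `triggerOperator`, `eventGroupingSettings`, …) shared by rule and template; `"Scheduling properties shared by Scheduled alert rules and templates."` would describe the new shape. Note that `eventGroupingSettings` stays in this bag rather than moving to the query-based one, so it is not part of `NrtAlertRuleProperties` as composed in the -1325 hunk.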
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/CreateNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/CreateNrtAlertRule.json
new file mode 100644
index 000000000000..cdb112873a95
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/CreateNrtAlertRule.json
@@ -0,0 +1,119 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "alertRule": { + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + 
"createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/GetNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/GetNrtAlertRule.json new file mode 100644 index 000000000000..1c5db150e7d5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/alertRules/GetNrtAlertRule.json 
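Review bot: The request body in `CreateNrtAlertRule.json` sends `eventGroupingSettings`, but that property is declared on `ScheduledAlertRuleCommonProperties` (see the -1447 hunk), which `NrtAlertRuleProperties` does not compose, so the example does not conform to the NRT rule schema and a model validator should flag it; either drop the block from the request (the 200 and 201 bodies already omit it) or add `eventGroupingSettings` to `QueryBasedAlertRuleProperties` if NRT rules accept it. The example also sends `"api-version": "2019-01-01-preview"` although it lives under the `2021-09-01-preview` folder; `GetNrtAlertRule.json` does the same. Finally, `Microsoft.OperationalIinsights` (double i) appears in the response `id` values here and in the `operationalInsightsResourceProvider` parameter of `GetNrtAlertRule.json`, while this file's own parameter spells it `Microsoft.OperationalInsights`.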
@@ -0,0 +1,49 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + } + } +}