Alert Rules - add alert details override changes and PUT example (#22196

) * add alert details override changes and PUT example * add missing brace * add closing brace for alertDetailsOverride * add dynamic properties to 200 response * add dynamic details to 201 response --------- Co-authored-by: ShaniFelig <[email protected]>
Azure · Jan 30, 2023 · 546bf07 · 546bf07
1 parent 10ae699
commit 546bf07
Show file tree

Hide file tree

Showing 2 changed files with 121 additions and 5 deletions.
diff --git a/...ityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json b/...ityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json
@@ -1305,6 +1305,27 @@
         "alertSeverityColumnName": {
           "description": "the column name to take the alert severity from",
           "type": "string"
+        },
+        "alertDynamicProperties": {
+          "description": "List of additional dynamic properties to override",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/AlertPropertyMapping"
+          },
+          "x-ms-identifiers": []
+        }
+      },
+      "type": "object"
+    },
+    "AlertPropertyMapping": {
+      "description": "A single alert property mapping to override",
+      "properties": {
+        "alertProperty": {
+          "$ref": "#/definitions/AlertProperty"
+        },
+        "value": {
+          "description": "the column name to use to override this property",
+          "type": "string"
         }
       },
       "type": "object"
@@ -1739,6 +1760,63 @@
           }
         ]
       }
+    },
+    "AlertProperty": {
+      "description": "The V3 alert property",
+      "enum": [
+        "AlertLink",
+        "ConfidenceLevel",
+        "ConfidenceScore",
+        "ExtendedLinks",
+        "ProductName",
+        "ProviderName",
+        "ProductComponentName",
+        "RemediationSteps",
+        "Techniques"
+      ],
+      "type": "string",
+      "x-ms-enum": {
+        "modelAsString": true,
+        "name": "AlertProperty",
+        "values": [
+          {
+            "description": "Alert's link",
+            "value": "AlertLink"
+          },
+          {
+            "description": "Confidence level property",
+            "value": "ConfidenceLevel"
+          },
+          {
+            "description": "Confidence score",
+            "value": "ConfidenceScore"
+          },
+          {
+            "description": "Extended links to the alert",
+            "value": "ExtendedLinks"
+          },
+          {
+            "description": "Product name alert property",
+            "value": "ProductName"
+          },
+          {
+            "description": "Provider name alert property",
+            "value": "ProviderName"
+          },
+          {
+            "description": "Product component name alert property",
+            "value": "ProductComponentName"
+          },
+          {
+            "description": "Remediation steps alert property",
+            "value": "RemediationSteps"
+          },
+          {
+            "description": "Techniques alert property",
+            "value": "Techniques"
+          }
+        ]
+      }
     }
   },
   "parameters": {

diff --git a/...soft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/...soft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json
@@ -54,7 +54,21 @@
         ],
         "alertDetailsOverride": {
           "alertDisplayNameFormat": "Alert from {{Computer}}",
-          "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}"
+          "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+          "alertDynamicProperties": [
+            {
+              "alertProperty": "ProductComponentName",
+              "value": "ProductComponentNameCustomColumn"
+            },
+            {
+              "alertProperty": "ProductName",
+              "value": "ProductNameCustomColumn"
+            },
+            {
+              "alertProperty": "AlertLink",
+              "value": "Link"
+            }
+          ]
         },
         "incidentConfiguration": {
           "createIncident": true,
@@ -134,8 +148,20 @@
           "alertDetailsOverride": {
             "alertDisplayNameFormat": "Alert from {{Computer}}",
             "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
-            "alertTacticsColumnName": null,
-            "alertSeverityColumnName": null
+            "alertDynamicProperties": [
+              {
+                "alertProperty": "ProductComponentName",
+                "value": "ProductComponentNameCustomColumn"
+              },
+              {
+                "alertProperty": "ProductName",
+                "value": "ProductNameCustomColumn"
+              },
+              {
+                "alertProperty": "AlertLink",
+                "value": "Link"
+              }
+            ]
           },
           "incidentConfiguration": {
             "createIncident": true,
@@ -214,8 +240,20 @@
           "alertDetailsOverride": {
             "alertDisplayNameFormat": "Alert from {{Computer}}",
             "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
-            "alertTacticsColumnName": null,
-            "alertSeverityColumnName": null
+            "alertDynamicProperties": [
+              {
+                "alertProperty": "ProductComponentName",
+                "value": "ProductComponentNameCustomColumn"
+              },
+              {
+                "alertProperty": "ProductName",
+                "value": "ProductNameCustomColumn"
+              },
+              {
+                "alertProperty": "AlertLink",
+                "value": "Link"
+              }
+            ]
           },
           "incidentConfiguration": {
             "createIncident": true,