From 546bf07235c16e88770710b44468177cd3cd5e81 Mon Sep 17 00:00:00 2001
From: ShaniFelig <74960756+ShaniFelig@users.noreply.github.com>
Date: Mon, 30 Jan 2023 04:09:28 +0200
Subject: [PATCH] Alert Rules - add alert details override changes and PUT example (#22196)

* add alert details override changes and PUT example
* add missing brace
* add closing brace for alertDetailsOverride
* add dynamic properties to 200 response
* add dynamic details to 201 response

---------

Co-authored-by: ShaniFelig
---
 .../stable/2023-02-01/AlertRules.json | 78 +++++++++++++++++++
 .../alertRules/CreateScheduledAlertRule.json | 48 ++++++++++--
 2 files changed, 121 insertions(+), 5 deletions(-)

diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json
index 411f71609143..3ca6f0963fa3 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json
@@ -1305,6 +1305,27 @@
 "alertSeverityColumnName": {
 "description": "the column name to take the alert severity from",
 "type": "string"
+ },
+ "alertDynamicProperties": {
+ "description": "List of additional dynamic properties to override",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AlertPropertyMapping"
+ },
+ "x-ms-identifiers": []
+ }
+ },
+ "type": "object"
+ },
+ "AlertPropertyMapping": {
+ "description": "A single alert property mapping to override",
+ "properties": {
+ "alertProperty": {
+ "$ref": "#/definitions/AlertProperty"
+ },
+ "value": {
+ "description": "the column name to use to override this property",
+ "type": "string"
 }
 },
 "type": "object"
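Review bot: `AlertPropertyMapping` declares `alertProperty` and `value` but no `required` list, so a mapping carrying only one of the two (or an empty object) validates against this schema even though it cannot be applied; add `"required": ["alertProperty", "value"]` next to `"properties"` in the new definition. Nothing in the `alertDynamicProperties` array schema stops two entries from naming the same `alertProperty`, and neither description says which one wins — if the service rejects duplicates, state that in the array's description, and consider a `maxItems` bound since the enum has nine members. The `value` description `"the column name to use to override this property"` would also be clearer as `"Name of the query result column whose value replaces this alert property"`, because that is the security-relevant part: for `AlertLink`, `ExtendedLinks` and `RemediationSteps` it means analyst-facing links and instructions come from log data at alert time rather than from the rule definition, and this hunk does not say whether the service validates the column content (for example that `AlertLink` is a well-formed URL); confirm and document the expected column format per property.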
@@ -1739,6 +1760,63 @@
 }
 ]
 }
+ },
+ "AlertProperty": {
+ "description": "The V3 alert property",
+ "enum": [
+ "AlertLink",
+ "ConfidenceLevel",
+ "ConfidenceScore",
+ "ExtendedLinks",
+ "ProductName",
+ "ProviderName",
+ "ProductComponentName",
+ "RemediationSteps",
+ "Techniques"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AlertProperty",
+ "values": [
+ {
+ "description": "Alert's link",
+ "value": "AlertLink"
+ },
+ {
+ "description": "Confidence level property",
+ "value": "ConfidenceLevel"
+ },
+ {
+ "description": "Confidence score",
+ "value": "ConfidenceScore"
+ },
+ {
+ "description": "Extended links to the alert",
+ "value": "ExtendedLinks"
+ },
+ {
+ "description": "Product name alert property",
+ "value": "ProductName"
+ },
+ {
+ "description": "Provider name alert property",
+ "value": "ProviderName"
+ },
+ {
+ "description": "Product component name alert property",
+ "value": "ProductComponentName"
+ },
+ {
+ "description": "Remediation steps alert property",
+ "value": "RemediationSteps"
+ },
+ {
+ "description": "Techniques alert property",
+ "value": "Techniques"
+ }
+ ]
+ }
 }
 },
 "parameters": {
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json
index 37344a86d58b..97eb9d7896ea 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json
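Review bot: The `AlertProperty` description `"The V3 alert property"` tells an SDK consumer nothing about what this enum is for; suggest `"Alert property that can be overridden from a query result column"`. The per-value descriptions (`"Alert's link"`, `"Confidence score"`, `"Techniques alert property"`) only restate the member name, and nowhere in the hunk is the expected content of the backing column stated — a URL for `AlertLink`, a number for `ConfidenceScore`, an identifier list for `Techniques`, and so on — which is what a rule author actually needs when wiring a column to one of these. With `"modelAsString": true` generated clients will also send names outside this list, so a sentence on how the service treats an unknown property name would be worth adding to the top-level description. The closing braces at the end of the hunk belong to the `definitions` object, which starts and ends outside the hunk.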
@@ -54,7 +54,21 @@
 ],
 "alertDetailsOverride": {
 "alertDisplayNameFormat": "Alert from {{Computer}}",
- "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}"
+ "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+ "alertDynamicProperties": [
+ {
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
+ },
+ {
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
+ },
+ {
+ "alertProperty": "AlertLink",
+ "value": "Link"
+ }
+ ]
 },
 "incidentConfiguration": {
 "createIncident": true,
@@ -134,8 +148,20 @@
 "alertDetailsOverride": {
 "alertDisplayNameFormat": "Alert from {{Computer}}",
 "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
- "alertTacticsColumnName": null,
- "alertSeverityColumnName": null
+ "alertDynamicProperties": [
+ {
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
+ },
+ {
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
+ },
+ {
+ "alertProperty": "AlertLink",
+ "value": "Link"
+ }
+ ]
 },
 "incidentConfiguration": {
 "createIncident": true,
@@ -214,8 +240,20 @@
 "alertDetailsOverride": {
 "alertDisplayNameFormat": "Alert from {{Computer}}",
 "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
- "alertTacticsColumnName": null,
- "alertSeverityColumnName": null
+ "alertDynamicProperties": [
+ {
+ "alertProperty": "ProductComponentName",
+ "value": "ProductComponentNameCustomColumn"
+ },
+ {
+ "alertProperty": "ProductName",
+ "value": "ProductNameCustomColumn"
+ },
+ {
+ "alertProperty": "AlertLink",
+ "value": "Link"
+ }
+ ]
 },
 "incidentConfiguration": {
 "createIncident": true,
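Review bot: The request example in the first hunk maps `ProductComponentName`, `ProductName` and `AlertLink` to columns named `ProductComponentNameCustomColumn`, `ProductNameCustomColumn` and `Link`, but whether the rule's `query` (above this hunk, outside the diff) projects columns with those names cannot be checked from here; if it does not, the example documents an override that never fires, so either extend the query to project those three columns or point the mappings at columns it already returns. The `AlertLink` → `Link` mapping is also the one case where the example should show a realistic column, since an analyst will be clicking whatever that column contains. The 200 and 201 hunks drop the `"alertTacticsColumnName": null` and `"alertSeverityColumnName": null` lines the old response examples carried; if the service still returns those keys as null for a rule that does not set them, the response examples no longer match the real payload — worth confirming against a live PUT before merging.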