From f1e2910ee8ea527a3b773b0f79ee7ec5bea1c93d Mon Sep 17 00:00:00 2001 From: ShaniFelig Date: Sun, 15 Jan 2023 19:33:53 +0200 Subject: [PATCH 1/5] add alert details override changes and PUT example --- .../stable/2023-02-01/AlertRules.json | 78 +++++++++++++++++++ .../alertRules/CreateScheduledAlertRule.json | 53 ++++++++----- 2 files changed, 111 insertions(+), 20 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json index 411f71609143..3ca6f0963fa3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json @@ -1305,6 +1305,27 @@ "alertSeverityColumnName": { "description": "the column name to take the alert severity from", "type": "string" + }, + "alertDynamicProperties": { + "description": "List of additional dynamic properties to override", + "type": "array", + "items": { + "$ref": "#/definitions/AlertPropertyMapping" + }, + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "AlertPropertyMapping": { + "description": "A single alert property mapping to override", + "properties": { + "alertProperty": { + "$ref": "#/definitions/AlertProperty" + }, + "value": { + "description": "the column name to use to override this property", + "type": "string" } }, "type": "object" 
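Review bot: `AlertPropertyMapping` declares `alertProperty` and `value` but no `required` list, so a mapping with either half missing still validates against the schema; add `"required": ["alertProperty", "value"]` to the definition unless half-specified mappings are meant to be accepted. The `alertProperty` member also carries only the `$ref` and no description of its own, so generated docs show a bare enum reference; `"description": "The alert property to override"` next to the `$ref` would fix that. Because this array lets a rule point `AlertLink`, `ExtendedLinks` and `RemediationSteps` at a column of the query result, the description of `alertDynamicProperties` should say that the column's content becomes the property value, so that anything rendering those links or steps treats them as data coming out of the workspace rather than as text fixed by the rule author (assuming the service copies the column value through unchanged — worth confirming). The enclosing definition that holds `alertSeverityColumnName` starts before the hunk.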
@@ -1739,6 +1760,63 @@ } ] } + }, + "AlertProperty": { + "description": "The V3 alert property", + "enum": [ + "AlertLink", + "ConfidenceLevel", + "ConfidenceScore", + "ExtendedLinks", + "ProductName", + "ProviderName", + "ProductComponentName", + "RemediationSteps", + "Techniques" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertProperty", + "values": [ + { + "description": "Alert's link", + "value": "AlertLink" + }, + { + "description": "Confidence level property", + "value": "ConfidenceLevel" + }, + { + "description": "Confidence score", + "value": "ConfidenceScore" + }, + { + "description": "Extended links to the alert", + "value": "ExtendedLinks" + }, + { + "description": "Product name alert property", + "value": "ProductName" + }, + { + "description": "Provider name alert property", + "value": "ProviderName" + }, + { + "description": "Product component name alert property", + "value": "ProductComponentName" + }, + { + "description": "Remediation steps alert property", + "value": "RemediationSteps" + }, + { + "description": "Techniques alert property", + "value": "Techniques" + } + ] + } } }, "parameters": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json index 37344a86d58b..ab5ea4d9dfef 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json 
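Review bot: `"description": "The V3 alert property"` does not tell a reader what the enum selects or what "V3" refers to, and the per-value descriptions mostly restate the value name ("Product name alert property", "Techniques alert property"). Replace the top-level text with something like `"description": "Alert property whose value can be overridden with a column from the query result"` and give at least `ConfidenceLevel` and `ConfidenceScore` descriptions that say how the two differ, since nothing in the hunk distinguishes them. With `"modelAsString": true` the set is open on the client side, which is fine for adding properties later, but it also means a typo in `alertProperty` will not be rejected by generated SDKs, so the service-side validation of the name should be documented as the source of truth.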
@@ -54,29 +54,42 @@ ], "alertDetailsOverride": { "alertDisplayNameFormat": "Alert from {{Computer}}", - "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", - "matchingMethod": "Selected", - "groupByEntities": [ - "Host" - ], - "groupByAlertDetails": [ - "DisplayName" - ], - "groupByCustomDetails": [ - "OperatingSystemType", - "OperatingSystemName" - ] + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertDynamicProperties": [ + { + "alertProperty": "ProductComponentName", + "value": "ProductComponentNameCustomColumn" + }, + { + "alertProperty": "ProductName", + "value": "ProductNameCustomColumn" + }, + { + "alertProperty": "AlertLink", + "value": "Link" + } + ], + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } } } } - } }, "responses": { "200": { From 16df351686b20072f0c28069883fb96828909e96 Mon Sep 17 00:00:00 2001 From: ShaniFelig Date: Mon, 16 Jan 2023 11:52:07 +0200 Subject: [PATCH 2/5] add missing brace --- .../alertRules/CreateScheduledAlertRule.json | 305 +++++++++--------- 1 file changed, 153 insertions(+), 152 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json index ab5ea4d9dfef..3fe64221930f 100644 
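Review bot: The three new mappings reference `ProductComponentNameCustomColumn`, `ProductNameCustomColumn` and `Link`, but the example's query is `"query": "Heartbeat"` (visible in the response bodies of the same file), which as written emits only that table's own columns; unlike `customDetails`, which maps to `OSName` and `OSType`, these mappings name columns the query never produces, so the example is not a request that would work. Either map to columns the query emits or extend the query so the mapped names exist. Separately, on the new side the `]` closing `alertDynamicProperties` is followed by `incidentConfiguration` at the same level, so `incidentConfiguration` is now nested inside `alertDetailsOverride` and the file is missing a closing brace; patches 2 and 3 of this series repair that through two near-whole-file re-indents, so the three should be squashed so that no commit leaves the example unparseable and the one-brace fix is reviewable. The request `properties` object this hunk sits in starts before it.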
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json 
@@ -90,163 +90,164 @@ } } } - }, - "responses": { - "200": { - "body": { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/alertRules", - "kind": "Scheduled", - "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", - "properties": { - "alertRuleTemplateName": null, - "displayName": "My scheduled rule", - "description": "An example for a scheduled rule", - "severity": "High", - "enabled": true, - "tactics": [ - "Persistence", - "LateralMovement" - ], - "query": "Heartbeat", - "queryFrequency": "PT1H", - "queryPeriod": "P2DT1H30M", - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "lastModifiedUtc": "2021-03-01T13:17:30Z", - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "OperatingSystemName": "OSName", - "OperatingSystemType": "OSType" - }, - "entityMappings": [ - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "Computer" - } - ] + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "Heartbeat", + 
"queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ComputerIP" - } - ] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Alert from {{Computer}}", - "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", - "matchingMethod": "Selected", - "groupByEntities": [ - "Host" - ], - "groupByAlertDetails": [ - "DisplayName" - ], - "groupByCustomDetails": [ - "OperatingSystemType", - "OperatingSystemName" - ] + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } } } } - } - }, - 
"201": { - "body": { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/alertRules", - "kind": "Scheduled", - "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", - "properties": { - "alertRuleTemplateName": null, - "displayName": "My scheduled rule", - "description": "An example for a scheduled rule", - "severity": "High", - "enabled": true, - "tactics": [ - "Persistence", - "LateralMovement" - ], - "query": "Heartbeat", - "queryFrequency": "PT1H", - "queryPeriod": "P2DT1H30M", - "triggerThreshold": 0, - "triggerOperator": "GreaterThan", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "lastModifiedUtc": "2021-03-01T13:15:30Z", - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "OperatingSystemName": "OSName", - "OperatingSystemType": "OSType" - }, - "entityMappings": [ - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "Computer" - } - ] + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + 
"triggerThreshold": 0, + "triggerOperator": "GreaterThan", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ComputerIP" - } - ] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Alert from {{Computer}}", - "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", - "matchingMethod": "Selected", - "groupByEntities": [ - "Host" - ], - "groupByAlertDetails": [ - "DisplayName" - ], - "groupByCustomDetails": [ - "OperatingSystemType", - "OperatingSystemName" - ] + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } } } } 
From bb5b928fd3914ff9506cfc4efe92a0fe8f784e16 Mon Sep 17 00:00:00 2001 From: ShaniFelig Date: Mon, 16 Jan 2023 12:35:30 +0200 Subject: [PATCH 3/5] add closing brace for alertDetailsOverride --- .../alertRules/CreateScheduledAlertRule.json | 310 +++++++++--------- 1 file changed, 155 insertions(+), 155 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json index 3fe64221930f..a53433f32724 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json 
@@ -68,7 +68,89 @@ "alertProperty": "AlertLink", "value": "Link" } + ] + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + 
"alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { 
@@ -91,163 +173,81 @@ } } }, - "responses": { - "200": { - "body": { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/alertRules", - "kind": "Scheduled", - "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", - "properties": { - "alertRuleTemplateName": null, - "displayName": "My scheduled rule", - "description": "An example for a scheduled rule", - "severity": "High", - "enabled": true, - "tactics": [ - "Persistence", - "LateralMovement" - ], - "query": "Heartbeat", - "queryFrequency": "PT1H", - "queryPeriod": "P2DT1H30M", - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "lastModifiedUtc": "2021-03-01T13:17:30Z", - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "OperatingSystemName": "OSName", - "OperatingSystemType": "OSType" - }, - "entityMappings": [ - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "Computer" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ComputerIP" - } - ] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Alert from {{Computer}}", - "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": 
"Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerThreshold": 0, + "triggerOperator": "GreaterThan", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:15:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", - "matchingMethod": "Selected", - "groupByEntities": [ - "Host" - ], - "groupByAlertDetails": [ - "DisplayName" - ], - "groupByCustomDetails": [ - "OperatingSystemType", - "OperatingSystemName" - ] - } + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] } - } - } - }, - "201": { - "body": { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/alertRules", - "kind": "Scheduled", - "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", - "properties": { - "alertRuleTemplateName": null, - "displayName": "My scheduled rule", - "description": "An example for a scheduled rule", - "severity": "High", - "enabled": true, - "tactics": [ - 
"Persistence", - "LateralMovement" - ], - "query": "Heartbeat", - "queryFrequency": "PT1H", - "queryPeriod": "P2DT1H30M", - "triggerThreshold": 0, - "triggerOperator": "GreaterThan", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "lastModifiedUtc": "2021-03-01T13:15:30Z", - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "OperatingSystemName": "OSName", - "OperatingSystemType": "OSType" - }, - "entityMappings": [ - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "Computer" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "ComputerIP" - } - ] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Alert from {{Computer}}", - "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": true, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", - "matchingMethod": "Selected", - "groupByEntities": [ - "Host" - ], - "groupByAlertDetails": [ - "DisplayName" - ], - "groupByCustomDetails": [ - "OperatingSystemType", - "OperatingSystemName" - ] - } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] } } } 
From 2418aeaea580bf2854b7ec3bfc8dafd4ff61cf24 Mon Sep 17 00:00:00 2001 From: ShaniFelig Date: Mon, 16 Jan 2023 13:49:08 +0200 Subject: [PATCH 4/5] add dynamic properties to 200 response --- .../alertRules/CreateScheduledAlertRule.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json index a53433f32724..7bcfd7e6b0bd 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json @@ -148,8 +148,20 @@ "alertDetailsOverride": { "alertDisplayNameFormat": "Alert from {{Computer}}", "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null + "alertDynamicProperties": [ + { + "alertProperty": "ProductComponentName", + "value": "ProductComponentNameCustomColumn" + }, + { + "alertProperty": "ProductName", + "value": "ProductNameCustomColumn" + }, + { + "alertProperty": "AlertLink", + "value": "Link" + } + ] }, "incidentConfiguration": { "createIncident": true, From e00bf15c2bdc4872dc7065f05bcccc1ce280ca79 Mon Sep 17 00:00:00 2001 From: ShaniFelig Date: Mon, 16 Jan 2023 13:56:48 +0200 Subject: [PATCH 5/5] add dynamic details to 201 response --- .../alertRules/CreateScheduledAlertRule.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
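Review bot: The 200 response example replaces `"alertTacticsColumnName": null` and `"alertSeverityColumnName": null` with the new array instead of adding it alongside them, so the body no longer shows these two schema members at all, while the same body still shows `"alertRuleTemplateName": null` for another unset member; the example is now inconsistent about whether unset fields are returned as null or omitted. If the service returns them as null when unset, keep the two lines next to `alertDynamicProperties`; if it omits them, apply the same omission to `alertRuleTemplateName`. The same edit is made to the 201 response in patch 5 and needs the same treatment.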
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json index 7bcfd7e6b0bd..97eb9d7896ea 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/examples/alertRules/CreateScheduledAlertRule.json @@ -240,8 +240,20 @@ "alertDetailsOverride": { "alertDisplayNameFormat": "Alert from {{Computer}}", "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", - "alertTacticsColumnName": null, - "alertSeverityColumnName": null + "alertDynamicProperties": [ + { + "alertProperty": "ProductComponentName", + "value": "ProductComponentNameCustomColumn" + }, + { + "alertProperty": "ProductName", + "value": "ProductNameCustomColumn" + }, + { + "alertProperty": "AlertLink", + "value": "Link" + } + ] }, "incidentConfiguration": { "createIncident": true,