Extract alertRules and alertRuleTemplates endpoints and their related parameters and definition from 2019-01-01-preview/SecurityInsights.json

Author: Anat Gilenson

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json

@@ -0,0 +1,44 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+    "action": {
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
+        "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/actions/CreateActionOfAlertRule.json

@@ -0,0 +1,15 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/actions/DeleteActionOfAlertRule.json

@@ -0,0 +1,25 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/actions/GetActionOfAlertRuleById.json

@@ -0,0 +1,28 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "type": "Microsoft.SecurityInsights/alertRules/actions",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+              "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/actions/GetAllActionsByAlertRule.json

@@ -0,0 +1,49 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+        "kind": "Scheduled",
+        "properties": {
+          "severity": "Low",
+          "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+          "queryFrequency": "P1D",
+          "queryPeriod": "P1D",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "displayName": "Changes to Amazon VPC settings",
+          "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+          "eventGroupingSettings": {
+            "aggregationKind": "AlertPerResult"
+          },
+          "tactics": [
+            "PrivilegeEscalation",
+            "LateralMovement"
+          ],
+          "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+          "createdDateUTC": "2019-02-27T00:00:00Z",
+          "status": "Available",
+          "requiredDataConnectors": [
+            {
+              "connectorId": "AWS",
+              "dataTypes": [
+                "AWSCloudTrail"
+              ]
+            }
+          ],
+          "alertRulesCreatedByTemplateCount": 0
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json

@@ -0,0 +1,85 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Scheduled",
+            "properties": {
+              "severity": "Low",
+              "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+              "queryFrequency": "P1D",
+              "queryPeriod": "P1D",
+              "triggerOperator": "GreaterThan",
+              "triggerThreshold": 0,
+              "displayName": "Changes to Amazon VPC settings",
+              "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+              "tactics": [
+                "PrivilegeEscalation",
+                "LateralMovement"
+              ],
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-02-27T00:00:00Z",
+              "status": "Available",
+              "requiredDataConnectors": [
+                {
+                  "connectorId": "AWS",
+                  "dataTypes": [
+                    "AWSCloudTrail"
+                  ]
+                }
+              ],
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Fusion",
+            "properties": {
+              "displayName": "Advanced Multi-Stage Attack Detection",
+              "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
+              "tactics": [
+                "Persistence",
+                "LateralMovement",
+                "Exfiltration",
+                "CommandAndControl"
+              ],
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-07-25T00:00:00Z",
+              "status": "Available",
+              "severity": "High",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "MicrosoftSecurityIncidentCreation",
+            "properties": {
+              "productFilter": "Microsoft Cloud App Security",
+              "displayName": "Create incidents based on Microsoft Cloud App Security alerts",
+              "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-07-16T00:00:00Z",
+              "status": "Available",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json

@@ -0,0 +1,66 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "myFirstFusionRule",
+    "alertRule": {
+      "kind": "Fusion",
+      "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
+      "properties": {
+        "enabled": true,
+        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateFusionAlertRule.json

@@ -0,0 +1,59 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "microsoftSecurityIncidentCreationRuleExample",
+    "alertRule": {
+      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+      "kind": "MicrosoftSecurityIncidentCreation",
+      "properties": {
+        "productFilter": "Microsoft Cloud App Security",
+        "displayName": "testing displayname",
+        "enabled": true
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    }
+  }
+}