New version for alert rules and updated examples - custom details, entity mappings and new incident grouping configuration

Author: anat-gilenson

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateFusionAlertRule.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",
@@ -10,15 +10,15 @@
       "kind": "Scheduled",
       "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
       "properties": {
-        "displayName": "Rule2",
-        "description": "",
+        "displayName": "My scheduled rule",
+        "description": "An example for a scheduled rule",
         "severity": "High",
         "enabled": true,
         "tactics": [
           "Persistence",
           "LateralMovement"
         ],
-        "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+        "query": "Heartbeat",
         "queryFrequency": "PT1H",
         "queryPeriod": "P2DT1H30M",
         "triggerOperator": "GreaterThan",
@@ -28,16 +28,50 @@
         "eventGroupingSettings": {
           "aggregationKind": "AlertPerResult"
         },
+        "customDetails": {
+          "OperatingSystemName": "OSName",
+          "OperatingSystemType": "OSType"
+        },
+        "entityMappings": [
+          {
+            "entityType": "Host",
+            "fieldMappings": [
+              {
+                "identifier": "FullName",
+                "columnName": "Computer"
+              }
+            ]
+          },
+          {
+            "entityType": "IP",
+            "fieldMappings": [
+              {
+                "identifier": "Address",
+                "columnName": "ComputerIP"
+              }
+            ]
+          }
+        ],
+        "alertDetailsOverride": {
+          "alertDisplayNameFormat": "Alert from {{Computer}}",
+          "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}"
+        },
         "incidentConfiguration": {
           "createIncident": true,
           "groupingConfiguration": {
             "enabled": true,
             "reopenClosedIncident": false,
             "lookbackDuration": "PT5H",
-            "entitiesMatchingMethod": "Custom",
+            "matchingMethod": "Selected",
             "groupByEntities": [
-              "Host",
-              "Account"
+              "Host"
+            ],
+            "groupByAlertDetails": [
+              "DisplayName"
+            ],
+            "groupByCustomDetails": [
+              "OperatingSystemType",
+              "OperatingSystemName"
             ]
           }
         }
@@ -51,38 +85,74 @@
         "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
         "type": "Microsoft.SecurityInsights/alertRules",
         "kind": "Scheduled",
-        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "etag": "\"01005144-0000-0d00-0000-6058632c0000\"",
         "properties": {
           "alertRuleTemplateName": null,
-          "displayName": "Rule2",
-          "description": "",
+          "displayName": "My scheduled rule",
+          "description": "An example for a scheduled rule",
           "severity": "High",
           "enabled": true,
           "tactics": [
             "Persistence",
             "LateralMovement"
           ],
-          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "query": "Heartbeat",
           "queryFrequency": "PT1H",
           "queryPeriod": "P2DT1H30M",
           "triggerOperator": "GreaterThan",
           "triggerThreshold": 0,
           "suppressionDuration": "PT1H",
           "suppressionEnabled": false,
-          "lastModifiedUtc": "2019-01-01T13:15:30Z",
+          "lastModifiedUtc": "2021-03-01T13:17:30Z",
           "eventGroupingSettings": {
             "aggregationKind": "AlertPerResult"
           },
+          "customDetails": {
+            "OperatingSystemName": "OSName",
+            "OperatingSystemType": "OSType"
+          },
+          "entityMappings": [
+            {
+              "entityType": "Host",
+              "fieldMappings": [
+                {
+                  "identifier": "FullName",
+                  "columnName": "Computer"
+                }
+              ]
+            },
+            {
+              "entityType": "IP",
+              "fieldMappings": [
+                {
+                  "identifier": "Address",
+                  "columnName": "ComputerIP"
+                }
+              ]
+            }
+          ],
+          "alertDetailsOverride": {
+            "alertDisplayNameFormat": "Alert from {{Computer}}",
+            "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+            "alertTacticsColumnName": null,
+            "alertSeverityColumnName": null
+          },
           "incidentConfiguration": {
             "createIncident": true,
             "groupingConfiguration": {
               "enabled": true,
               "reopenClosedIncident": false,
               "lookbackDuration": "PT5H",
-              "entitiesMatchingMethod": "Custom",
+              "matchingMethod": "Selected",
               "groupByEntities": [
-                "Host",
-                "Account"
+                "Host"
+              ],
+              "groupByAlertDetails": [
+                "DisplayName"
+              ],
+              "groupByCustomDetails": [
+                "OperatingSystemType",
+                "OperatingSystemName"
               ]
             }
           }
@@ -95,35 +165,71 @@
         "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
         "type": "Microsoft.SecurityInsights/alertRules",
         "kind": "Scheduled",
-        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "etag": "\"01007444-0000-0d00-0000-605863a70000\"",
         "properties": {
           "alertRuleTemplateName": null,
-          "displayName": "Rule2",
-          "description": "",
+          "displayName": "My scheduled rule",
+          "description": "An example for a scheduled rule",
           "severity": "High",
           "enabled": true,
           "tactics": [
             "Persistence",
             "LateralMovement"
           ],
-          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "query": "Heartbeat",
           "queryFrequency": "PT1H",
           "queryPeriod": "P2DT1H30M",
           "triggerOperator": "GreaterThan",
           "triggerThreshold": 0,
           "suppressionDuration": "PT1H",
           "suppressionEnabled": false,
-          "lastModifiedUtc": "2019-01-01T13:15:30Z",
+          "lastModifiedUtc": "2021-03-01T13:15:30Z",
+          "customDetails": {
+            "OperatingSystemName": "OSName",
+            "OperatingSystemType": "OSType"
+          },
+          "entityMappings": [
+            {
+              "entityType": "Host",
+              "fieldMappings": [
+                {
+                  "identifier": "FullName",
+                  "columnName": "Computer"
+                }
+              ]
+            },
+            {
+              "entityType": "IP",
+              "fieldMappings": [
+                {
+                  "identifier": "Address",
+                  "columnName": "ComputerIP"
+                }
+              ]
+            }
+          ],
+          "alertDetailsOverride": {
+            "alertDisplayNameFormat": "Alert from {{Computer}}",
+            "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+            "alertTacticsColumnName": null,
+            "alertSeverityColumnName": null
+          },
           "incidentConfiguration": {
             "createIncident": true,
             "groupingConfiguration": {
               "enabled": true,
               "reopenClosedIncident": false,
               "lookbackDuration": "PT5H",
-              "entitiesMatchingMethod": "Custom",
+              "matchingMethod": "Selected",
               "groupByEntities": [
-                "Host",
-                "Account"
+                "Host"
+              ],
+              "groupByAlertDetails": [
+                "DisplayName"
+              ],
+              "groupByCustomDetails": [
+                "OperatingSystemType",
+                "OperatingSystemName"
               ]
             }
           }

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateScheduledAlertRule.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/DeleteAlertRule.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",
@@ -18,35 +18,71 @@
             "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
             "properties": {
               "alertRuleTemplateName": null,
-              "displayName": "Rule2",
-              "description": "",
+              "displayName": "My scheduled rule",
+              "description": "An example for a scheduled rule",
               "severity": "High",
               "enabled": true,
               "tactics": [
                 "Persistence",
                 "LateralMovement"
               ],
-              "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+              "query": "Heartbeat",
               "queryFrequency": "PT1H",
               "queryPeriod": "P2DT1H30M",
               "triggerOperator": "GreaterThan",
               "triggerThreshold": 0,
               "suppressionDuration": "PT1H",
               "suppressionEnabled": false,
-              "lastModifiedUtc": "2019-01-01T13:15:30Z",
+              "lastModifiedUtc": "2021-03-01T13:17:30Z",
               "eventGroupingSettings": {
                 "aggregationKind": "AlertPerResult"
               },
+              "customDetails": {
+                "OperatingSystemName": "OSName",
+                "OperatingSystemType": "OSType"
+              },
+              "entityMappings": [
+                {
+                  "entityType": "Host",
+                  "fieldMappings": [
+                    {
+                      "identifier": "FullName",
+                      "columnName": "Computer"
+                    }
+                  ]
+                },
+                {
+                  "entityType": "IP",
+                  "fieldMappings": [
+                    {
+                      "identifier": "Address",
+                      "columnName": "ComputerIP"
+                    }
+                  ]
+                }
+              ],
+              "alertDetailsOverride": {
+                "alertDisplayNameFormat": "Alert from {{Computer}}",
+                "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
+                "alertTacticsColumnName": null,
+                "alertSeverityColumnName": null
+              },
               "incidentConfiguration": {
                 "createIncident": true,
                 "groupingConfiguration": {
                   "enabled": true,
                   "reopenClosedIncident": false,
                   "lookbackDuration": "PT5H",
-                  "entitiesMatchingMethod": "Custom",
+                  "matchingMethod": "Selected",
                   "groupByEntities": [
-                    "Host",
-                    "Account"
+                    "Host"
+                  ],
+                  "groupByAlertDetails": [
+                    "DisplayName"
+                  ],
+                  "groupByCustomDetails": [
+                    "OperatingSystemType",
+                    "OperatingSystemName"
                   ]
                 }
               }

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/GetAllAlertRules.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/alertRules/GetFusionAlertRule.json

@@ -1,6 +1,6 @@
 {
   "parameters": {
-    "api-version": "2019-01-01-preview",
+    "api-version": "2021-03-01-preview",
     "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
     "resourceGroupName": "myRg",
     "workspaceName": "myWorkspace",