From 0698a8c2f0a1ce22cb28460dc4a755e317295a75 Mon Sep 17 00:00:00 2001
From: Dor Siso
Date: Wed, 8 Jun 2022 17:56:02 +0300
Subject: [PATCH] Update automation rules alert trigger swagger
---
 .../2022-07-01-preview/AutomationRules.json | 12 ++-
 .../AutomationRules_CreateOrUpdate.json | 85 ++++---------------
 .../automationRules/AutomationRules_Get.json | 29 ++-----
 .../automationRules/AutomationRules_List.json | 29 ++-----
 4 files changed, 40 insertions(+), 115 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/AutomationRules.json
index 709f7bb0a49f..156aa1ab8e04 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/AutomationRules.json
@@ -606,6 +606,7 @@
 "AccountObjectGuid",
 "AccountUPNSuffix",
 "AlertProductNames",
+ "AlertAnalyticRuleIds",
 "AzureResourceResourceId",
 "AzureResourceSubscriptionId",
 "CloudApplicationAppId",
@@ -718,6 +719,10 @@
 "value": "AlertProductNames",
 "description": "The name of the product of the alert"
 },
+ {
+ "value": "AlertAnalyticRuleIds",
+ "description": "The analytic rule ids of the alert"
+ },
 {
 "value": "AzureResourceResourceId",
 "description": "The Azure resource id"
@@ -1114,7 +1119,8 @@
 },
 "triggersOn": {
 "enum": [
- "Incidents"
+ "Incidents",
+ "Alerts"
 ],
 "type": "string",
 "example": "Incidents",
@@ -1125,6 +1131,10 @@
 {
 "value": "Incidents",
 "description": "Trigger on Incidents"
+ },
+ {
+ "value": "Alerts",
+ "description": "Trigger on Alerts"
 }
 ]
 }
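Review bot: `AlertAnalyticRuleIds` is inserted after `AlertProductNames` in the `enum` list of the first hunk (@@ -606) and again in the `values` list of the second hunk (@@ -718), which breaks what looks like alphabetical ordering in the visible context (`Account…`, `Alert…`, `Azure…`, `Cloud…`). Placing it before `AlertProductNames` in both lists would keep the enum easy to scan. The description `The analytic rule ids of the alert` could also state the expected form of the values; the examples in this patch pass full ARM resource ids of `alertRules`, so a wording such as `"description": "The resource ids of the analytic rules associated with the alert"` may be clearer, to be confirmed against the service behaviour.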
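Review bot: Adding `Alerts` to `triggersOn` in the third hunk (@@ -1114) leaves nothing in the visible schema that says which `propertyName` values, `triggersWhen` values or action types are valid for an alert trigger, so a rule that combines `"triggersOn": "Alerts"` with an `Incident*` property or a `ModifyProperties` action would still pass these enums. If the service rejects such combinations, the description of the new value in the fourth hunk (@@ -1125) should say so, for example `"description": "Trigger on Alerts. Only Alert* condition properties and the RunPlaybook action are supported"`; the exact constraint is an assumption and needs confirming. Since an alert-triggered rule can start a playbook without any incident being opened, documenting the allowed scope matters to anyone auditing what automation a workspace can run. The enclosing definition starts and ends outside both hunks.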
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
index d9a8609e8572..234efee36259 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
@@ -11,50 +11,33 @@
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "displayName": "High severity incidents escalation",
+ "displayName": "Suspicious alerts in workspace",
 "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
- "triggersOn": "Incidents",
+ "triggersOn": "Alerts",
 "triggersWhen": "Created",
 "conditions": [
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "propertyName": "AlertAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
- },
- {
- "conditionType": "PropertyChanged",
- "conditionProperties": {
- "propertyName": "IncidentStatus",
- "changeType": "ChangedFrom",
- "operator": "Equals",
- "propertyValues": [
- "Closed"
- ]
- }
- },
- {
- "conditionType": "PropertyArrayChanged",
- "conditionProperties": {
- "arrayType": "Alerts",
- "changeType": "Added"
- }
 }
 ]
 },
 "actions": [
 {
 "order": 1,
- "actionType": "ModifyProperties",
+ "actionType": "RunPlaybook",
 "actionConfiguration": {
- "severity": "High"
+ "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook"
 }
 }
 ],
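Review bot: The new `actionConfiguration` publishes a `tenantId` (`d23e3eef-eed0-428f-a2d5-bc48c268e31d`) that does not read as a placeholder; unless it is known to be synthetic, the example should carry an obviously fake value such as `"tenantId": "00000000-0000-0000-0000-000000000000"` so that no real tenant identifier lands in a public specification. The same two added lines appear in the hunk at @@ -83, in the hunk at @@ -164, and in the Get and List examples, so the replacement should be made in all five places. The object that holds `actions` starts and ends outside this hunk.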
@@ -83,50 +66,33 @@
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "displayName": "High severity incidents escalation",
+ "displayName": "Suspicious alerts in workspace",
 "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
- "triggersOn": "Incidents",
+ "triggersOn": "Alerts",
 "triggersWhen": "Created",
 "conditions": [
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "propertyName": "AlertAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
- },
- {
- "conditionType": "PropertyChanged",
- "conditionProperties": {
- "propertyName": "IncidentStatus",
- "changeType": "ChangedFrom",
- "operator": "Equals",
- "propertyValues": [
- "Closed"
- ]
- }
- },
- {
- "conditionType": "PropertyArrayChanged",
- "conditionProperties": {
- "arrayType": "Alerts",
- "changeType": "Added"
- }
 }
 ]
 },
 "actions": [
 {
 "order": 1,
- "actionType": "ModifyProperties",
+ "actionType": "RunPlaybook",
 "actionConfiguration": {
- "severity": "High"
+ "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook"
 }
 }
 ],
@@ -154,7 +120,7 @@
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "displayName": "High severity incidents escalation",
+ "displayName": "Suspicious alerts in workspace",
 "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
@@ -164,40 +130,23 @@
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "propertyName": "AlertAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
- },
- {
- "conditionType": "PropertyChanged",
- "conditionProperties": {
- "propertyName": "IncidentStatus",
- "changeType": "ChangedFrom",
- "operator": "Equals",
- "propertyValues": [
- "Closed"
- ]
- }
- },
- {
- "conditionType": "PropertyArrayChanged",
- "conditionProperties": {
- "arrayType": "Alerts",
- "changeType": "Added"
- }
 }
 ]
 },
 "actions": [
 {
 "order": 1,
- "actionType": "ModifyProperties",
+ "actionType": "RunPlaybook",
 "actionConfiguration": {
- "severity": "High"
+ "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook"
 }
 }
 ],
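Review bot: The third rule block in this file keeps whatever `triggersOn` line it had before: the hunk at @@ -154 ends on `"isEnabled": true,` and the hunk at @@ -164 starts at the opening `{` of the first condition, so old lines 161–163 are not touched. If that block read `"triggersOn": "Incidents"` like the two blocks patched above it, the example now pairs an incident trigger with the `AlertAnalyticRuleIds` property and a `RunPlaybook` action, and no longer matches the other two blocks. The untouched line should be changed to `"triggersOn": "Alerts",` as in the hunks at @@ -11 and @@ -83. The surrounding object begins before and ends after these hunks, so this is inferred from the hunk ranges and needs checking against the full file.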
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_Get.json
index 3797988074d8..790f82e0cd1a 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_Get.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_Get.json
@@ -14,50 +14,33 @@
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "displayName": "High severity incidents escalation",
+ "displayName": "Suspicious alerts in workspace",
 "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
- "triggersOn": "Incidents",
+ "triggersOn": "Alerts",
 "triggersWhen": "Created",
 "conditions": [
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "propertyName": "AlertAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
- },
- {
- "conditionType": "PropertyChanged",
- "conditionProperties": {
- "propertyName": "IncidentStatus",
- "changeType": "ChangedFrom",
- "operator": "Equals",
- "propertyValues": [
- "Closed"
- ]
- }
- },
- {
- "conditionType": "PropertyArrayChanged",
- "conditionProperties": {
- "arrayType": "Alerts",
- "changeType": "Added"
- }
 }
 ]
 },
 "actions": [
 {
 "order": 1,
- "actionType": "ModifyProperties",
+ "actionType": "RunPlaybook",
 "actionConfiguration": {
- "severity": "High"
+ "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook"
 }
 }
 ],
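Review bot: Rewriting this example in place removes the only sample of an incident-triggered rule that this patch shows: the `PropertyChanged` and `PropertyArrayChanged` conditions and the `ModifyProperties` action are deleted here and, identically, in AutomationRules_List.json and AutomationRules_CreateOrUpdate.json. Unless other example files already cover them, readers of the preview spec lose the reference for those condition types while `Incidents` remains a valid `triggersOn` value. Adding the alert-triggered rule as a second example file next to this one, and leaving the incident example as it was, would document both triggers. The response object starts and ends outside the hunk.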
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_List.json
index 0ca23332f2e4..b28bb740b2d2 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_List.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-07-01-preview/examples/automationRules/AutomationRules_List.json
@@ -15,50 +15,33 @@
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "displayName": "High severity incidents escalation",
+ "displayName": "Suspicious alerts in workspace",
 "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
- "triggersOn": "Incidents",
+ "triggersOn": "Alerts",
 "triggersWhen": "Created",
 "conditions": [
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "propertyName": "AlertAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
 "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
- },
- {
- "conditionType": "PropertyChanged",
- "conditionProperties": {
- "propertyName": "IncidentStatus",
- "changeType": "ChangedFrom",
- "operator": "Equals",
- "propertyValues": [
- "Closed"
- ]
- }
- },
- {
- "conditionType": "PropertyArrayChanged",
- "conditionProperties": {
- "arrayType": "Alerts",
- "changeType": "Added"
- }
 }
 ]
 },
 "actions": [
 {
 "order": 1,
- "actionType": "ModifyProperties",
+ "actionType": "RunPlaybook",
 "actionConfiguration": {
- "severity": "High"
+ "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook"
 }
 }
 ],