Add AlertRules to microsoft.security insights 2021 10 01 (#15657)

* Adds base for updating Microsoft.SecurityInsight's AlertRules from version stable/2020-01-01 to version 2021-10-01

* Updates API version in AlertRules specs and examples

* Use common types in AlertRules.json and remove redundant SecurityInsights

* Add AlertRules to readme

* Copy action examples for alert rules

* Add type:object where missing

* Align CloudError with rest of the resources in this version

* Update readme

Co-authored-by: Anat Gilenson <[email protected]>

Author: anat-gilenson

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json

@@ -1707,6 +1707,7 @@
           }
         }
       },
+      "type": "object",
       "required": [
         "value"
       ]

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json

@@ -502,7 +502,8 @@
           "description": "The error object of the CloudError response"
         }
       },
-      "description": "An error response for a resource management request."
+      "description": "An error response for a resource management request.",
+      "type": "object"
     },
     "ThreatIntelligenceInformation": {
       "allOf": [

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json

@@ -0,0 +1,44 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+    "action": {
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
+        "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/CreateActionOfAlertRule.json

@@ -0,0 +1,15 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/DeleteActionOfAlertRule.json

@@ -0,0 +1,25 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetActionOfAlertRuleById.json

@@ -0,0 +1,28 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "type": "Microsoft.SecurityInsights/alertRules/actions",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+              "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetAllActionsByAlertRule.json

@@ -0,0 +1,45 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+        "kind": "Scheduled",
+        "properties": {
+          "severity": "Low",
+          "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+          "queryFrequency": "P1D",
+          "queryPeriod": "P1D",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "displayName": "Changes to Amazon VPC settings",
+          "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+          "tactics": [
+            "PrivilegeEscalation",
+            "LateralMovement"
+          ],
+          "createdDateUTC": "2019-02-27T00:00:00Z",
+          "status": "Available",
+          "requiredDataConnectors": [
+            {
+              "connectorId": "AWS",
+              "dataTypes": [
+                "AWSCloudTrail"
+              ]
+            }
+          ],
+          "alertRulesCreatedByTemplateCount": 0
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json

@@ -0,0 +1,82 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Scheduled",
+            "properties": {
+              "severity": "Low",
+              "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+              "queryFrequency": "P1D",
+              "queryPeriod": "P1D",
+              "triggerOperator": "GreaterThan",
+              "triggerThreshold": 0,
+              "displayName": "Changes to Amazon VPC settings",
+              "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+              "tactics": [
+                "PrivilegeEscalation",
+                "LateralMovement"
+              ],
+              "createdDateUTC": "2019-02-27T00:00:00Z",
+              "status": "Available",
+              "requiredDataConnectors": [
+                {
+                  "connectorId": "AWS",
+                  "dataTypes": [
+                    "AWSCloudTrail"
+                  ]
+                }
+              ],
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Fusion",
+            "properties": {
+              "displayName": "Advanced Multi-Stage Attack Detection",
+              "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
+              "tactics": [
+                "Persistence",
+                "LateralMovement",
+                "Exfiltration",
+                "CommandAndControl"
+              ],
+              "createdDateUTC": "2019-07-25T00:00:00Z",
+              "status": "Available",
+              "severity": "High",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "MicrosoftSecurityIncidentCreation",
+            "properties": {
+              "productFilter": "Microsoft Cloud App Security",
+              "displayName": "Create incidents based on Microsoft Cloud App Security alerts",
+              "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+              "createdDateUTC": "2019-07-16T00:00:00Z",
+              "status": "Available",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json

@@ -0,0 +1,66 @@
+{
+  "parameters": {
+    "api-version": "2021-10-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "myFirstFusionRule",
+    "alertRule": {
+      "kind": "Fusion",
+      "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
+      "properties": {
+        "enabled": true,
+        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    }
+  }
+}