diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
index 7b0ab31b7605..f2d0da33aa61 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AlertRules.json
@@ -991,6 +991,19 @@
 "description": "Determines whether this alert rule is enabled or disabled.",
 "type": "boolean"
 },
+ "sourceSettings": {
+ "description": "Configuration for all supported source signals in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionSourceSettings"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ },
+ "scenarioExclusionPatterns": {
+ "description": "Configuration to exclude scenarios in fusion detection.",
+ "$ref": "#/definitions/FusionScenarioExclusionPattern",
+ "type": "object"
+ },
 "lastModifiedUtc": {
 "description": "The last time that this alert has been modified.",
 "format": "date-time",
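Review bot: `scenarioExclusionPatterns` places `description` and `type` beside `$ref`; in the Swagger 2.0 / draft-04 schema this file uses, siblings of `$ref` are ignored, so the `"type": "object"` line is dead and only the tooling-tolerated `description` survives. The same pattern recurs in `severityFilters` (FusionSourceSubTypeSetting) and `severityFilter` (FusionTemplateSourceSubType); dropping the `type` sibling in all three matches how the existing `severity` property is written, `$ref` plus `description` only. Separately, the new property wraps a single-key object whose only member is also named `scenarioExclusionPatterns`, so consumers address `scenarioExclusionPatterns.scenarioExclusionPatterns[...]`; unless the wrapper is reserved for future fields, the array could hang directly off the rule properties. For `sourceSettings`, `"x-ms-identifiers": []` declares no identity for items even though each carries a `sourceName` that reads as unique per signal; `"x-ms-identifiers": ["sourceName"]` would let diff/PATCH tooling match entries, worth confirming with the service owners.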
@@ -1025,6 +1038,128 @@
 ],
 "type": "object"
 },
+ "FusionSourceSettings": {
+ "description": "Represents a supported source signal configuration in Fusion detection.",
+ "properties": {
+ "enabled": {
+ "description": "Determines whether this source signal is enabled or disabled in Fusion detection.",
+ "type": "boolean"
+ },
+ "sourceName": {
+ "description": "Name of the Fusion source signal. Refer to Fusion alert rule template for supported values.",
+ "type": "string"
+ },
+ "sourceSubTypes": {
+ "description": "Configuration for all source subtypes under this source signal consumed in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionSourceSubTypeSetting"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
+ },
+ "required": [
+ "enabled",
+ "sourceName"
+ ],
+ "type": "object"
+ },
+ "FusionSourceSubTypeSetting": {
+ "description": "Represents a supported source subtype configuration under a source signal in Fusion detection.",
+ "properties": {
+ "enabled": {
+ "description": "Determines whether this source subtype under source signal is enabled or disabled in Fusion detection.",
+ "type": "boolean"
+ },
+ "sourceSubTypeName": {
+ "description": "The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values.",
+ "type": "string"
+ },
+ "severityFilters": {
+ "description": "Severity configuration for a source subtype consumed in fusion detection.",
+ "$ref": "#/definitions/FusionSubTypeSeverityFilter",
+ "type": "object"
+ }
+ },
+ "required": [
+ "enabled",
+ "sourceSubTypeName",
+ "severityFilters"
+ ],
+ "type": "object"
+ },
+ "FusionSubTypeSeverityFilter": {
+ "description": "Represents severity configuration for a source subtype consumed in Fusion detection.",
+ "properties": {
+ "isSupported": {
+ "description": "Determines whether this source subtype supports severity configuration or not.",
+ "type": "boolean",
+ "readOnly": true
+ },
+ "filters": {
+ "description": "Individual Severity configuration settings for a given source subtype consumed in Fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionSubTypeSeverityFiltersItem"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "FusionSubTypeSeverityFiltersItem": {
+ "description": "Represents a Severity filter setting for a given source subtype consumed in Fusion detection.",
+ "properties": {
+ "severity": {
+ "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum",
+ "description": "The Severity for a given source subtype consumed in Fusion detection."
+ },
+ "enabled": {
+ "description": "Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection.",
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "severity",
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "FusionScenarioExclusionPattern": {
+ "description": "Represents Fusion scenario exclusion patterns in Fusion detection.",
+ "properties": {
+ "scenarioExclusionPatterns": {
+ "description": "Individual scenario exclusion pattern.",
+ "items": {
+ "$ref": "#/definitions/FusionScenarioExclusionPatternItem"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
+ },
+ "required": [
+ "scenarioExclusionPatterns"
+ ],
+ "type": "object"
+ },
+ "FusionScenarioExclusionPatternItem": {
+ "description": "Represents individual Fusion scenario exclusion pattern in Fusion detection.",
+ "properties": {
+ "exclusionPattern": {
+ "description": "Scenario exclusion pattern.",
+ "type": "string"
+ },
+ "dateAddedInUTC": {
+ "description": "DateTime in UTC.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "exclusionPattern",
+ "dateAddedInUTC"
+ ],
+ "type": "object"
+ },
 "FusionAlertRuleTemplate": {
 "allOf": [
 {
@@ -1046,11 +1181,21 @@
 "description": "The severity for alerts created by this alert rule."
 }
 },
+ "sourceSettings":
+ {
+ "description": "All supported source signal configurations consumed in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionTemplateSourceSetting"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ },
 "required": [
 "displayName",
 "description",
 "status",
 "severity",
+ "sourceSettings",
 "alertRulesCreatedByTemplateCount"
 ],
 "type": "object",
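Review bot: `dateAddedInUTC` in FusionScenarioExclusionPatternItem is a bare `"type": "string"` described as "DateTime in UTC.", while the rest of this file types timestamps with `"format": "date-time"` (see `lastModifiedUtc` in the first hunk), so clients get neither validation nor typed deserialization for it; adding `"format": "date-time"` makes the RFC 3339 form the contract. `exclusionPattern` is likewise an unconstrained string with no statement of its grammar or length, yet each entry removes scenarios from detection; one sentence on the pattern syntax and, if the service enforces one, a `maxLength` would let a reviewer audit what an exclusion actually covers. There is also a required/optional mismatch: FusionSourceSubTypeSetting requires `severityFilters`, but the referenced FusionSubTypeSeverityFilter requires neither `isSupported` nor `filters`, so an empty `{}` satisfies the schema; the description should say whether an absent or empty `filters` means all severities or none.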
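Review bot: The added `sourceSettings` block in FusionAlertRuleTemplate appears to land outside the `properties` map: the context line `},` immediately before it closes the map that holds `severity` (the following `"required": [` is that map's sibling), so `sourceSettings` becomes an unknown keyword next to `required` and `type` rather than a declared property, and the new `"sourceSettings"` entry in `required` then names a property the schema never defines. The fix is to move the block up: change the `}` after the severity description to `},`, place the nine `sourceSettings` lines there, and keep the existing `},` that closes `properties` after them. Also, `"sourceSettings":` followed by `{` on its own line differs from every other property in this file; write `"sourceSettings": {`. The enclosing FusionAlertRuleTemplate definition starts before this hunk.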
@@ -1060,6 +1205,68 @@
 "type": "object",
 "x-ms-discriminator-value": "Fusion"
 },
+ "FusionTemplateSourceSetting": {
+ "description": "Represents a source signal consumed in Fusion detection.",
+ "properties": {
+ "sourceName": {
+ "description": "The name of a source signal consumed in Fusion detection.",
+ "type": "string"
+ },
+ "sourceSubTypes": {
+ "description": "All supported source subtypes under this source signal consumed in fusion detection.",
+ "items": {
+ "$ref": "#/definitions/FusionTemplateSourceSubType"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
+ },
+ "required": [
+ "sourceName",
+ "sourceSubTypes"
+ ],
+ "type": "object"
+ },
+ "FusionTemplateSourceSubType": {
+ "description": "Represents a source subtype under a source signal consumed in Fusion detection.",
+ "properties": {
+ "sourceSubTypeName": {
+ "description": "The name of source subtype under a source signal consumed in Fusion detection.",
+ "type": "string"
+ },
+ "severityFilter": {
+ "description": "Severity configuration available for a source subtype consumed in fusion detection.",
+ "$ref": "#/definitions/FusionTemplateSubTypeSeverityFilter",
+ "type": "object"
+ }
+ },
+ "required": [
+ "sourceSubTypeName",
+ "severityFilter"
+ ],
+ "type": "object"
+ },
+ "FusionTemplateSubTypeSeverityFilter": {
+ "description": "Represents severity configurations available for a source subtype consumed in Fusion detection.",
+ "properties": {
+ "isSupported": {
+ "description": "Determines whether severity configuration is supported for this source subtype consumed in Fusion detection.",
+ "type": "boolean"
+ },
+ "severityFilters": {
+ "description": "List of all supported severities for this source subtype consumed in Fusion detection.",
+ "items": {
+ "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum"
+ },
+ "x-ms-identifiers": [],
+ "type": "array"
+ }
+ },
+ "required": [
+ "isSupported"
+ ],
+ "type": "object"
+ },
 "ThreatIntelligenceAlertRule": {
 "allOf": [
 {
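Review bot: The template model names the severity object `severityFilter` (FusionTemplateSourceSubType) while the rule model names the same concept `severityFilters` (FusionSourceSubTypeSetting), and inside them the array is `severityFilters` on the template side but `filters` on the rule side; since the rule descriptions tell users to take supported values from the template, the two shapes should share one vocabulary, for example rename the template property to `severityFilters` and its array to `filters`, or at least state in each description which rule-side field it maps onto. FusionTemplateSubTypeSeverityFilter requires only `isSupported`, so a subtype reported as supported may still omit `severityFilters`; if that combination is not meant to occur, add `severityFilters` to `required`, otherwise note in the description that absence means no severities are configurable.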