Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
- Latest
- 2025-03-01
- 2025-01-01-preview
- 2024-10-01-preview
- 2024-09-01
- 2024-04-01-preview
- 2024-03-01
- 2024-01-01-preview
- 2023-12-01-preview
- 2023-11-01
- 2023-10-01-preview
- 2023-09-01-preview
- 2023-08-01-preview
- 2023-07-01-preview
- 2023-06-01-preview
- 2023-05-01-preview
- 2023-04-01-preview
- 2023-03-01-preview
- 2023-02-01
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-03-01-preview
- 2020-01-01
- 2019-01-01-preview
Bicep resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/alertRules@2022-10-01-preview' = {
etag: 'string'
name: 'string'
kind: 'string'
// For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
kind: 'Fusion'
properties: {
alertRuleTemplateName: 'string'
enabled: bool
scenarioExclusionPatterns: [
{
dateAddedInUTC: 'string'
exclusionPattern: 'string'
}
]
sourceSettings: [
{
enabled: bool
sourceName: 'string'
sourceSubTypes: [
{
enabled: bool
severityFilters: {
filters: [
{
enabled: bool
severity: 'string'
}
]
}
sourceSubTypeName: 'string'
}
]
}
]
}
}
For MLBehaviorAnalytics, use:
{
kind: 'MLBehaviorAnalytics'
properties: {
alertRuleTemplateName: 'string'
enabled: bool
}
}
For MicrosoftSecurityIncidentCreation, use:
{
kind: 'MicrosoftSecurityIncidentCreation'
properties: {
alertRuleTemplateName: 'string'
description: 'string'
displayName: 'string'
displayNamesExcludeFilter: [
'string'
]
displayNamesFilter: [
'string'
]
enabled: bool
productFilter: 'string'
severitiesFilter: [
'string'
]
}
}
For NRT, use:
{
kind: 'NRT'
properties: {
alertDetailsOverride: {
alertDescriptionFormat: 'string'
alertDisplayNameFormat: 'string'
alertDynamicProperties: [
{
alertProperty: 'string'
value: 'string'
}
]
alertSeverityColumnName: 'string'
alertTacticsColumnName: 'string'
}
alertRuleTemplateName: 'string'
customDetails: {
{customized property}: 'string'
}
description: 'string'
displayName: 'string'
enabled: bool
entityMappings: [
{
entityType: 'string'
fieldMappings: [
{
columnName: 'string'
identifier: 'string'
}
]
}
]
eventGroupingSettings: {
aggregationKind: 'string'
}
incidentConfiguration: {
createIncident: bool
groupingConfiguration: {
enabled: bool
groupByAlertDetails: [
'string'
]
groupByCustomDetails: [
'string'
]
groupByEntities: [
'string'
]
lookbackDuration: 'string'
matchingMethod: 'string'
reopenClosedIncident: bool
}
}
query: 'string'
sentinelEntitiesMappings: [
{
columnName: 'string'
}
]
severity: 'string'
suppressionDuration: 'string'
suppressionEnabled: bool
tactics: [
'string'
]
techniques: [
'string'
]
templateVersion: 'string'
}
}
For Scheduled, use:
{
kind: 'Scheduled'
properties: {
alertDetailsOverride: {
alertDescriptionFormat: 'string'
alertDisplayNameFormat: 'string'
alertDynamicProperties: [
{
alertProperty: 'string'
value: 'string'
}
]
alertSeverityColumnName: 'string'
alertTacticsColumnName: 'string'
}
alertRuleTemplateName: 'string'
customDetails: {
{customized property}: 'string'
}
description: 'string'
displayName: 'string'
enabled: bool
entityMappings: [
{
entityType: 'string'
fieldMappings: [
{
columnName: 'string'
identifier: 'string'
}
]
}
]
eventGroupingSettings: {
aggregationKind: 'string'
}
incidentConfiguration: {
createIncident: bool
groupingConfiguration: {
enabled: bool
groupByAlertDetails: [
'string'
]
groupByCustomDetails: [
'string'
]
groupByEntities: [
'string'
]
lookbackDuration: 'string'
matchingMethod: 'string'
reopenClosedIncident: bool
}
}
query: 'string'
queryFrequency: 'string'
queryPeriod: 'string'
sentinelEntitiesMappings: [
{
columnName: 'string'
}
]
severity: 'string'
suppressionDuration: 'string'
suppressionEnabled: bool
tactics: [
'string'
]
techniques: [
'string'
]
templateVersion: 'string'
triggerOperator: 'string'
triggerThreshold: int
}
}
For ThreatIntelligence, use:
{
kind: 'ThreatIntelligence'
properties: {
alertRuleTemplateName: 'string'
enabled: bool
}
}
Property Values
AlertDetailsOverride
| Name | Description | Value |
|---|---|---|
| alertDescriptionFormat | the format containing columns name(s) to override the alert description | string |
| alertDisplayNameFormat | the format containing columns name(s) to override the alert name | string |
| alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
| alertSeverityColumnName | the column name to take the alert severity from | string |
| alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
| Name | Description | Value |
|---|---|---|
| alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
| value | the column name to use to override this property | string |
EntityMapping
| Name | Description | Value |
|---|---|---|
| entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
| Name | Description | Value |
|---|---|---|
| aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the identifier | string |
| identifier | the V3 identifier of the entity | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Fusion' (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| scenarioExclusionPatterns | Configuration to exclude scenarios in fusion detection. | FusionScenarioExclusionPattern[] |
| sourceSettings | Configuration for all supported source signals in fusion detection. | FusionSourceSettings[] |
FusionScenarioExclusionPattern
| Name | Description | Value |
|---|---|---|
| dateAddedInUTC | DateTime when scenario exclusion pattern is added in UTC. | string (required) |
| exclusionPattern | Scenario exclusion pattern. | string (required) |
FusionSourceSettings
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source signal is enabled or disabled in Fusion detection. | bool (required) |
| sourceName | Name of the Fusion source signal. Refer to Fusion alert rule template for supported values. | string (required) |
| sourceSubTypes | Configuration for all source subtypes under this source signal consumed in fusion detection. | FusionSourceSubTypeSetting[] |
FusionSourceSubTypeSetting
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source subtype under source signal is enabled or disabled in Fusion detection. | bool (required) |
| severityFilters | Severity configuration for a source subtype consumed in fusion detection. | FusionSubTypeSeverityFilter (required) |
| sourceSubTypeName | The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values. | string (required) |
FusionSubTypeSeverityFilter
| Name | Description | Value |
|---|---|---|
| filters | Individual Severity configuration settings for a given source subtype consumed in Fusion detection. | FusionSubTypeSeverityFiltersItem[] |
FusionSubTypeSeverityFiltersItem
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection. | bool (required) |
| severity | The Severity for a given source subtype consumed in Fusion detection. | 'High' 'Informational' 'Low' 'Medium' (required) |
GroupingConfiguration
| Name | Description | Value |
|---|---|---|
| enabled | Grouping enabled | bool (required) |
| groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
| groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
| groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
| matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
| reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
| Name | Description | Value |
|---|---|---|
| createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
| groupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | GroupingConfiguration |
Microsoft.SecurityInsights/alertRules
| Name | Description | Value |
|---|---|---|
| etag | Etag of the azure resource | string |
| kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MLBehaviorAnalytics' for type MLBehaviorAnalyticsAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'NRT' for type NrtAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. Set to 'ThreatIntelligence' for type ThreatIntelligenceAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'MLBehaviorAnalytics' 'NRT' 'Scheduled' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MicrosoftSecurityIncidentCreation' (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' 'Microsoft Defender Advanced Threat Protection' 'Office 365 Advanced Threat Protection' (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
MLBehaviorAnalyticsAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MLBehaviorAnalytics' (required) |
| properties | MLBehaviorAnalytics alert rule properties | MLBehaviorAnalyticsAlertRuleProperties |
MLBehaviorAnalyticsAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
NrtAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'NRT' (required) |
| properties | NRT alert rule properties | NrtAlertRuleProperties |
NrtAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | NrtAlertRulePropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string (required) |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' (required) |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
NrtAlertRulePropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Scheduled' (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
| triggerOperator | The operation against the threshold that triggers alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
| triggerThreshold | The threshold triggers this alert rule. | int |
SentinelEntityMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the SentinelEntities | string |
ThreatIntelligenceAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'ThreatIntelligence' (required) |
| properties | Threat Intelligence alert rule properties | ThreatIntelligenceAlertRuleProperties |
ThreatIntelligenceAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
ARM template resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following JSON to your template.
{
"etag": "string",
"name": "string",
"kind": "string"
// For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
"kind": "Fusion",
"properties": {
"alertRuleTemplateName": "string",
"enabled": "bool",
"scenarioExclusionPatterns": [
{
"dateAddedInUTC": "string",
"exclusionPattern": "string"
}
],
"sourceSettings": [
{
"enabled": "bool",
"sourceName": "string",
"sourceSubTypes": [
{
"enabled": "bool",
"severityFilters": {
"filters": [
{
"enabled": "bool",
"severity": "string"
}
]
},
"sourceSubTypeName": "string"
}
]
}
]
}
}
For MLBehaviorAnalytics, use:
{
"kind": "MLBehaviorAnalytics",
"properties": {
"alertRuleTemplateName": "string",
"enabled": "bool"
}
}
For MicrosoftSecurityIncidentCreation, use:
{
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"alertRuleTemplateName": "string",
"description": "string",
"displayName": "string",
"displayNamesExcludeFilter": [ "string" ],
"displayNamesFilter": [ "string" ],
"enabled": "bool",
"productFilter": "string",
"severitiesFilter": [ "string" ]
}
}
For NRT, use:
{
"kind": "NRT",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "string",
"alertDisplayNameFormat": "string",
"alertDynamicProperties": [
{
"alertProperty": "string",
"value": "string"
}
],
"alertSeverityColumnName": "string",
"alertTacticsColumnName": "string"
},
"alertRuleTemplateName": "string",
"customDetails": {
"{customized property}": "string"
},
"description": "string",
"displayName": "string",
"enabled": "bool",
"entityMappings": [
{
"entityType": "string",
"fieldMappings": [
{
"columnName": "string",
"identifier": "string"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "string"
},
"incidentConfiguration": {
"createIncident": "bool",
"groupingConfiguration": {
"enabled": "bool",
"groupByAlertDetails": [ "string" ],
"groupByCustomDetails": [ "string" ],
"groupByEntities": [ "string" ],
"lookbackDuration": "string",
"matchingMethod": "string",
"reopenClosedIncident": "bool"
}
},
"query": "string",
"sentinelEntitiesMappings": [
{
"columnName": "string"
}
],
"severity": "string",
"suppressionDuration": "string",
"suppressionEnabled": "bool",
"tactics": [ "string" ],
"techniques": [ "string" ],
"templateVersion": "string"
}
}
For Scheduled, use:
{
"kind": "Scheduled",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "string",
"alertDisplayNameFormat": "string",
"alertDynamicProperties": [
{
"alertProperty": "string",
"value": "string"
}
],
"alertSeverityColumnName": "string",
"alertTacticsColumnName": "string"
},
"alertRuleTemplateName": "string",
"customDetails": {
"{customized property}": "string"
},
"description": "string",
"displayName": "string",
"enabled": "bool",
"entityMappings": [
{
"entityType": "string",
"fieldMappings": [
{
"columnName": "string",
"identifier": "string"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "string"
},
"incidentConfiguration": {
"createIncident": "bool",
"groupingConfiguration": {
"enabled": "bool",
"groupByAlertDetails": [ "string" ],
"groupByCustomDetails": [ "string" ],
"groupByEntities": [ "string" ],
"lookbackDuration": "string",
"matchingMethod": "string",
"reopenClosedIncident": "bool"
}
},
"query": "string",
"queryFrequency": "string",
"queryPeriod": "string",
"sentinelEntitiesMappings": [
{
"columnName": "string"
}
],
"severity": "string",
"suppressionDuration": "string",
"suppressionEnabled": "bool",
"tactics": [ "string" ],
"techniques": [ "string" ],
"templateVersion": "string",
"triggerOperator": "string",
"triggerThreshold": "int"
}
}
For ThreatIntelligence, use:
{
"kind": "ThreatIntelligence",
"properties": {
"alertRuleTemplateName": "string",
"enabled": "bool"
}
}
Property Values
AlertDetailsOverride
| Name | Description | Value |
|---|---|---|
| alertDescriptionFormat | the format containing columns name(s) to override the alert description | string |
| alertDisplayNameFormat | the format containing columns name(s) to override the alert name | string |
| alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
| alertSeverityColumnName | the column name to take the alert severity from | string |
| alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
| Name | Description | Value |
|---|---|---|
| alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
| value | the column name to use to override this property | string |
EntityMapping
| Name | Description | Value |
|---|---|---|
| entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
| Name | Description | Value |
|---|---|---|
| aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the identifier | string |
| identifier | the V3 identifier of the entity | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Fusion' (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| scenarioExclusionPatterns | Configuration to exclude scenarios in fusion detection. | FusionScenarioExclusionPattern[] |
| sourceSettings | Configuration for all supported source signals in fusion detection. | FusionSourceSettings[] |
FusionScenarioExclusionPattern
| Name | Description | Value |
|---|---|---|
| dateAddedInUTC | DateTime when scenario exclusion pattern is added in UTC. | string (required) |
| exclusionPattern | Scenario exclusion pattern. | string (required) |
FusionSourceSettings
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source signal is enabled or disabled in Fusion detection. | bool (required) |
| sourceName | Name of the Fusion source signal. Refer to Fusion alert rule template for supported values. | string (required) |
| sourceSubTypes | Configuration for all source subtypes under this source signal consumed in fusion detection. | FusionSourceSubTypeSetting[] |
FusionSourceSubTypeSetting
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source subtype under source signal is enabled or disabled in Fusion detection. | bool (required) |
| severityFilters | Severity configuration for a source subtype consumed in fusion detection. | FusionSubTypeSeverityFilter (required) |
| sourceSubTypeName | The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values. | string (required) |
FusionSubTypeSeverityFilter
| Name | Description | Value |
|---|---|---|
| filters | Individual Severity configuration settings for a given source subtype consumed in Fusion detection. | FusionSubTypeSeverityFiltersItem[] |
FusionSubTypeSeverityFiltersItem
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection. | bool (required) |
| severity | The Severity for a given source subtype consumed in Fusion detection. | 'High' 'Informational' 'Low' 'Medium' (required) |
GroupingConfiguration
| Name | Description | Value |
|---|---|---|
| enabled | Grouping enabled | bool (required) |
| groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
| groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
| groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
| matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
| reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
| Name | Description | Value |
|---|---|---|
| createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
| groupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | GroupingConfiguration |
Microsoft.SecurityInsights/alertRules
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2022-10-01-preview' |
| etag | Etag of the azure resource | string |
| kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MLBehaviorAnalytics' for type MLBehaviorAnalyticsAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'NRT' for type NrtAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. Set to 'ThreatIntelligence' for type ThreatIntelligenceAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'MLBehaviorAnalytics' 'NRT' 'Scheduled' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| type | The resource type | 'Microsoft.SecurityInsights/alertRules' |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MicrosoftSecurityIncidentCreation' (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' 'Microsoft Defender Advanced Threat Protection' 'Office 365 Advanced Threat Protection' (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
MLBehaviorAnalyticsAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MLBehaviorAnalytics' (required) |
| properties | MLBehaviorAnalytics alert rule properties | MLBehaviorAnalyticsAlertRuleProperties |
MLBehaviorAnalyticsAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
NrtAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'NRT' (required) |
| properties | NRT alert rule properties | NrtAlertRuleProperties |
NrtAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | NrtAlertRulePropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string (required) |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' (required) |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
NrtAlertRulePropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Scheduled' (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
| triggerOperator | The operation against the threshold that triggers alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
| triggerThreshold | The threshold triggers this alert rule. | int |
SentinelEntityMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the SentinelEntities | string |
ThreatIntelligenceAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'ThreatIntelligence' (required) |
| properties | Threat Intelligence alert rule properties | ThreatIntelligenceAlertRuleProperties |
ThreatIntelligenceAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Creates a new Microsoft Sentinel Scheduled Analytics Rule |
This sample shows how to create a new scheduled analytics rule in Microsoft Sentinel |
Terraform (AzAPI provider) resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
etag = "string"
name = "string"
kind = "string"
// For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
kind = "Fusion"
properties = {
alertRuleTemplateName = "string"
enabled = bool
scenarioExclusionPatterns = [
{
dateAddedInUTC = "string"
exclusionPattern = "string"
}
]
sourceSettings = [
{
enabled = bool
sourceName = "string"
sourceSubTypes = [
{
enabled = bool
severityFilters = {
filters = [
{
enabled = bool
severity = "string"
}
]
}
sourceSubTypeName = "string"
}
]
}
]
}
}
For MLBehaviorAnalytics, use:
{
kind = "MLBehaviorAnalytics"
properties = {
alertRuleTemplateName = "string"
enabled = bool
}
}
For MicrosoftSecurityIncidentCreation, use:
{
kind = "MicrosoftSecurityIncidentCreation"
properties = {
alertRuleTemplateName = "string"
description = "string"
displayName = "string"
displayNamesExcludeFilter = [
"string"
]
displayNamesFilter = [
"string"
]
enabled = bool
productFilter = "string"
severitiesFilter = [
"string"
]
}
}
For NRT, use:
{
kind = "NRT"
properties = {
alertDetailsOverride = {
alertDescriptionFormat = "string"
alertDisplayNameFormat = "string"
alertDynamicProperties = [
{
alertProperty = "string"
value = "string"
}
]
alertSeverityColumnName = "string"
alertTacticsColumnName = "string"
}
alertRuleTemplateName = "string"
customDetails = {
{customized property} = "string"
}
description = "string"
displayName = "string"
enabled = bool
entityMappings = [
{
entityType = "string"
fieldMappings = [
{
columnName = "string"
identifier = "string"
}
]
}
]
eventGroupingSettings = {
aggregationKind = "string"
}
incidentConfiguration = {
createIncident = bool
groupingConfiguration = {
enabled = bool
groupByAlertDetails = [
"string"
]
groupByCustomDetails = [
"string"
]
groupByEntities = [
"string"
]
lookbackDuration = "string"
matchingMethod = "string"
reopenClosedIncident = bool
}
}
query = "string"
sentinelEntitiesMappings = [
{
columnName = "string"
}
]
severity = "string"
suppressionDuration = "string"
suppressionEnabled = bool
tactics = [
"string"
]
techniques = [
"string"
]
templateVersion = "string"
}
}
For Scheduled, use:
{
kind = "Scheduled"
properties = {
alertDetailsOverride = {
alertDescriptionFormat = "string"
alertDisplayNameFormat = "string"
alertDynamicProperties = [
{
alertProperty = "string"
value = "string"
}
]
alertSeverityColumnName = "string"
alertTacticsColumnName = "string"
}
alertRuleTemplateName = "string"
customDetails = {
{customized property} = "string"
}
description = "string"
displayName = "string"
enabled = bool
entityMappings = [
{
entityType = "string"
fieldMappings = [
{
columnName = "string"
identifier = "string"
}
]
}
]
eventGroupingSettings = {
aggregationKind = "string"
}
incidentConfiguration = {
createIncident = bool
groupingConfiguration = {
enabled = bool
groupByAlertDetails = [
"string"
]
groupByCustomDetails = [
"string"
]
groupByEntities = [
"string"
]
lookbackDuration = "string"
matchingMethod = "string"
reopenClosedIncident = bool
}
}
query = "string"
queryFrequency = "string"
queryPeriod = "string"
sentinelEntitiesMappings = [
{
columnName = "string"
}
]
severity = "string"
suppressionDuration = "string"
suppressionEnabled = bool
tactics = [
"string"
]
techniques = [
"string"
]
templateVersion = "string"
triggerOperator = "string"
triggerThreshold = int
}
}
For ThreatIntelligence, use:
{
kind = "ThreatIntelligence"
properties = {
alertRuleTemplateName = "string"
enabled = bool
}
}
Property Values
AlertDetailsOverride
| Name | Description | Value |
|---|---|---|
| alertDescriptionFormat | the format containing columns name(s) to override the alert description | string |
| alertDisplayNameFormat | the format containing columns name(s) to override the alert name | string |
| alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
| alertSeverityColumnName | the column name to take the alert severity from | string |
| alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
| Name | Description | Value |
|---|---|---|
| alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
| value | the column name to use to override this property | string |
EntityMapping
| Name | Description | Value |
|---|---|---|
| entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
| Name | Description | Value |
|---|---|---|
| aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the identifier | string |
| identifier | the V3 identifier of the entity | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Fusion' (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| scenarioExclusionPatterns | Configuration to exclude scenarios in fusion detection. | FusionScenarioExclusionPattern[] |
| sourceSettings | Configuration for all supported source signals in fusion detection. | FusionSourceSettings[] |
FusionScenarioExclusionPattern
| Name | Description | Value |
|---|---|---|
| dateAddedInUTC | DateTime when scenario exclusion pattern is added in UTC. | string (required) |
| exclusionPattern | Scenario exclusion pattern. | string (required) |
FusionSourceSettings
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source signal is enabled or disabled in Fusion detection. | bool (required) |
| sourceName | Name of the Fusion source signal. Refer to Fusion alert rule template for supported values. | string (required) |
| sourceSubTypes | Configuration for all source subtypes under this source signal consumed in fusion detection. | FusionSourceSubTypeSetting[] |
FusionSourceSubTypeSetting
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this source subtype under source signal is enabled or disabled in Fusion detection. | bool (required) |
| severityFilters | Severity configuration for a source subtype consumed in fusion detection. | FusionSubTypeSeverityFilter (required) |
| sourceSubTypeName | The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values. | string (required) |
FusionSubTypeSeverityFilter
| Name | Description | Value |
|---|---|---|
| filters | Individual Severity configuration settings for a given source subtype consumed in Fusion detection. | FusionSubTypeSeverityFiltersItem[] |
FusionSubTypeSeverityFiltersItem
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection. | bool (required) |
| severity | The Severity for a given source subtype consumed in Fusion detection. | 'High' 'Informational' 'Low' 'Medium' (required) |
GroupingConfiguration
| Name | Description | Value |
|---|---|---|
| enabled | Grouping enabled | bool (required) |
| groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
| groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
| groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
| lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
| matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
| reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
| Name | Description | Value |
|---|---|---|
| createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
| groupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | GroupingConfiguration |
Microsoft.SecurityInsights/alertRules
| Name | Description | Value |
|---|---|---|
| etag | Etag of the azure resource | string |
| kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MLBehaviorAnalytics' for type MLBehaviorAnalyticsAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'NRT' for type NrtAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. Set to 'ThreatIntelligence' for type ThreatIntelligenceAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'MLBehaviorAnalytics' 'NRT' 'Scheduled' 'ThreatIntelligence' (required) |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| type | The resource type | "Microsoft.SecurityInsights/alertRules@2022-10-01-preview" |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MicrosoftSecurityIncidentCreation' (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' 'Microsoft Defender Advanced Threat Protection' 'Office 365 Advanced Threat Protection' (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
MLBehaviorAnalyticsAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'MLBehaviorAnalytics' (required) |
| properties | MLBehaviorAnalytics alert rule properties | MLBehaviorAnalyticsAlertRuleProperties |
MLBehaviorAnalyticsAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
NrtAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'NRT' (required) |
| properties | NRT alert rule properties | NrtAlertRuleProperties |
NrtAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | NrtAlertRulePropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string (required) |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' (required) |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
NrtAlertRulePropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'Scheduled' (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
| Name | Description | Value |
|---|
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
| eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
| incidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | IncidentConfiguration |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| sentinelEntitiesMappings | Array of the sentinel entity mappings of the alert rule | SentinelEntityMapping[] |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
| techniques | The techniques of the alert rule | string[] |
| templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2> | string |
| triggerOperator | The operation against the threshold that triggers alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
| triggerThreshold | The threshold triggers this alert rule. | int |
SentinelEntityMapping
| Name | Description | Value |
|---|---|---|
| columnName | the column name to be mapped to the SentinelEntities | string |
ThreatIntelligenceAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The kind of the alert rule | 'ThreatIntelligence' (required) |
| properties | Threat Intelligence alert rule properties | ThreatIntelligenceAlertRuleProperties |
ThreatIntelligenceAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |