API versions (this page documents 2025-06-01, the latest):
- 2025-06-01
- 2025-04-01-preview
- 2025-03-01
- 2025-01-01-preview
- 2024-10-01-preview
- 2024-09-01
- 2024-04-01-preview
- 2024-03-01
- 2024-01-01-preview
- 2023-12-01-preview
- 2023-11-01
- 2023-10-01-preview
- 2023-09-01-preview
- 2023-08-01-preview
- 2023-07-01-preview
- 2023-06-01-preview
- 2023-05-01-preview
- 2023-04-01-preview
- 2023-03-01-preview
- 2023-02-01
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-03-01-preview
- 2020-01-01
- 2019-01-01-preview
Bicep resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/alertRules@2025-06-01' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
  kind: 'Fusion'
  properties: {
    alertRuleTemplateName: 'string'
    enabled: bool
  }
}
For MicrosoftSecurityIncidentCreation, use:
{
  kind: 'MicrosoftSecurityIncidentCreation'
  properties: {
    alertRuleTemplateName: 'string'
    description: 'string'
    displayName: 'string'
    displayNamesExcludeFilter: [
      'string'
    ]
    displayNamesFilter: [
      'string'
    ]
    enabled: bool
    productFilter: 'string'
    severitiesFilter: [
      'string'
    ]
  }
}
For Scheduled, use:
{
  kind: 'Scheduled'
  properties: {
    alertDetailsOverride: {
      alertDescriptionFormat: 'string'
      alertDisplayNameFormat: 'string'
      alertDynamicProperties: [
        {
          alertProperty: 'string'
          value: 'string'
        }
      ]
      alertSeverityColumnName: 'string'
      alertTacticsColumnName: 'string'
    }
    alertRuleTemplateName: 'string'
    customDetails: {
      {customized property}: 'string'
    }
    description: 'string'
    displayName: 'string'
    enabled: bool
    entityMappings: [
      {
        entityType: 'string'
        fieldMappings: [
          {
            columnName: 'string'
            identifier: 'string'
          }
        ]
      }
    ]
    eventGroupingSettings: {
      aggregationKind: 'string'
    }
    incidentConfiguration: {
      createIncident: bool
      groupingConfiguration: {
        enabled: bool
        groupByAlertDetails: [
          'string'
        ]
        groupByCustomDetails: [
          'string'
        ]
        groupByEntities: [
          'string'
        ]
        lookbackDuration: 'string'
        matchingMethod: 'string'
        reopenClosedIncident: bool
      }
    }
    query: 'string'
    queryFrequency: 'string'
    queryPeriod: 'string'
    severity: 'string'
    suppressionDuration: 'string'
    suppressionEnabled: bool
    tactics: [
      'string'
    ]
    techniques: [
      'string'
    ]
    templateVersion: 'string'
    triggerOperator: 'string'
    triggerThreshold: int
  }
}
Property Values
Microsoft.SecurityInsights/alertRules
Name | Description | Value |
---|---|---|
etag | Etag of the azure resource | string |
kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'Scheduled' (required) |
name | The resource name | string (required) |
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
AlertDetailsOverride
Name | Description | Value |
---|---|---|
alertDescriptionFormat | the format containing column name(s) to override the alert description | string |
alertDisplayNameFormat | the format containing column name(s) to override the alert name | string |
alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
alertSeverityColumnName | the column name to take the alert severity from | string |
alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
Name | Description | Value |
---|---|---|
alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
value | the column name to use to override this property | string |
EntityMapping
Name | Description | Value |
---|---|---|
entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
Name | Description | Value |
---|---|---|
aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
Name | Description | Value |
---|---|---|
columnName | the column name to be mapped to the identifier | string |
identifier | the V3 identifier of the entity | string |
FusionAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Fusion' (required) |
properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
GroupingConfiguration
Name | Description | Value |
---|---|---|
enabled | Grouping enabled | bool (required) |
groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
Name | Description | Value |
---|---|---|
createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
groupingConfiguration | Set how the alerts that are triggered by this analytics rule are grouped into incidents | GroupingConfiguration |
MicrosoftSecurityIncidentCreationAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'MicrosoftSecurityIncidentCreation' (required) |
properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' (required) |
severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
ScheduledAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Scheduled' (required) |
properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
Name | Description | Value |
---|---|---|
ScheduledAlertRuleProperties
Name | Description | Value |
---|---|---|
alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
incidentConfiguration | The settings of the incidents that are created from alerts triggered by this analytics rule | IncidentConfiguration |
query | The query that creates alerts for this rule. | string |
queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
suppressionDuration | The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered. | string (required) |
suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
techniques | The techniques of the alert rule | string[] |
templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example <1.0.2> | string |
triggerOperator | The operation against the threshold that triggers the alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
triggerThreshold | The threshold that triggers this alert rule. | int |
ARM template resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following JSON to your template.
{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
  "kind": "Fusion",
  "properties": {
    "alertRuleTemplateName": "string",
    "enabled": "bool"
  }
}
For MicrosoftSecurityIncidentCreation, use:
{
  "kind": "MicrosoftSecurityIncidentCreation",
  "properties": {
    "alertRuleTemplateName": "string",
    "description": "string",
    "displayName": "string",
    "displayNamesExcludeFilter": [ "string" ],
    "displayNamesFilter": [ "string" ],
    "enabled": "bool",
    "productFilter": "string",
    "severitiesFilter": [ "string" ]
  }
}
For Scheduled, use:
{
  "kind": "Scheduled",
  "properties": {
    "alertDetailsOverride": {
      "alertDescriptionFormat": "string",
      "alertDisplayNameFormat": "string",
      "alertDynamicProperties": [
        {
          "alertProperty": "string",
          "value": "string"
        }
      ],
      "alertSeverityColumnName": "string",
      "alertTacticsColumnName": "string"
    },
    "alertRuleTemplateName": "string",
    "customDetails": {
      "{customized property}": "string"
    },
    "description": "string",
    "displayName": "string",
    "enabled": "bool",
    "entityMappings": [
      {
        "entityType": "string",
        "fieldMappings": [
          {
            "columnName": "string",
            "identifier": "string"
          }
        ]
      }
    ],
    "eventGroupingSettings": {
      "aggregationKind": "string"
    },
    "incidentConfiguration": {
      "createIncident": "bool",
      "groupingConfiguration": {
        "enabled": "bool",
        "groupByAlertDetails": [ "string" ],
        "groupByCustomDetails": [ "string" ],
        "groupByEntities": [ "string" ],
        "lookbackDuration": "string",
        "matchingMethod": "string",
        "reopenClosedIncident": "bool"
      }
    },
    "query": "string",
    "queryFrequency": "string",
    "queryPeriod": "string",
    "severity": "string",
    "suppressionDuration": "string",
    "suppressionEnabled": "bool",
    "tactics": [ "string" ],
    "techniques": [ "string" ],
    "templateVersion": "string",
    "triggerOperator": "string",
    "triggerThreshold": "int"
  }
}
Property Values
Microsoft.SecurityInsights/alertRules
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2025-06-01' |
etag | Etag of the azure resource | string |
kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'Scheduled' (required) |
name | The resource name | string (required) |
type | The resource type | 'Microsoft.SecurityInsights/alertRules' |
AlertDetailsOverride
Name | Description | Value |
---|---|---|
alertDescriptionFormat | the format containing column name(s) to override the alert description | string |
alertDisplayNameFormat | the format containing column name(s) to override the alert name | string |
alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
alertSeverityColumnName | the column name to take the alert severity from | string |
alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
Name | Description | Value |
---|---|---|
alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
value | the column name to use to override this property | string |
EntityMapping
Name | Description | Value |
---|---|---|
entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
Name | Description | Value |
---|---|---|
aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
Name | Description | Value |
---|---|---|
columnName | the column name to be mapped to the identifier | string |
identifier | the V3 identifier of the entity | string |
FusionAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Fusion' (required) |
properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
GroupingConfiguration
Name | Description | Value |
---|---|---|
enabled | Grouping enabled | bool (required) |
groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
Name | Description | Value |
---|---|---|
createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
groupingConfiguration | Set how the alerts that are triggered by this analytics rule are grouped into incidents | GroupingConfiguration |
MicrosoftSecurityIncidentCreationAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'MicrosoftSecurityIncidentCreation' (required) |
properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' (required) |
severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
ScheduledAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Scheduled' (required) |
properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
Name | Description | Value |
---|---|---|
ScheduledAlertRuleProperties
Name | Description | Value |
---|---|---|
alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
incidentConfiguration | The settings of the incidents that are created from alerts triggered by this analytics rule | IncidentConfiguration |
query | The query that creates alerts for this rule. | string |
queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
suppressionDuration | The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered. | string (required) |
suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
techniques | The techniques of the alert rule | string[] |
templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example <1.0.2> | string |
triggerOperator | The operation against the threshold that triggers the alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
triggerThreshold | The threshold that triggers this alert rule. | int |
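The property tables above state several cross-field constraints that the resource provider enforces only at deployment time: matchingMethod 'Selected' needs at least one non-empty groupBy* list, groupByCustomDetails may only name keys present in customDetails, groupByEntities may only name entity types present in entityMappings, and the frequency, period, suppression and lookback fields must be ISO 8601 durations. The following validator is an added example (not code from this page or from Microsoft) that checks a Scheduled rule body in the ARM JSON shape shown above against those constraints before it is submitted, so a broken analytics rule fails in CI rather than in a deployment. The sample rule, its KQL query and its customDetails names are constructed for illustration, and the duration check is a simplified day/hour/minute/second subset of ISO 8601, which is an assumption rather than the provider's grammar.

```python
"""Pre-deployment checks for a Microsoft.SecurityInsights/alertRules body of kind 'Scheduled'.
Added example; the rules enforced are the ones stated in the property tables."""
import copy
import re

KINDS = {"Fusion", "MicrosoftSecurityIncidentCreation", "Scheduled"}
SEVERITIES = {"High", "Informational", "Low", "Medium"}
TRIGGER_OPERATORS = {"Equal", "GreaterThan", "LessThan", "NotEqual"}
AGGREGATION_KINDS = {"AlertPerResult", "SingleAlert"}
MATCHING_METHODS = {"AllEntities", "AnyAlert", "Selected"}
ALERT_DETAILS = {"DisplayName", "Severity"}
ENTITY_TYPES = {"Account", "AzureResource", "CloudApplication", "DNS", "File", "FileHash",
                "Host", "IP", "Mailbox", "MailCluster", "MailMessage", "Malware", "Process",
                "RegistryKey", "RegistryValue", "SecurityGroup", "SubmissionMail", "URL"}
# Assumption: the day/hour/minute/second subset of ISO 8601 durations is enough for rule timings.
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def is_iso8601_duration(value):
    """True for strings such as 'PT5M' or 'P14D'; bare 'P'/'PT' and non-strings are rejected."""
    m = ISO_DURATION.match(value if isinstance(value, str) else "")
    return bool(m) and any(g is not None for g in m.groups())


def _enum(findings, path, value, allowed, required=False):
    if value is None:
        if required:
            findings.append(f"{path}: required")
    elif value not in allowed:
        findings.append(f"{path}: {value!r} not one of {sorted(allowed)}")


def validate_scheduled_rule(rule):
    """Return the list of violated constraints; an empty list means the body passes."""
    f = []
    _enum(f, "kind", rule.get("kind"), KINDS, required=True)
    if rule.get("kind") != "Scheduled":
        return f  # only the Scheduled shape is checked here
    p = rule.get("properties") or {}
    for key in ("displayName", "suppressionDuration"):
        if not p.get(key):
            f.append(f"properties.{key}: required")
    for key in ("enabled", "suppressionEnabled"):
        if not isinstance(p.get(key), bool):
            f.append(f"properties.{key}: required bool")
    _enum(f, "properties.severity", p.get("severity"), SEVERITIES)
    _enum(f, "properties.triggerOperator", p.get("triggerOperator"), TRIGGER_OPERATORS)
    for key in ("queryFrequency", "queryPeriod", "suppressionDuration"):
        if key in p and not is_iso8601_duration(p[key]):
            f.append(f"properties.{key}: {p[key]!r} is not an ISO 8601 duration")
    _enum(f, "properties.eventGroupingSettings.aggregationKind",
          (p.get("eventGroupingSettings") or {}).get("aggregationKind"), AGGREGATION_KINDS)
    mapped = set()  # entity types the rule actually maps; groupByEntities must stay within them
    for i, em in enumerate(p.get("entityMappings") or []):
        _enum(f, f"properties.entityMappings[{i}].entityType", em.get("entityType"), ENTITY_TYPES)
        mapped.add(em.get("entityType"))
    custom_keys = set((p.get("customDetails") or {}).keys())
    gc = (p.get("incidentConfiguration") or {}).get("groupingConfiguration")
    if gc is not None:
        base = "properties.incidentConfiguration.groupingConfiguration"
        _enum(f, f"{base}.matchingMethod", gc.get("matchingMethod"), MATCHING_METHODS, required=True)
        if not is_iso8601_duration(gc.get("lookbackDuration")):
            f.append(f"{base}.lookbackDuration: required ISO 8601 duration")
        ents, dets, custs = (gc.get(k) or [] for k in
                             ("groupByEntities", "groupByAlertDetails", "groupByCustomDetails"))
        if gc.get("matchingMethod") == "Selected" and not (ents or dets or custs):
            f.append(f"{base}: matchingMethod 'Selected' needs a non-empty groupBy* list")
        for e in sorted(set(ents) - ENTITY_TYPES):
            f.append(f"{base}.groupByEntities: unknown entity type {e!r}")
        for e in sorted((set(ents) & ENTITY_TYPES) - mapped):
            f.append(f"{base}.groupByEntities: {e!r} is not in entityMappings")
        for d in sorted(set(dets) - ALERT_DETAILS):
            f.append(f"{base}.groupByAlertDetails: {d!r} not one of {sorted(ALERT_DETAILS)}")
        for k in sorted(set(custs) - custom_keys):
            f.append(f"{base}.groupByCustomDetails: {k!r} is not a customDetails key")
    return f


# Constructed sample body in the ARM JSON shape of this page; query, names and values are illustrative.
SAMPLE_RULE = {
    "kind": "Scheduled",
    "properties": {
        "displayName": "Example: sign-ins summarised per account and source address",
        "enabled": True,
        "query": "SigninLogs | summarize count() by UserPrincipalName, IPAddress",
        "queryFrequency": "PT1H", "queryPeriod": "P1D",
        "severity": "Medium", "triggerOperator": "GreaterThan", "triggerThreshold": 0,
        "suppressionDuration": "PT5H", "suppressionEnabled": False,
        "customDetails": {"SourceIp": "IPAddress"},
        "entityMappings": [
            {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
            {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
        ],
        "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
        "incidentConfiguration": {
            "createIncident": True,
            "groupingConfiguration": {"enabled": True, "matchingMethod": "Selected", "lookbackDuration": "PT12H",
                                      "reopenClosedIncident": False, "groupByEntities": ["Account"],
                                      "groupByCustomDetails": ["SourceIp"]},
        },
    },
}


def with_grouping(rule, **grouping):
    """Deep-copy rule and overwrite fields of groupingConfiguration (used to show failing variants)."""
    r = copy.deepcopy(rule)
    r["properties"]["incidentConfiguration"]["groupingConfiguration"].update(grouping)
    return r


if __name__ == "__main__":
    print("sample:", validate_scheduled_rule(SAMPLE_RULE) or "OK")
    print("no groupBy:", validate_scheduled_rule(with_grouping(SAMPLE_RULE, groupByEntities=[], groupByCustomDetails=[])))
    print("unmapped entity:", validate_scheduled_rule(with_grouping(SAMPLE_RULE, groupByEntities=["Host"])))
```

Run the validator over the `properties` object of each alertRules resource in a template before `az deployment` is invoked; the findings name the JSON path, so the failing field can be located in the Bicep, ARM or Terraform source directly. Kinds other than Scheduled pass through unchecked beyond the kind enum, since their tables carry no cross-field constraints.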
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
Template | Description |
---|---|
Creates a new Microsoft Sentinel Scheduled Analytics Rule | This sample shows how to create a new scheduled analytics rule in Microsoft Sentinel |
Terraform (AzAPI provider) resource definition
The alertRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/alertRules objects
}
Microsoft.SecurityInsights/alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
{
  kind = "Fusion"
  properties = {
    alertRuleTemplateName = "string"
    enabled = bool
  }
}
For MicrosoftSecurityIncidentCreation, use:
{
  kind = "MicrosoftSecurityIncidentCreation"
  properties = {
    alertRuleTemplateName = "string"
    description = "string"
    displayName = "string"
    displayNamesExcludeFilter = [
      "string"
    ]
    displayNamesFilter = [
      "string"
    ]
    enabled = bool
    productFilter = "string"
    severitiesFilter = [
      "string"
    ]
  }
}
For Scheduled, use:
{
  kind = "Scheduled"
  properties = {
    alertDetailsOverride = {
      alertDescriptionFormat = "string"
      alertDisplayNameFormat = "string"
      alertDynamicProperties = [
        {
          alertProperty = "string"
          value = "string"
        }
      ]
      alertSeverityColumnName = "string"
      alertTacticsColumnName = "string"
    }
    alertRuleTemplateName = "string"
    customDetails = {
      {customized property} = "string"
    }
    description = "string"
    displayName = "string"
    enabled = bool
    entityMappings = [
      {
        entityType = "string"
        fieldMappings = [
          {
            columnName = "string"
            identifier = "string"
          }
        ]
      }
    ]
    eventGroupingSettings = {
      aggregationKind = "string"
    }
    incidentConfiguration = {
      createIncident = bool
      groupingConfiguration = {
        enabled = bool
        groupByAlertDetails = [
          "string"
        ]
        groupByCustomDetails = [
          "string"
        ]
        groupByEntities = [
          "string"
        ]
        lookbackDuration = "string"
        matchingMethod = "string"
        reopenClosedIncident = bool
      }
    }
    query = "string"
    queryFrequency = "string"
    queryPeriod = "string"
    severity = "string"
    suppressionDuration = "string"
    suppressionEnabled = bool
    tactics = [
      "string"
    ]
    techniques = [
      "string"
    ]
    templateVersion = "string"
    triggerOperator = "string"
    triggerThreshold = int
  }
}
Property Values
Microsoft.SecurityInsights/alertRules
Name | Description | Value |
---|---|---|
etag | Etag of the azure resource | string |
kind | Set to 'Fusion' for type FusionAlertRule. Set to 'MicrosoftSecurityIncidentCreation' for type MicrosoftSecurityIncidentCreationAlertRule. Set to 'Scheduled' for type ScheduledAlertRule. | 'Fusion' 'MicrosoftSecurityIncidentCreation' 'Scheduled' (required) |
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
type | The resource type | "Microsoft.SecurityInsights/alertRules@2025-06-01" |
AlertDetailsOverride
Name | Description | Value |
---|---|---|
alertDescriptionFormat | the format containing column name(s) to override the alert description | string |
alertDisplayNameFormat | the format containing column name(s) to override the alert name | string |
alertDynamicProperties | List of additional dynamic properties to override | AlertPropertyMapping[] |
alertSeverityColumnName | the column name to take the alert severity from | string |
alertTacticsColumnName | the column name to take the alert tactics from | string |
AlertPropertyMapping
Name | Description | Value |
---|---|---|
alertProperty | The V3 alert property | 'AlertLink' 'ConfidenceLevel' 'ConfidenceScore' 'ExtendedLinks' 'ProductComponentName' 'ProductName' 'ProviderName' 'RemediationSteps' 'Techniques' |
value | the column name to use to override this property | string |
EntityMapping
Name | Description | Value |
---|---|---|
entityType | The V3 type of the mapped entity | 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
fieldMappings | array of field mappings for the given entity mapping | FieldMapping[] |
EventGroupingSettings
Name | Description | Value |
---|---|---|
aggregationKind | The event grouping aggregation kinds | 'AlertPerResult' 'SingleAlert' |
FieldMapping
Name | Description | Value |
---|---|---|
columnName | the column name to be mapped to the identifier | string |
identifier | the V3 identifier of the entity | string |
FusionAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Fusion' (required) |
properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
GroupingConfiguration
Name | Description | Value |
---|---|---|
enabled | Grouping enabled | bool (required) |
groupByAlertDetails | A list of alert details to group by (when matchingMethod is Selected) | String array containing any of: 'DisplayName' 'Severity' |
groupByCustomDetails | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | string[] |
groupByEntities | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | String array containing any of: 'Account' 'AzureResource' 'CloudApplication' 'DNS' 'File' 'FileHash' 'Host' 'IP' 'Mailbox' 'MailCluster' 'MailMessage' 'Malware' 'Process' 'RegistryKey' 'RegistryValue' 'SecurityGroup' 'SubmissionMail' 'URL' |
lookbackDuration | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | string (required) |
matchingMethod | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | 'AllEntities' 'AnyAlert' 'Selected' (required) |
reopenClosedIncident | Re-open closed matching incidents | bool (required) |
IncidentConfiguration
Name | Description | Value |
---|---|---|
createIncident | Create incidents from alerts triggered by this analytics rule | bool (required) |
groupingConfiguration | Set how the alerts that are triggered by this analytics rule are grouped into incidents | GroupingConfiguration |
MicrosoftSecurityIncidentCreationAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'MicrosoftSecurityIncidentCreation' (required) |
properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
Name | Description | Value |
---|---|---|
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' (required) |
severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
ScheduledAlertRule
Name | Description | Value |
---|---|---|
kind | The alert rule kind | 'Scheduled' (required) |
properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleCommonPropertiesCustomDetails
Name | Description | Value |
---|---|---|
ScheduledAlertRuleProperties
Name | Description | Value |
---|---|---|
alertDetailsOverride | The alert details override settings | AlertDetailsOverride |
alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
customDetails | Dictionary of string key-value pairs of columns to be attached to the alert | ScheduledAlertRuleCommonPropertiesCustomDetails |
description | The description of the alert rule. | string |
displayName | The display name for alerts created by this alert rule. | string (required) |
enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
entityMappings | Array of the entity mappings of the alert rule | EntityMapping[] |
eventGroupingSettings | The event grouping settings. | EventGroupingSettings |
incidentConfiguration | The settings of the incidents that are created from alerts triggered by this analytics rule | IncidentConfiguration |
query | The query that creates alerts for this rule. | string |
queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
suppressionDuration | The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered. | string (required) |
suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'ImpairProcessControl' 'InhibitResponseFunction' 'InitialAccess' 'LateralMovement' 'Persistence' 'PreAttack' 'PrivilegeEscalation' 'Reconnaissance' 'ResourceDevelopment' |
techniques | The techniques of the alert rule | string[] |
templateVersion | The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example <1.0.2> | string |
triggerOperator | The operation against the threshold that triggers the alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
triggerThreshold | The threshold that triggers this alert rule. | int |