Azure · lirenhe · Feb 12, 2020 · Jan 14, 2020 · Jan 14, 2020 · Jan 15, 2020
diff --git a/...ights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json b/...ights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json
diff --git a/...icrosoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json b/...icrosoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json
@@ -0,0 +1,47 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+    "action": {
+      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+      "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+      "type": "Microsoft.SecurityInsights/alertRules/actions",
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
+        "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}
diff --git a/...icrosoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json b/...icrosoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json
@@ -0,0 +1,15 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}
diff --git a/...crosoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json b/...crosoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json
@@ -0,0 +1,25 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}
diff --git a/...crosoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json b/...crosoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json
@@ -0,0 +1,28 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "type": "Microsoft.SecurityInsights/alertRules/actions",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+              "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+            }
+          }
+        ]
+      }
+    }
+  }
+}
diff --git a/...crosoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json b/...crosoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json
@@ -0,0 +1,66 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "myFirstFusionRule",
+    "alertRule": {
+      "kind": "Fusion",
+      "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
+      "properties": {
+        "enabled": "true",
+        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    }
+  }
+}
diff --git a/...able/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/...able/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json
@@ -0,0 +1,59 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "microsoftSecurityIncidentCreationRuleExample",
+    "alertRule": {
+      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+      "kind": "MicrosoftSecurityIncidentCreation",
+      "properties": {
+        "productFilter": "Microsoft Cloud App Security",
+        "displayName": "testing displayname",
+        "enabled": true
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    }
+  }
+}
diff --git a/...soft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json b/...soft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json
@@ -0,0 +1,89 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "alertRule": {
+      "kind": "Scheduled",
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "displayName": "Rule2",
+        "description": "",
+        "severity": "High",
+        "enabled": true,
+        "tactics": [
+          "Persistence",
+          "LateralMovement"
+        ],
+        "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "P2DT1H30M",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Scheduled",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "alertRuleTemplateName": null,
+          "displayName": "Rule2",
+          "description": "",
+          "severity": "High",
+          "enabled": true,
+          "tactics": [
+            "Persistence",
+            "LateralMovement"
+          ],
+          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "queryFrequency": "PT1H",
+          "queryPeriod": "P2DT1H30M",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "suppressionDuration": "PT1H",
+          "suppressionEnabled": false,
+          "lastModifiedUtc": "2019-01-01T13:15:30Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Scheduled",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "alertRuleTemplateName": null,
+          "displayName": "Rule2",
+          "description": "",
+          "severity": "High",
+          "enabled": true,
+          "tactics": [
+            "Persistence",
+            "LateralMovement"
+          ],
+          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "queryFrequency": "PT1H",
+          "queryPeriod": "P2DT1H30M",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "suppressionDuration": "PT1H",
+          "suppressionEnabled": false,
+          "lastModifiedUtc": "2019-01-01T13:15:30Z"
+        }
+      }
+    }
+  }
+}
diff --git a/...ger/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json b/...ger/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json
@@ -0,0 +1,14 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}