<?xml version='1.0' encoding='utf-8'?>
<CodeGen plane="mgmt-plane">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlcy97cnVsZUlkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<commandGroup name="sentinel alert-rule">
<command name="show" version="2022-06-01-preview">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlcy97cnVsZUlkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<argGroup name="">
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
<arg type="string" var="$Path.ruleId" options="rule-name name n" required="True" stage="Experimental" idPart="child_name_1">
<help short="Name of alert rule."/>
</arg>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<operation operationId="AlertRules_Get">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}">
<request method="get">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="ruleId" arg="$Path.ruleId" required="True"/>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
</request>
<response statusCode="200">
<body>
<json var="$Instance">
<schema type="object">
<prop type="string" name="etag"/>
<prop readOnly="True" type="ResourceId" name="id">
<format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/alertRules/{}"/>
</prop>
<prop type="string" name="kind" required="True">
<enum>
<item value=""Fusion""/>
<item value=""MLBehaviorAnalytics""/>
<item value=""MicrosoftSecurityIncidentCreation""/>
<item value=""NRT""/>
<item value=""Scheduled""/>
<item value=""ThreatIntelligence""/>
</enum>
</prop>
<prop readOnly="True" type="string" name="name"/>
<prop readOnly="True" type="object" name="systemData">
<prop readOnly="True" type="dateTime" name="createdAt"/>
<prop readOnly="True" type="string" name="createdBy"/>
<prop readOnly="True" type="string" name="createdByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
<prop readOnly="True" type="string" name="lastModifiedBy"/>
<prop readOnly="True" type="string" name="lastModifiedByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
</prop>
<prop readOnly="True" type="string" name="type"/>
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="array<object>" name="scenarioExclusionPatterns">
<item type="object">
<prop type="string" name="dateAddedInUTC" required="True"/>
<prop type="string" name="exclusionPattern" required="True"/>
</item>
</prop>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="array<object>" name="sourceSettings">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="object" name="severityFilters" required="True">
<prop type="array<object>" name="filters">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
</item>
</prop>
<prop readOnly="True" type="boolean" name="isSupported"/>
</prop>
<prop readOnly="True" type="string" name="sourceSubTypeDisplayName"/>
<prop type="string" name="sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName"/>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter">
<item type="string"/>
</prop>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<string>" name="severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<prop type="@AlertDetailsOverride_read" name="alertDetailsOverride"/>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="@EntityMappings_read" name="entityMappings"/>
<prop type="@IncidentConfiguration_read" name="incidentConfiguration"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
</prop>
</discriminator>
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<prop type="object" name="alertDetailsOverride" cls="AlertDetailsOverride_read">
<prop type="string" name="alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName"/>
</prop>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<object>" name="entityMappings" cls="EntityMappings_read">
<item type="object">
<prop type="string" name="entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings">
<item type="object">
<prop type="string" name="columnName"/>
<prop type="string" name="identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings">
<prop type="string" name="aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop type="object" name="incidentConfiguration" cls="IncidentConfiguration_read">
<prop type="boolean" name="createIncident" required="True"/>
<prop type="object" name="groupingConfiguration">
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<string>" name="groupByAlertDetails">
<item type="string">
<enum>
<item value=""DisplayName""/>
<item value=""Severity""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="groupByCustomDetails">
<item type="string"/>
</prop>
<prop type="array<string>" name="groupByEntities">
<item type="string">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</item>
</prop>
<prop type="duration" name="lookbackDuration" required="True"/>
<prop type="string" name="matchingMethod" required="True">
<enum>
<item value=""AllEntities""/>
<item value=""AnyAlert""/>
<item value=""Selected""/>
</enum>
</prop>
<prop type="boolean" name="reopenClosedIncident" required="True"/>
</prop>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="duration" name="queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
<prop type="string" name="triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
</schema>
</json>
</body>
</response>
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
<output type="object" ref="$Instance" clientFlatten="True"/>
</command>
<command name="delete" version="2022-06-01-preview" confirmation="Are you sure you want to perform this operation?">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlcy97cnVsZUlkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<argGroup name="">
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
<arg type="string" var="$Path.ruleId" options="rule-name name n" required="True" stage="Experimental" idPart="child_name_1">
<help short="Name of alert rule."/>
</arg>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<operation operationId="AlertRules_Delete">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}">
<request method="delete">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="ruleId" arg="$Path.ruleId" required="True"/>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
</request>
<response statusCode="200"/>
<response statusCode="204"/>
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
</command>
<command name="create" version="2022-06-01-preview">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlcy97cnVsZUlkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<argGroup name="">
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
<arg type="string" var="$Path.ruleId" options="rule-name name n" required="True" stage="Experimental" idPart="child_name_1">
<help short="Name of alert rule."/>
</arg>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<argGroup name="AlertRule">
<arg type="object" var="$alertRule.Fusion" options="fusion" group="AlertRule">
<arg type="string" var="$alertRule.Fusion.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.Fusion.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg type="array<object>" var="$alertRule.Fusion.properties.scenarioExclusionPatterns" options="scenario-exclusion-patterns" group="Properties">
<help short="Configuration to exclude scenarios in fusion detection."/>
<item type="object">
<arg type="string" var="$alertRule.Fusion.properties.scenarioExclusionPatterns[].dateAddedInUTC" options="date-added-in-utc" required="True">
<help short="DateTime when scenario exclusion pattern is added in UTC."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.scenarioExclusionPatterns[].exclusionPattern" options="exclusion-pattern" required="True">
<help short="Scenario exclusion pattern."/>
</arg>
</item>
</arg>
<arg type="array<object>" var="$alertRule.Fusion.properties.sourceSettings" options="source-settings" group="Properties">
<help short="Configuration for all supported source signals in fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].enabled" options="enabled" required="True">
<help short="Determines whether this source signal is enabled or disabled in Fusion detection."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceName" options="source-name" required="True">
<help short="Name of the Fusion source signal. Refer to Fusion alert rule template for supported values."/>
</arg>
<arg type="array<object>" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes" options="source-sub-types">
<help short="Configuration for all source subtypes under this source signal consumed in fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].enabled" options="enabled" required="True">
<help short="Determines whether this source subtype under source signal is enabled or disabled in Fusion detection."/>
</arg>
<arg type="object" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters" options="severity-filters" required="True">
<help short="Severity configuration for a source subtype consumed in fusion detection."/>
<arg type="array<object>" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters" options="filters">
<help short="Individual Severity configuration settings for a given source subtype consumed in Fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].enabled" options="enabled" required="True">
<help short="Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].severity" options="severity" required="True">
<help short="The Severity for a given source subtype consumed in Fusion detection."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
</item>
</arg>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].sourceSubTypeName" options="source-sub-type-name" required="True">
<help short="The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values."/>
</arg>
</item>
</arg>
</item>
</arg>
</arg>
<arg type="object" var="$alertRule.MLBehaviorAnalytics" options="ml-behavior-analytics" group="AlertRule">
<arg type="string" var="$alertRule.MLBehaviorAnalytics.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.MLBehaviorAnalytics.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
</arg>
<arg type="object" var="$alertRule.MicrosoftSecurityIncidentCreation" options="ms-security-incident" stage="Experimental" group="AlertRule">
<help short="Microsoft security incident creation."/>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesExcludeFilter" options="display-names-exclude-filter" group="Properties">
<help short="The alerts' displayNames for which cases will not be generated."/>
<item type="string"/>
</arg>
<arg type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesFilter" options="display-names-filter" group="Properties">
<help short="The alerts' displayNames for which cases will be generated."/>
<item type="string"/>
</arg>
<arg type="boolean" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.productFilter" options="product-filter" group="Properties">
<help short="The alerts' productName for which cases will be generated."/>
<enum>
<item name="Azure Active Directory Identity Protection" value=""Azure Active Directory Identity Protection""/>
<item name="Azure Advanced Threat Protection" value=""Azure Advanced Threat Protection""/>
<item name="Azure Security Center" value=""Azure Security Center""/>
<item name="Azure Security Center for IoT" value=""Azure Security Center for IoT""/>
<item name="Microsoft Cloud App Security" value=""Microsoft Cloud App Security""/>
<item name="Microsoft Defender Advanced Threat Protection" value=""Microsoft Defender Advanced Threat Protection""/>
<item name="Office 365 Advanced Threat Protection" value=""Office 365 Advanced Threat Protection""/>
</enum>
</arg>
<arg type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.severitiesFilter" options="severities-filter" group="Properties">
<help short="The alerts' severities for which cases will be generated."/>
<item type="string">
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</item>
</arg>
</arg>
<arg type="object" var="$alertRule.NRT" options="nrt" group="AlertRule">
<arg type="@AlertDetailsOverride_create" var="$alertRule.NRT.properties.alertDetailsOverride" options="alert-details-override" group="Properties">
<help short="The alert details override settings."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="object" var="$alertRule.NRT.properties.customDetails" options="custom-details" group="Properties">
<help short="Dictionary of string key-value pairs of columns to be attached to the alert."/>
<additionalProp>
<item type="string"/>
</additionalProp>
</arg>
<arg type="string" var="$alertRule.NRT.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg type="boolean" var="$alertRule.NRT.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg type="@EntityMappings_create" var="$alertRule.NRT.properties.entityMappings" options="entity-mappings" group="Properties">
<help short="Array of the entity mappings of the alert rule."/>
</arg>
<arg type="@IncidentConfiguration_create" var="$alertRule.NRT.properties.incidentConfiguration" options="incident-configuration" group="Properties">
<help short="The settings of the incidents that are created from alerts triggered by this analytics rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.query" options="query" group="Properties">
<help short="The query that creates alerts for this rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.severity" options="severity" group="Properties">
<help short="The severity for alerts created by this alert rule."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
<arg type="duration" var="$alertRule.NRT.properties.suppressionDuration" options="suppression-duration" group="Properties">
<help short="The suppression (in ISO 8601 duration format) to wait since the last time this alert rule was triggered."/>
</arg>
<arg type="boolean" var="$alertRule.NRT.properties.suppressionEnabled" options="suppression-enabled" group="Properties">
<help short="Determines whether the suppression for this alert rule is enabled or disabled."/>
</arg>
<arg type="array<string>" var="$alertRule.NRT.properties.tactics" options="tactics" group="Properties">
<help short="The tactics of the alert rule."/>
<item type="string">
<enum>
<item name="Collection" value=""Collection""/>
<item name="CommandAndControl" value=""CommandAndControl""/>
<item name="CredentialAccess" value=""CredentialAccess""/>
<item name="DefenseEvasion" value=""DefenseEvasion""/>
<item name="Discovery" value=""Discovery""/>
<item name="Execution" value=""Execution""/>
<item name="Exfiltration" value=""Exfiltration""/>
<item name="Impact" value=""Impact""/>
<item name="ImpairProcessControl" value=""ImpairProcessControl""/>
<item name="InhibitResponseFunction" value=""InhibitResponseFunction""/>
<item name="InitialAccess" value=""InitialAccess""/>
<item name="LateralMovement" value=""LateralMovement""/>
<item name="Persistence" value=""Persistence""/>
<item name="PreAttack" value=""PreAttack""/>
<item name="PrivilegeEscalation" value=""PrivilegeEscalation""/>
<item name="Reconnaissance" value=""Reconnaissance""/>
<item name="ResourceDevelopment" value=""ResourceDevelopment""/>
</enum>
</item>
</arg>
<arg type="array<string>" var="$alertRule.NRT.properties.techniques" options="techniques" group="Properties">
<help short="The techniques of the alert rule"/>
<item type="string"/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.templateVersion" options="template-version" group="Properties">
<help short="The version of the alert rule template used to create this rule, in the form a.b.c where a, b and c are numbers, for example 1.0.2"/>
</arg>
</arg>
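<arg type="object" var="$alertRule.Scheduled" options="scheduled" group="AlertRule">
<!-- kind="Scheduled": a query run on a fixed schedule (query-frequency) over a lookback window (query-period); an alert is raised when the query results satisfy trigger-operator / trigger-threshold. -->
<!-- NOTE(review): the PUT request schema for this kind marks displayName, enabled, query, queryFrequency, queryPeriod, severity, suppressionDuration, suppressionEnabled, triggerOperator and triggerThreshold required="True" (see the Scheduled discriminator in the request body), but the corresponding args below are not marked required. Confirm that the generator or the service rejects a create that omits them. -->
<arg type="object" var="$alertRule.Scheduled.properties.alertDetailsOverride" options="alert-details-override" group="Properties" cls="AlertDetailsOverride_create">
<help short="Settings that override alert details with values taken from result columns"/>
<arg type="string" var="@AlertDetailsOverride_create.alertDescriptionFormat" options="alert-description-format">
<help short="Format string containing column name(s) whose values override the alert description"/>
</arg>
<arg type="string" var="@AlertDetailsOverride_create.alertDisplayNameFormat" options="alert-display-name-format">
<help short="Format string containing column name(s) whose values override the alert name"/>
</arg>
<arg type="string" var="@AlertDetailsOverride_create.alertSeverityColumnName" options="alert-severity-column-name">
<help short="Name of the result column to take the alert severity from"/>
</arg>
<arg type="string" var="@AlertDetailsOverride_create.alertTacticsColumnName" options="alert-tactics-column-name">
<help short="Name of the result column to take the alert tactics from"/>
</arg>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="object" var="$alertRule.Scheduled.properties.customDetails" options="custom-details" group="Properties">
<help short="Dictionary of string key-value pairs of columns to be attached to the alert"/>
<additionalProp>
<item type="string"/>
</additionalProp>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg type="boolean" var="$alertRule.Scheduled.properties.enabled" options="enabled" group="Properties">
<!-- Disabling a rule stops it from producing alerts. The actor of such a change is recorded in the response's systemData.lastModifiedBy / lastModifiedByType, which is what to audit for unexpected detection changes. -->
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<!-- Entity mappings tie result columns to entity identifiers; only entity types mapped here may be used by group-by-entities in the incident configuration below (see its help). -->
<arg type="array<object>" var="$alertRule.Scheduled.properties.entityMappings" options="entity-mappings" group="Properties" cls="EntityMappings_create">
<help short="Array of the entity mappings of the alert rule"/>
<item type="object">
<arg type="string" var="@EntityMappings_create[].entityType" options="entity-type">
<help short="The V3 type of the mapped entity"/>
<enum>
<item name="Account" value=""Account""/>
<item name="AzureResource" value=""AzureResource""/>
<item name="CloudApplication" value=""CloudApplication""/>
<item name="DNS" value=""DNS""/>
<item name="File" value=""File""/>
<item name="FileHash" value=""FileHash""/>
<item name="Host" value=""Host""/>
<item name="IP" value=""IP""/>
<item name="MailCluster" value=""MailCluster""/>
<item name="MailMessage" value=""MailMessage""/>
<item name="Mailbox" value=""Mailbox""/>
<item name="Malware" value=""Malware""/>
<item name="Process" value=""Process""/>
<item name="RegistryKey" value=""RegistryKey""/>
<item name="RegistryValue" value=""RegistryValue""/>
<item name="SecurityGroup" value=""SecurityGroup""/>
<item name="SubmissionMail" value=""SubmissionMail""/>
<item name="URL" value=""URL""/>
</enum>
</arg>
<arg type="array<object>" var="@EntityMappings_create[].fieldMappings" options="field-mappings">
<help short="Array of field mappings for the given entity mapping"/>
<item type="object">
<arg type="string" var="@EntityMappings_create[].fieldMappings[].columnName" options="column-name">
<help short="The result column name to be mapped to the identifier"/>
</arg>
<arg type="string" var="@EntityMappings_create[].fieldMappings[].identifier" options="identifier">
<help short="The V3 identifier of the entity"/>
</arg>
</item>
</arg>
</item>
</arg>
<arg type="object" var="$alertRule.Scheduled.properties.eventGroupingSettings" options="event-grouping-settings" group="Properties">
<help short="The event grouping settings."/>
<!-- NOTE(review): presumably AlertPerResult raises one alert per result row and SingleAlert one alert per run; the enum names are the only evidence here, verify against the service documentation. -->
<arg type="string" var="$alertRule.Scheduled.properties.eventGroupingSettings.aggregationKind" options="aggregation-kind">
<help short="The event grouping aggregation kinds"/>
<enum>
<item name="AlertPerResult" value=""AlertPerResult""/>
<item name="SingleAlert" value=""SingleAlert""/>
</enum>
</arg>
</arg>
<arg type="object" var="$alertRule.Scheduled.properties.incidentConfiguration" options="incident-configuration" group="Properties" cls="IncidentConfiguration_create">
<help short="The settings of the incidents that are created from alerts triggered by this analytics rule"/>
<arg type="boolean" var="@IncidentConfiguration_create.createIncident" options="create-incident" required="True">
<help short="Create incidents from alerts triggered by this analytics rule"/>
</arg>
<arg type="object" var="@IncidentConfiguration_create.groupingConfiguration" options="grouping-configuration">
<help short="Set how the alerts that are triggered by this analytics rule, are grouped into incidents"/>
<arg type="boolean" var="@IncidentConfiguration_create.groupingConfiguration.enabled" options="enabled" required="True">
<help short="Grouping enabled"/>
</arg>
<arg type="array<string>" var="@IncidentConfiguration_create.groupingConfiguration.groupByAlertDetails" options="group-by-alert-details">
<help short="A list of alert details to group by (when matchingMethod is Selected)"/>
<item type="string">
<enum>
<item name="DisplayName" value=""DisplayName""/>
<item name="Severity" value=""Severity""/>
</enum>
</item>
</arg>
<arg type="array<string>" var="@IncidentConfiguration_create.groupingConfiguration.groupByCustomDetails" options="group-by-custom-details">
<help short="A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used."/>
<item type="string"/>
</arg>
<arg type="array<string>" var="@IncidentConfiguration_create.groupingConfiguration.groupByEntities" options="group-by-entities">
<help short="A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used."/>
<item type="string">
<enum>
<item name="Account" value=""Account""/>
<item name="AzureResource" value=""AzureResource""/>
<item name="CloudApplication" value=""CloudApplication""/>
<item name="DNS" value=""DNS""/>
<item name="File" value=""File""/>
<item name="FileHash" value=""FileHash""/>
<item name="Host" value=""Host""/>
<item name="IP" value=""IP""/>
<item name="MailCluster" value=""MailCluster""/>
<item name="MailMessage" value=""MailMessage""/>
<item name="Mailbox" value=""Mailbox""/>
<item name="Malware" value=""Malware""/>
<item name="Process" value=""Process""/>
<item name="RegistryKey" value=""RegistryKey""/>
<item name="RegistryValue" value=""RegistryValue""/>
<item name="SecurityGroup" value=""SecurityGroup""/>
<item name="SubmissionMail" value=""SubmissionMail""/>
<item name="URL" value=""URL""/>
</enum>
</item>
</arg>
<arg type="duration" var="@IncidentConfiguration_create.groupingConfiguration.lookbackDuration" options="lookback-duration" required="True">
<help short="Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)"/>
</arg>
<arg type="string" var="@IncidentConfiguration_create.groupingConfiguration.matchingMethod" options="matching-method" required="True">
<help short="Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty."/>
<enum>
<item name="AllEntities" value=""AllEntities""/>
<item name="AnyAlert" value=""AnyAlert""/>
<item name="Selected" value=""Selected""/>
</enum>
</arg>
<!-- NOTE(review): with this set to true, new matching alerts re-open incidents an analyst has already closed; keep lookback-duration bounded so old, triaged incidents are not resurrected indefinitely. -->
<arg type="boolean" var="@IncidentConfiguration_create.groupingConfiguration.reopenClosedIncident" options="reopen-closed-incident" required="True">
<help short="Re-open closed matching incidents"/>
</arg>
</arg>
</arg>
<!-- The query is the detection logic itself and is sent to the service verbatim; treat changes to it as code changes (review, version control) rather than as configuration tweaks. -->
<arg type="string" var="$alertRule.Scheduled.properties.query" options="query" group="Properties">
<help short="The query that creates alerts for this rule."/>
</arg>
<arg type="duration" var="$alertRule.Scheduled.properties.queryFrequency" options="query-frequency" group="Properties">
<help short="How often (ISO 8601 duration, e.g. PT5M) this alert rule runs."/>
</arg>
<arg type="duration" var="$alertRule.Scheduled.properties.queryPeriod" options="query-period" group="Properties">
<help short="The lookback window (ISO 8601 duration, e.g. PT1H) of data that each run of this alert rule queries."/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.severity" options="severity" group="Properties">
<help short="The severity for alerts created by this alert rule."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
<!-- Suppression quiets the rule after it fires; a long duration is a detection gap, so size it deliberately. -->
<arg type="duration" var="$alertRule.Scheduled.properties.suppressionDuration" options="suppression-duration" group="Properties">
<help short="How long (ISO 8601 duration, e.g. PT1H) to wait after this alert rule last triggered before it can trigger again. Only applied when --suppression-enabled is true."/>
</arg>
<arg type="boolean" var="$alertRule.Scheduled.properties.suppressionEnabled" options="suppression-enabled" group="Properties">
<help short="Determines whether the suppression for this alert rule is enabled or disabled."/>
</arg>
<!-- The tactic names appear to follow MITRE ATT&amp;CK (Enterprise plus ICS) naming; techniques below are free-form strings with no enum in this spec. -->
<arg type="array<string>" var="$alertRule.Scheduled.properties.tactics" options="tactics" group="Properties">
<help short="The tactics of the alert rule"/>
<item type="string">
<enum>
<item name="Collection" value=""Collection""/>
<item name="CommandAndControl" value=""CommandAndControl""/>
<item name="CredentialAccess" value=""CredentialAccess""/>
<item name="DefenseEvasion" value=""DefenseEvasion""/>
<item name="Discovery" value=""Discovery""/>
<item name="Execution" value=""Execution""/>
<item name="Exfiltration" value=""Exfiltration""/>
<item name="Impact" value=""Impact""/>
<item name="ImpairProcessControl" value=""ImpairProcessControl""/>
<item name="InhibitResponseFunction" value=""InhibitResponseFunction""/>
<item name="InitialAccess" value=""InitialAccess""/>
<item name="LateralMovement" value=""LateralMovement""/>
<item name="Persistence" value=""Persistence""/>
<item name="PreAttack" value=""PreAttack""/>
<item name="PrivilegeEscalation" value=""PrivilegeEscalation""/>
<item name="Reconnaissance" value=""Reconnaissance""/>
<item name="ResourceDevelopment" value=""ResourceDevelopment""/>
</enum>
</item>
</arg>
<arg type="array<string>" var="$alertRule.Scheduled.properties.techniques" options="techniques" group="Properties">
<help short="The techniques of the alert rule"/>
<item type="string"/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.templateVersion" options="template-version" group="Properties">
<help short="The version of the alert rule template used to create this rule, in the form a.b.c where a, b and c are numbers, for example 1.0.2"/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.triggerOperator" options="trigger-operator" group="Properties">
<help short="The comparison applied between the query results and --trigger-threshold that triggers this alert rule."/>
<enum>
<item name="Equal" value=""Equal""/>
<item name="GreaterThan" value=""GreaterThan""/>
<item name="LessThan" value=""LessThan""/>
<item name="NotEqual" value=""NotEqual""/>
</enum>
</arg>
<arg type="integer32" var="$alertRule.Scheduled.properties.triggerThreshold" options="trigger-threshold" group="Properties">
<help short="The threshold that, compared using --trigger-operator, triggers this alert rule."/>
</arg>
</arg>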
<arg type="object" var="$alertRule.ThreatIntelligence" options="threat-intelligence" group="AlertRule">
<!-- kind="ThreatIntelligence": template-driven rule; only the template name and the enabled flag are settable here. NOTE(review): the request schema's ThreatIntelligence discriminator marks both alertRuleTemplateName and enabled required="True", while neither arg below is marked required; confirm the generator or the service rejects a create without them. -->
<arg type="string" var="$alertRule.ThreatIntelligence.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.ThreatIntelligence.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
</arg>
<!-- Sent as the top-level "etag" property of the PUT body (see the request schema). NOTE(review): presumably used for optimistic concurrency so a concurrent edit of the same rule is not silently overwritten; the spec does not show an If-Match header, so confirm the service's behaviour before relying on it. -->
<arg type="string" var="$alertRule.etag" options="etag" group="AlertRule">
<help short="Etag of the azure resource"/>
</arg>
</argGroup>
<operation operationId="AlertRules_CreateOrUpdate">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}">
<request method="put">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="ruleId" arg="$Path.ruleId" required="True"/>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
<body>
<json>
<schema type="object" name="alertRule" required="True" clientFlatten="True">
<prop type="string" name="etag" arg="$alertRule.etag"/>
<prop type="string" name="kind" required="True">
<enum>
<item arg="$alertRule.Fusion" value=""Fusion""/>
<item arg="$alertRule.MLBehaviorAnalytics" value=""MLBehaviorAnalytics""/>
<item arg="$alertRule.MicrosoftSecurityIncidentCreation" value=""MicrosoftSecurityIncidentCreation""/>
<item arg="$alertRule.NRT" value=""NRT""/>
<item arg="$alertRule.Scheduled" value=""Scheduled""/>
<item arg="$alertRule.ThreatIntelligence" value=""ThreatIntelligence""/>
</enum>
</prop>
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.Fusion.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.enabled" required="True"/>
<prop type="array<object>" name="scenarioExclusionPatterns" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns">
<item type="object">
<prop type="string" name="dateAddedInUTC" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns[].dateAddedInUTC" required="True"/>
<prop type="string" name="exclusionPattern" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns[].exclusionPattern" required="True"/>
</item>
</prop>
<prop type="array<object>" name="sourceSettings" arg="$alertRule.Fusion.properties.sourceSettings">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].enabled" required="True"/>
<prop type="string" name="sourceName" arg="$alertRule.Fusion.properties.sourceSettings[].sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].enabled" required="True"/>
<prop type="object" name="severityFilters" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters" required="True">
<prop type="array<object>" name="filters" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].enabled" required="True"/>
<prop type="string" name="severity" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
</item>
</prop>
</prop>
<prop type="string" name="sourceSubTypeName" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.MLBehaviorAnalytics.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.MLBehaviorAnalytics.properties.enabled" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.alertRuleTemplateName"/>
<prop type="string" name="description" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesFilter">
<item type="string"/>
</prop>
<prop type="boolean" name="enabled" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.enabled" required="True"/>
<prop type="string" name="productFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<string>" name="severitiesFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<prop type="@AlertDetailsOverride_create" name="alertDetailsOverride" arg="$alertRule.NRT.properties.alertDetailsOverride"/>
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.NRT.properties.alertRuleTemplateName"/>
<prop type="object" name="customDetails" arg="$alertRule.NRT.properties.customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" arg="$alertRule.NRT.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.NRT.properties.displayName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.NRT.properties.enabled" required="True"/>
<prop type="@EntityMappings_create" name="entityMappings" arg="$alertRule.NRT.properties.entityMappings"/>
<prop type="@IncidentConfiguration_create" name="incidentConfiguration" arg="$alertRule.NRT.properties.incidentConfiguration"/>
<prop type="string" name="query" arg="$alertRule.NRT.properties.query" required="True"/>
<prop type="string" name="severity" arg="$alertRule.NRT.properties.severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" arg="$alertRule.NRT.properties.suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" arg="$alertRule.NRT.properties.suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics" arg="$alertRule.NRT.properties.tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques" arg="$alertRule.NRT.properties.techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion" arg="$alertRule.NRT.properties.templateVersion"/>
</prop>
</discriminator>
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<prop type="object" name="alertDetailsOverride" arg="$alertRule.Scheduled.properties.alertDetailsOverride" cls="AlertDetailsOverride_create">
<prop type="string" name="alertDescriptionFormat" arg="@AlertDetailsOverride_create.alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat" arg="@AlertDetailsOverride_create.alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName" arg="@AlertDetailsOverride_create.alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName" arg="@AlertDetailsOverride_create.alertTacticsColumnName"/>
</prop>
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.Scheduled.properties.alertRuleTemplateName"/>
<prop type="object" name="customDetails" arg="$alertRule.Scheduled.properties.customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" arg="$alertRule.Scheduled.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.Scheduled.properties.displayName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.Scheduled.properties.enabled" required="True"/>
<prop type="array<object>" name="entityMappings" arg="$alertRule.Scheduled.properties.entityMappings" cls="EntityMappings_create">
<item type="object">
<prop type="string" name="entityType" arg="@EntityMappings_create[].entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings" arg="@EntityMappings_create[].fieldMappings">
<item type="object">
<prop type="string" name="columnName" arg="@EntityMappings_create[].fieldMappings[].columnName"/>
<prop type="string" name="identifier" arg="@EntityMappings_create[].fieldMappings[].identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings" arg="$alertRule.Scheduled.properties.eventGroupingSettings">
<prop type="string" name="aggregationKind" arg="$alertRule.Scheduled.properties.eventGroupingSettings.aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop type="object" name="incidentConfiguration" arg="$alertRule.Scheduled.properties.incidentConfiguration" cls="IncidentConfiguration_create">
<prop type="boolean" name="createIncident" arg="@IncidentConfiguration_create.createIncident" required="True"/>
<prop type="object" name="groupingConfiguration" arg="@IncidentConfiguration_create.groupingConfiguration">
<prop type="boolean" name="enabled" arg="@IncidentConfiguration_create.groupingConfiguration.enabled" required="True"/>
<prop type="array<string>" name="groupByAlertDetails" arg="@IncidentConfiguration_create.groupingConfiguration.groupByAlertDetails">
<item type="string">
<enum>
<item value=""DisplayName""/>
<item value=""Severity""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="groupByCustomDetails" arg="@IncidentConfiguration_create.groupingConfiguration.groupByCustomDetails">
<item type="string"/>
</prop>
<prop type="array<string>" name="groupByEntities" arg="@IncidentConfiguration_create.groupingConfiguration.groupByEntities">
<item type="string">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</item>
</prop>
<prop type="duration" name="lookbackDuration" arg="@IncidentConfiguration_create.groupingConfiguration.lookbackDuration" required="True"/>
<prop type="string" name="matchingMethod" arg="@IncidentConfiguration_create.groupingConfiguration.matchingMethod" required="True">
<enum>
<item value=""AllEntities""/>
<item value=""AnyAlert""/>
<item value=""Selected""/>
</enum>
</prop>
<prop type="boolean" name="reopenClosedIncident" arg="@IncidentConfiguration_create.groupingConfiguration.reopenClosedIncident" required="True"/>
</prop>
</prop>
<prop type="string" name="query" arg="$alertRule.Scheduled.properties.query" required="True"/>
<prop type="duration" name="queryFrequency" arg="$alertRule.Scheduled.properties.queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" arg="$alertRule.Scheduled.properties.queryPeriod" required="True"/>
<prop type="string" name="severity" arg="$alertRule.Scheduled.properties.severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" arg="$alertRule.Scheduled.properties.suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" arg="$alertRule.Scheduled.properties.suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics" arg="$alertRule.Scheduled.properties.tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques" arg="$alertRule.Scheduled.properties.techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion" arg="$alertRule.Scheduled.properties.templateVersion"/>
<prop type="string" name="triggerOperator" arg="$alertRule.Scheduled.properties.triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" arg="$alertRule.Scheduled.properties.triggerThreshold" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.ThreatIntelligence.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.ThreatIntelligence.properties.enabled" required="True"/>
</prop>
</discriminator>
</schema>
</json>
</body>
</request>
<response statusCode="200 201">
<body>
<json var="$Instance">
<schema type="object">
<prop type="string" name="etag"/>
<prop readOnly="True" type="ResourceId" name="id">
<format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/alertRules/{}"/>
</prop>
<prop type="string" name="kind" required="True">
<enum>
<item value=""Fusion""/>
<item value=""MLBehaviorAnalytics""/>
<item value=""MicrosoftSecurityIncidentCreation""/>
<item value=""NRT""/>
<item value=""Scheduled""/>
<item value=""ThreatIntelligence""/>
</enum>
</prop>
<prop readOnly="True" type="string" name="name"/>
<prop readOnly="True" type="object" name="systemData">
<prop readOnly="True" type="dateTime" name="createdAt"/>
<prop readOnly="True" type="string" name="createdBy"/>
<prop readOnly="True" type="string" name="createdByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
<prop readOnly="True" type="string" name="lastModifiedBy"/>
<prop readOnly="True" type="string" name="lastModifiedByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
</prop>
<prop readOnly="True" type="string" name="type"/>
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="array<object>" name="scenarioExclusionPatterns">
<item type="object">
<prop type="string" name="dateAddedInUTC" required="True"/>
<prop type="string" name="exclusionPattern" required="True"/>
</item>
</prop>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="array<object>" name="sourceSettings">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="object" name="severityFilters" required="True">
<prop type="array<object>" name="filters">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
</item>
</prop>
<prop readOnly="True" type="boolean" name="isSupported"/>
</prop>
<prop readOnly="True" type="string" name="sourceSubTypeDisplayName"/>
<prop type="string" name="sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName"/>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter">
<item type="string"/>
</prop>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<string>" name="severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<prop type="@AlertDetailsOverride_read" name="alertDetailsOverride"/>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="@EntityMappings_read" name="entityMappings"/>
<prop type="@IncidentConfiguration_read" name="incidentConfiguration"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
</prop>
</discriminator>
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<prop type="object" name="alertDetailsOverride" cls="AlertDetailsOverride_read">
<prop type="string" name="alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName"/>
</prop>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<object>" name="entityMappings" cls="EntityMappings_read">
<item type="object">
<prop type="string" name="entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings">
<item type="object">
<prop type="string" name="columnName"/>
<prop type="string" name="identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings">
<prop type="string" name="aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop type="object" name="incidentConfiguration" cls="IncidentConfiguration_read">
<prop type="boolean" name="createIncident" required="True"/>
<prop type="object" name="groupingConfiguration">
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<string>" name="groupByAlertDetails">
<item type="string">
<enum>
<item value=""DisplayName""/>
<item value=""Severity""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="groupByCustomDetails">
<item type="string"/>
</prop>
<prop type="array<string>" name="groupByEntities">
<item type="string">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</item>
</prop>
<prop type="duration" name="lookbackDuration" required="True"/>
<prop type="string" name="matchingMethod" required="True">
<enum>
<item value=""AllEntities""/>
<item value=""AnyAlert""/>
<item value=""Selected""/>
</enum>
</prop>
<prop type="boolean" name="reopenClosedIncident" required="True"/>
</prop>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="duration" name="queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
<prop type="string" name="triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
</schema>
</json>
</body>
</response>
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
<output type="object" ref="$Instance" clientFlatten="True"/>
</command>
<command name="update" version="2022-06-01-preview">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlcy97cnVsZUlkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<argGroup name="">
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
<arg type="string" var="$Path.ruleId" options="rule-name name n" required="True" stage="Experimental" idPart="child_name_1">
<help short="Name of alert rule."/>
</arg>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<argGroup name="AlertRule">
<arg type="object" var="$alertRule.Fusion" options="fusion" group="AlertRule">
<arg type="string" var="$alertRule.Fusion.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.Fusion.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg nullable="True" type="array<object>" var="$alertRule.Fusion.properties.scenarioExclusionPatterns" options="scenario-exclusion-patterns" group="Properties">
<help short="Configuration to exclude scenarios in fusion detection."/>
<item type="object">
<arg type="string" var="$alertRule.Fusion.properties.scenarioExclusionPatterns[].dateAddedInUTC" options="date-added-in-utc">
<help short="DateTime when scenario exclusion pattern is added in UTC."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.scenarioExclusionPatterns[].exclusionPattern" options="exclusion-pattern">
<help short="Scenario exclusion pattern."/>
</arg>
</item>
</arg>
<arg nullable="True" type="array<object>" var="$alertRule.Fusion.properties.sourceSettings" options="source-settings" group="Properties">
<help short="Configuration for all supported source signals in fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].enabled" options="enabled">
<help short="Determines whether this source signal is enabled or disabled in Fusion detection."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceName" options="source-name">
<help short="Name of the Fusion source signal. Refer to Fusion alert rule template for supported values."/>
</arg>
<arg nullable="True" type="array<object>" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes" options="source-sub-types">
<help short="Configuration for all source subtypes under this source signal consumed in fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].enabled" options="enabled">
<help short="Determines whether this source subtype under source signal is enabled or disabled in Fusion detection."/>
</arg>
<arg type="object" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters" options="severity-filters">
<help short="Severity configuration for a source subtype consumed in fusion detection."/>
<arg nullable="True" type="array<object>" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters" options="filters">
<help short="Individual Severity configuration settings for a given source subtype consumed in Fusion detection."/>
<item type="object">
<arg type="boolean" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].enabled" options="enabled">
<help short="Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection."/>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].severity" options="severity">
<help short="The Severity for a given source subtype consumed in Fusion detection."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
</item>
</arg>
</arg>
<arg type="string" var="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].sourceSubTypeName" options="source-sub-type-name">
<help short="The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values."/>
</arg>
</item>
</arg>
</item>
</arg>
</arg>
<arg type="object" var="$alertRule.MLBehaviorAnalytics" options="ml-behavior-analytics" group="AlertRule">
<arg type="string" var="$alertRule.MLBehaviorAnalytics.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.MLBehaviorAnalytics.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
</arg>
<arg type="object" var="$alertRule.MicrosoftSecurityIncidentCreation" options="ms-security-incident" stage="Experimental" group="AlertRule">
<help short="Microsoft security incident creation."/>
<arg nullable="True" type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg nullable="True" type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesExcludeFilter" options="display-names-exclude-filter" group="Properties">
<help short="The alerts' displayNames for which cases will not be generated."/>
<item type="string"/>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesFilter" options="display-names-filter" group="Properties">
<help short="The alerts' displayNames for which cases will be generated."/>
<item type="string"/>
</arg>
<arg type="boolean" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg type="string" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.productFilter" options="product-filter" group="Properties">
<help short="The alerts' productName for which cases will be generated."/>
<enum>
<item name="Azure Active Directory Identity Protection" value=""Azure Active Directory Identity Protection""/>
<item name="Azure Advanced Threat Protection" value=""Azure Advanced Threat Protection""/>
<item name="Azure Security Center" value=""Azure Security Center""/>
<item name="Azure Security Center for IoT" value=""Azure Security Center for IoT""/>
<item name="Microsoft Cloud App Security" value=""Microsoft Cloud App Security""/>
<item name="Microsoft Defender Advanced Threat Protection" value=""Microsoft Defender Advanced Threat Protection""/>
<item name="Office 365 Advanced Threat Protection" value=""Office 365 Advanced Threat Protection""/>
</enum>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.MicrosoftSecurityIncidentCreation.properties.severitiesFilter" options="severities-filter" group="Properties">
<help short="The alerts' severities for which cases will be generated."/>
<item type="string">
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</item>
</arg>
</arg>
<arg type="object" var="$alertRule.NRT" options="nrt" group="AlertRule">
<arg nullable="True" type="@AlertDetailsOverride_update" var="$alertRule.NRT.properties.alertDetailsOverride" options="alert-details-override" group="Properties">
<help short="The alert details override settings"/>
</arg>
<arg nullable="True" type="string" var="$alertRule.NRT.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg nullable="True" type="object" var="$alertRule.NRT.properties.customDetails" options="custom-details" group="Properties">
<help short="Dictionary of string key-value pairs of columns to be attached to the alert"/>
<additionalProp>
<item type="string"/>
</additionalProp>
</arg>
<arg nullable="True" type="string" var="$alertRule.NRT.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg type="boolean" var="$alertRule.NRT.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg nullable="True" type="@EntityMappings_update" var="$alertRule.NRT.properties.entityMappings" options="entity-mappings" group="Properties">
<help short="Array of the entity mappings of the alert rule"/>
</arg>
<arg nullable="True" type="@IncidentConfiguration_update" var="$alertRule.NRT.properties.incidentConfiguration" options="incident-configuration" group="Properties">
<help short="The settings of the incidents that are created from alerts triggered by this analytics rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.query" options="query" group="Properties">
<help short="The query that creates alerts for this rule."/>
</arg>
<arg type="string" var="$alertRule.NRT.properties.severity" options="severity" group="Properties">
<help short="The severity for alerts created by this alert rule."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
<arg type="duration" var="$alertRule.NRT.properties.suppressionDuration" options="suppression-duration" group="Properties">
<help short="The suppression period (in ISO 8601 duration format) to wait since the last time this alert rule was triggered."/>
</arg>
<arg type="boolean" var="$alertRule.NRT.properties.suppressionEnabled" options="suppression-enabled" group="Properties">
<help short="Determines whether the suppression for this alert rule is enabled or disabled."/>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.NRT.properties.tactics" options="tactics" group="Properties">
<help short="The tactics of the alert rule"/>
<item type="string">
<enum>
<item name="Collection" value=""Collection""/>
<item name="CommandAndControl" value=""CommandAndControl""/>
<item name="CredentialAccess" value=""CredentialAccess""/>
<item name="DefenseEvasion" value=""DefenseEvasion""/>
<item name="Discovery" value=""Discovery""/>
<item name="Execution" value=""Execution""/>
<item name="Exfiltration" value=""Exfiltration""/>
<item name="Impact" value=""Impact""/>
<item name="ImpairProcessControl" value=""ImpairProcessControl""/>
<item name="InhibitResponseFunction" value=""InhibitResponseFunction""/>
<item name="InitialAccess" value=""InitialAccess""/>
<item name="LateralMovement" value=""LateralMovement""/>
<item name="Persistence" value=""Persistence""/>
<item name="PreAttack" value=""PreAttack""/>
<item name="PrivilegeEscalation" value=""PrivilegeEscalation""/>
<item name="Reconnaissance" value=""Reconnaissance""/>
<item name="ResourceDevelopment" value=""ResourceDevelopment""/>
</enum>
</item>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.NRT.properties.techniques" options="techniques" group="Properties">
<help short="The techniques of the alert rule"/>
<item type="string"/>
</arg>
<arg nullable="True" type="string" var="$alertRule.NRT.properties.templateVersion" options="template-version" group="Properties">
<help short="The version of the alert rule template used to create this rule, in the format a.b.c where a, b and c are numbers, for example 1.0.2."/>
</arg>
</arg>
<arg type="object" var="$alertRule.Scheduled" options="scheduled" group="AlertRule">
<arg nullable="True" type="object" var="$alertRule.Scheduled.properties.alertDetailsOverride" options="alert-details-override" group="Properties" cls="AlertDetailsOverride_update">
<help short="The alert details override settings"/>
<arg nullable="True" type="string" var="@AlertDetailsOverride_update.alertDescriptionFormat" options="alert-description-format">
<help short="The format containing column name(s) to override the alert description."/>
</arg>
<arg nullable="True" type="string" var="@AlertDetailsOverride_update.alertDisplayNameFormat" options="alert-display-name-format">
<help short="The format containing column name(s) to override the alert name."/>
</arg>
<arg nullable="True" type="string" var="@AlertDetailsOverride_update.alertSeverityColumnName" options="alert-severity-column-name">
<help short="The column name to take the alert severity from."/>
</arg>
<arg nullable="True" type="string" var="@AlertDetailsOverride_update.alertTacticsColumnName" options="alert-tactics-column-name">
<help short="The column name to take the alert tactics from."/>
</arg>
</arg>
<arg nullable="True" type="string" var="$alertRule.Scheduled.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg nullable="True" type="object" var="$alertRule.Scheduled.properties.customDetails" options="custom-details" group="Properties">
<help short="Dictionary of string key-value pairs of columns to be attached to the alert"/>
<additionalProp>
<item type="string"/>
</additionalProp>
</arg>
<arg nullable="True" type="string" var="$alertRule.Scheduled.properties.description" options="description" group="Properties">
<help short="The description of the alert rule."/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.displayName" options="display-name" group="Properties">
<help short="The display name for alerts created by this alert rule."/>
</arg>
<arg type="boolean" var="$alertRule.Scheduled.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
<arg nullable="True" type="array<object>" var="$alertRule.Scheduled.properties.entityMappings" options="entity-mappings" group="Properties" cls="EntityMappings_update">
<help short="Array of the entity mappings of the alert rule"/>
<item type="object">
<arg nullable="True" type="string" var="@EntityMappings_update[].entityType" options="entity-type">
<help short="The V3 type of the mapped entity"/>
<enum>
<item name="Account" value=""Account""/>
<item name="AzureResource" value=""AzureResource""/>
<item name="CloudApplication" value=""CloudApplication""/>
<item name="DNS" value=""DNS""/>
<item name="File" value=""File""/>
<item name="FileHash" value=""FileHash""/>
<item name="Host" value=""Host""/>
<item name="IP" value=""IP""/>
<item name="MailCluster" value=""MailCluster""/>
<item name="MailMessage" value=""MailMessage""/>
<item name="Mailbox" value=""Mailbox""/>
<item name="Malware" value=""Malware""/>
<item name="Process" value=""Process""/>
<item name="RegistryKey" value=""RegistryKey""/>
<item name="RegistryValue" value=""RegistryValue""/>
<item name="SecurityGroup" value=""SecurityGroup""/>
<item name="SubmissionMail" value=""SubmissionMail""/>
<item name="URL" value=""URL""/>
</enum>
</arg>
<arg nullable="True" type="array<object>" var="@EntityMappings_update[].fieldMappings" options="field-mappings">
<help short="Array of field mappings for the given entity mapping."/>
<item type="object">
<arg nullable="True" type="string" var="@EntityMappings_update[].fieldMappings[].columnName" options="column-name">
<help short="The column name to be mapped to the identifier."/>
</arg>
<arg nullable="True" type="string" var="@EntityMappings_update[].fieldMappings[].identifier" options="identifier">
<help short="The V3 identifier of the entity."/>
</arg>
</item>
</arg>
</item>
</arg>
<arg nullable="True" type="object" var="$alertRule.Scheduled.properties.eventGroupingSettings" options="event-grouping-settings" group="Properties">
<help short="The event grouping settings."/>
<arg nullable="True" type="string" var="$alertRule.Scheduled.properties.eventGroupingSettings.aggregationKind" options="aggregation-kind">
<help short="The event grouping aggregation kind."/>
<enum>
<item name="AlertPerResult" value=""AlertPerResult""/>
<item name="SingleAlert" value=""SingleAlert""/>
</enum>
</arg>
</arg>
<arg nullable="True" type="object" var="$alertRule.Scheduled.properties.incidentConfiguration" options="incident-configuration" group="Properties" cls="IncidentConfiguration_update">
<help short="The settings of the incidents that are created from alerts triggered by this analytics rule."/>
<arg type="boolean" var="@IncidentConfiguration_update.createIncident" options="create-incident">
<help short="Determines whether incidents are created from alerts triggered by this analytics rule."/>
</arg>
<arg nullable="True" type="object" var="@IncidentConfiguration_update.groupingConfiguration" options="grouping-configuration">
<help short="Set how the alerts that are triggered by this analytics rule are grouped into incidents."/>
<arg type="boolean" var="@IncidentConfiguration_update.groupingConfiguration.enabled" options="enabled">
<help short="Determines whether grouping is enabled."/>
</arg>
<arg nullable="True" type="array<string>" var="@IncidentConfiguration_update.groupingConfiguration.groupByAlertDetails" options="group-by-alert-details">
<help short="A list of alert details to group by (when matchingMethod is Selected)"/>
<item type="string">
<enum>
<item name="DisplayName" value=""DisplayName""/>
<item name="Severity" value=""Severity""/>
</enum>
</item>
</arg>
<arg nullable="True" type="array<string>" var="@IncidentConfiguration_update.groupingConfiguration.groupByCustomDetails" options="group-by-custom-details">
<help short="A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used."/>
<item type="string"/>
</arg>
<arg nullable="True" type="array<string>" var="@IncidentConfiguration_update.groupingConfiguration.groupByEntities" options="group-by-entities">
<help short="A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used."/>
<item type="string">
<enum>
<item name="Account" value=""Account""/>
<item name="AzureResource" value=""AzureResource""/>
<item name="CloudApplication" value=""CloudApplication""/>
<item name="DNS" value=""DNS""/>
<item name="File" value=""File""/>
<item name="FileHash" value=""FileHash""/>
<item name="Host" value=""Host""/>
<item name="IP" value=""IP""/>
<item name="MailCluster" value=""MailCluster""/>
<item name="MailMessage" value=""MailMessage""/>
<item name="Mailbox" value=""Mailbox""/>
<item name="Malware" value=""Malware""/>
<item name="Process" value=""Process""/>
<item name="RegistryKey" value=""RegistryKey""/>
<item name="RegistryValue" value=""RegistryValue""/>
<item name="SecurityGroup" value=""SecurityGroup""/>
<item name="SubmissionMail" value=""SubmissionMail""/>
<item name="URL" value=""URL""/>
</enum>
</item>
</arg>
<arg type="duration" var="@IncidentConfiguration_update.groupingConfiguration.lookbackDuration" options="lookback-duration">
<help short="Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)"/>
</arg>
<arg type="string" var="@IncidentConfiguration_update.groupingConfiguration.matchingMethod" options="matching-method">
<help short="Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty."/>
<enum>
<item name="AllEntities" value=""AllEntities""/>
<item name="AnyAlert" value=""AnyAlert""/>
<item name="Selected" value=""Selected""/>
</enum>
</arg>
<arg type="boolean" var="@IncidentConfiguration_update.groupingConfiguration.reopenClosedIncident" options="reopen-closed-incident">
<help short="Re-open closed matching incidents"/>
</arg>
</arg>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.query" options="query" group="Properties">
<help short="The query that creates alerts for this rule."/>
</arg>
<arg type="duration" var="$alertRule.Scheduled.properties.queryFrequency" options="query-frequency" group="Properties">
<help short="The frequency (in ISO 8601 duration format) for this alert rule to run."/>
</arg>
<arg type="duration" var="$alertRule.Scheduled.properties.queryPeriod" options="query-period" group="Properties">
<help short="The period (in ISO 8601 duration format) that this alert rule looks at."/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.severity" options="severity" group="Properties">
<help short="The severity for alerts created by this alert rule."/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
<arg type="duration" var="$alertRule.Scheduled.properties.suppressionDuration" options="suppression-duration" group="Properties">
<help short="The suppression (in ISO 8601 duration format) to wait since the last time this alert rule was triggered."/>
</arg>
<arg type="boolean" var="$alertRule.Scheduled.properties.suppressionEnabled" options="suppression-enabled" group="Properties">
<help short="Determines whether the suppression for this alert rule is enabled or disabled."/>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.Scheduled.properties.tactics" options="tactics" group="Properties">
<help short="The tactics of the alert rule"/>
<item type="string">
<enum>
<item name="Collection" value=""Collection""/>
<item name="CommandAndControl" value=""CommandAndControl""/>
<item name="CredentialAccess" value=""CredentialAccess""/>
<item name="DefenseEvasion" value=""DefenseEvasion""/>
<item name="Discovery" value=""Discovery""/>
<item name="Execution" value=""Execution""/>
<item name="Exfiltration" value=""Exfiltration""/>
<item name="Impact" value=""Impact""/>
<item name="ImpairProcessControl" value=""ImpairProcessControl""/>
<item name="InhibitResponseFunction" value=""InhibitResponseFunction""/>
<item name="InitialAccess" value=""InitialAccess""/>
<item name="LateralMovement" value=""LateralMovement""/>
<item name="Persistence" value=""Persistence""/>
<item name="PreAttack" value=""PreAttack""/>
<item name="PrivilegeEscalation" value=""PrivilegeEscalation""/>
<item name="Reconnaissance" value=""Reconnaissance""/>
<item name="ResourceDevelopment" value=""ResourceDevelopment""/>
</enum>
</item>
</arg>
<arg nullable="True" type="array<string>" var="$alertRule.Scheduled.properties.techniques" options="techniques" group="Properties">
<help short="The techniques of the alert rule"/>
<item type="string"/>
</arg>
<arg nullable="True" type="string" var="$alertRule.Scheduled.properties.templateVersion" options="template-version" group="Properties">
<help short="The version of the alert rule template used to create this rule - in format <a.b.c>, where all are numbers, for example 0 <1.0.2>"/>
</arg>
<arg type="string" var="$alertRule.Scheduled.properties.triggerOperator" options="trigger-operator" group="Properties">
<help short="The operation against the threshold that triggers the alert rule."/>
<enum>
<item name="Equal" value=""Equal""/>
<item name="GreaterThan" value=""GreaterThan""/>
<item name="LessThan" value=""LessThan""/>
<item name="NotEqual" value=""NotEqual""/>
</enum>
</arg>
<arg type="integer32" var="$alertRule.Scheduled.properties.triggerThreshold" options="trigger-threshold" group="Properties">
<help short="The threshold that triggers this alert rule."/>
</arg>
</arg>
<arg type="object" var="$alertRule.ThreatIntelligence" options="threat-intelligence" group="AlertRule">
<arg type="string" var="$alertRule.ThreatIntelligence.properties.alertRuleTemplateName" options="alert-rule-template-name" group="Properties">
<help short="The Name of the alert rule template used to create this rule."/>
</arg>
<arg type="boolean" var="$alertRule.ThreatIntelligence.properties.enabled" options="enabled" group="Properties">
<help short="Determines whether this alert rule is enabled or disabled."/>
</arg>
</arg>
<arg nullable="True" type="string" var="$alertRule.etag" options="etag" group="AlertRule">
<help short="Etag of the Azure resource"/>
</arg>
</argGroup>
<operation operationId="AlertRules_Get">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}">
<request method="get">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="ruleId" arg="$Path.ruleId" required="True"/>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
</request>
<response statusCode="200">
<body>
<json var="$Instance">
<schema type="object" cls="AlertRule_read">
<prop type="string" name="etag"/>
<prop readOnly="True" type="ResourceId" name="id">
<format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/alertRules/{}"/>
</prop>
<prop type="string" name="kind" required="True">
<enum>
<item value=""Fusion""/>
<item value=""MLBehaviorAnalytics""/>
<item value=""MicrosoftSecurityIncidentCreation""/>
<item value=""NRT""/>
<item value=""Scheduled""/>
<item value=""ThreatIntelligence""/>
</enum>
</prop>
<prop readOnly="True" type="string" name="name"/>
<prop readOnly="True" type="object" name="systemData">
<prop readOnly="True" type="dateTime" name="createdAt"/>
<prop readOnly="True" type="string" name="createdBy"/>
<prop readOnly="True" type="string" name="createdByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
<prop readOnly="True" type="string" name="lastModifiedBy"/>
<prop readOnly="True" type="string" name="lastModifiedByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
</prop>
<prop readOnly="True" type="string" name="type"/>
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="array<object>" name="scenarioExclusionPatterns">
<item type="object">
<prop type="string" name="dateAddedInUTC" required="True"/>
<prop type="string" name="exclusionPattern" required="True"/>
</item>
</prop>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="array<object>" name="sourceSettings">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="object" name="severityFilters" required="True">
<prop type="array<object>" name="filters">
<item type="object">
<prop type="boolean" name="enabled" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
</item>
</prop>
<prop readOnly="True" type="boolean" name="isSupported"/>
</prop>
<prop readOnly="True" type="string" name="sourceSubTypeDisplayName"/>
<prop type="string" name="sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName"/>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter">
<item type="string"/>
</prop>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<string>" name="severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<prop type="@AlertDetailsOverride_read" name="alertDetailsOverride"/>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="@EntityMappings_read" name="entityMappings"/>
<prop type="@IncidentConfiguration_read" name="incidentConfiguration"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
</prop>
</discriminator>
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<prop type="object" name="alertDetailsOverride" cls="AlertDetailsOverride_read">
<prop type="string" name="alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName"/>
</prop>
<prop type="string" name="alertRuleTemplateName"/>
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description"/>
<prop type="string" name="displayName" required="True"/>
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<object>" name="entityMappings" cls="EntityMappings_read">
<item type="object">
<prop type="string" name="entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings">
<item type="object">
<prop type="string" name="columnName"/>
<prop type="string" name="identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings">
<prop type="string" name="aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop type="object" name="incidentConfiguration" cls="IncidentConfiguration_read">
<prop type="boolean" name="createIncident" required="True"/>
<prop type="object" name="groupingConfiguration">
<prop type="boolean" name="enabled" required="True"/>
<prop type="array<string>" name="groupByAlertDetails">
<item type="string">
<enum>
<item value=""DisplayName""/>
<item value=""Severity""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="groupByCustomDetails">
<item type="string"/>
</prop>
<prop type="array<string>" name="groupByEntities">
<item type="string">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</item>
</prop>
<prop type="duration" name="lookbackDuration" required="True"/>
<prop type="string" name="matchingMethod" required="True">
<enum>
<item value=""AllEntities""/>
<item value=""AnyAlert""/>
<item value=""Selected""/>
</enum>
</prop>
<prop type="boolean" name="reopenClosedIncident" required="True"/>
</prop>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop type="string" name="query" required="True"/>
<prop type="duration" name="queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" required="True"/>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion"/>
<prop type="string" name="triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" required="True"/>
<prop readOnly="True" type="string" name="description"/>
<prop readOnly="True" type="string" name="displayName"/>
<prop type="boolean" name="enabled" required="True"/>
<prop readOnly="True" type="dateTime" name="lastModifiedUtc"/>
<prop readOnly="True" type="string" name="severity">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop readOnly="True" type="array<string>" name="tactics">
<item readOnly="True" type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop readOnly="True" type="array<string>" name="techniques">
<item readOnly="True" type="string"/>
</prop>
</prop>
</discriminator>
</schema>
</json>
</body>
</response>
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
<operation>
<instanceUpdate instance="$Instance">
<json>
<schema type="object" name="alertRule" required="True" clientFlatten="True">
<prop type="string" name="etag" arg="$alertRule.etag"/>
<prop type="string" name="kind" required="True">
<enum>
<item arg="$alertRule.Fusion" value=""Fusion""/>
<item arg="$alertRule.MLBehaviorAnalytics" value=""MLBehaviorAnalytics""/>
<item arg="$alertRule.MicrosoftSecurityIncidentCreation" value=""MicrosoftSecurityIncidentCreation""/>
<item arg="$alertRule.NRT" value=""NRT""/>
<item arg="$alertRule.Scheduled" value=""Scheduled""/>
<item arg="$alertRule.ThreatIntelligence" value=""ThreatIntelligence""/>
</enum>
</prop>
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.Fusion.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.enabled" required="True"/>
<prop type="array<object>" name="scenarioExclusionPatterns" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns">
<item type="object">
<prop type="string" name="dateAddedInUTC" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns[].dateAddedInUTC" required="True"/>
<prop type="string" name="exclusionPattern" arg="$alertRule.Fusion.properties.scenarioExclusionPatterns[].exclusionPattern" required="True"/>
</item>
</prop>
<prop type="array<object>" name="sourceSettings" arg="$alertRule.Fusion.properties.sourceSettings">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].enabled" required="True"/>
<prop type="string" name="sourceName" arg="$alertRule.Fusion.properties.sourceSettings[].sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].enabled" required="True"/>
<prop type="object" name="severityFilters" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters" required="True">
<prop type="array<object>" name="filters" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters">
<item type="object">
<prop type="boolean" name="enabled" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].enabled" required="True"/>
<prop type="string" name="severity" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[].severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
</item>
</prop>
</prop>
<prop type="string" name="sourceSubTypeName" arg="$alertRule.Fusion.properties.sourceSettings[].sourceSubTypes[].sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.MLBehaviorAnalytics.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.MLBehaviorAnalytics.properties.enabled" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.alertRuleTemplateName"/>
<prop type="string" name="description" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.displayNamesFilter">
<item type="string"/>
</prop>
<prop type="boolean" name="enabled" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.enabled" required="True"/>
<prop type="string" name="productFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<string>" name="severitiesFilter" arg="$alertRule.MicrosoftSecurityIncidentCreation.properties.severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<prop type="@AlertDetailsOverride_update" name="alertDetailsOverride" arg="$alertRule.NRT.properties.alertDetailsOverride"/>
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.NRT.properties.alertRuleTemplateName"/>
<prop type="object" name="customDetails" arg="$alertRule.NRT.properties.customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" arg="$alertRule.NRT.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.NRT.properties.displayName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.NRT.properties.enabled" required="True"/>
<prop type="@EntityMappings_update" name="entityMappings" arg="$alertRule.NRT.properties.entityMappings"/>
<prop type="@IncidentConfiguration_update" name="incidentConfiguration" arg="$alertRule.NRT.properties.incidentConfiguration"/>
<prop type="string" name="query" arg="$alertRule.NRT.properties.query" required="True"/>
<prop type="string" name="severity" arg="$alertRule.NRT.properties.severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" arg="$alertRule.NRT.properties.suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" arg="$alertRule.NRT.properties.suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics" arg="$alertRule.NRT.properties.tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques" arg="$alertRule.NRT.properties.techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion" arg="$alertRule.NRT.properties.templateVersion"/>
</prop>
</discriminator>
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<prop type="object" name="alertDetailsOverride" arg="$alertRule.Scheduled.properties.alertDetailsOverride" cls="AlertDetailsOverride_update">
<prop type="string" name="alertDescriptionFormat" arg="@AlertDetailsOverride_update.alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat" arg="@AlertDetailsOverride_update.alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName" arg="@AlertDetailsOverride_update.alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName" arg="@AlertDetailsOverride_update.alertTacticsColumnName"/>
</prop>
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.Scheduled.properties.alertRuleTemplateName"/>
<prop type="object" name="customDetails" arg="$alertRule.Scheduled.properties.customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" arg="$alertRule.Scheduled.properties.description"/>
<prop type="string" name="displayName" arg="$alertRule.Scheduled.properties.displayName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.Scheduled.properties.enabled" required="True"/>
<prop type="array<object>" name="entityMappings" arg="$alertRule.Scheduled.properties.entityMappings" cls="EntityMappings_update">
<item type="object">
<prop type="string" name="entityType" arg="@EntityMappings_update[].entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings" arg="@EntityMappings_update[].fieldMappings">
<item type="object">
<prop type="string" name="columnName" arg="@EntityMappings_update[].fieldMappings[].columnName"/>
<prop type="string" name="identifier" arg="@EntityMappings_update[].fieldMappings[].identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings" arg="$alertRule.Scheduled.properties.eventGroupingSettings">
<prop type="string" name="aggregationKind" arg="$alertRule.Scheduled.properties.eventGroupingSettings.aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop type="object" name="incidentConfiguration" arg="$alertRule.Scheduled.properties.incidentConfiguration" cls="IncidentConfiguration_update">
<prop type="boolean" name="createIncident" arg="@IncidentConfiguration_update.createIncident" required="True"/>
<prop type="object" name="groupingConfiguration" arg="@IncidentConfiguration_update.groupingConfiguration">
<prop type="boolean" name="enabled" arg="@IncidentConfiguration_update.groupingConfiguration.enabled" required="True"/>
<prop type="array<string>" name="groupByAlertDetails" arg="@IncidentConfiguration_update.groupingConfiguration.groupByAlertDetails">
<item type="string">
<enum>
<item value=""DisplayName""/>
<item value=""Severity""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="groupByCustomDetails" arg="@IncidentConfiguration_update.groupingConfiguration.groupByCustomDetails">
<item type="string"/>
</prop>
<prop type="array<string>" name="groupByEntities" arg="@IncidentConfiguration_update.groupingConfiguration.groupByEntities">
<item type="string">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</item>
</prop>
<prop type="duration" name="lookbackDuration" arg="@IncidentConfiguration_update.groupingConfiguration.lookbackDuration" required="True"/>
<prop type="string" name="matchingMethod" arg="@IncidentConfiguration_update.groupingConfiguration.matchingMethod" required="True">
<enum>
<item value=""AllEntities""/>
<item value=""AnyAlert""/>
<item value=""Selected""/>
</enum>
</prop>
<prop type="boolean" name="reopenClosedIncident" arg="@IncidentConfiguration_update.groupingConfiguration.reopenClosedIncident" required="True"/>
</prop>
</prop>
<prop type="string" name="query" arg="$alertRule.Scheduled.properties.query" required="True"/>
<prop type="duration" name="queryFrequency" arg="$alertRule.Scheduled.properties.queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" arg="$alertRule.Scheduled.properties.queryPeriod" required="True"/>
<prop type="string" name="severity" arg="$alertRule.Scheduled.properties.severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="duration" name="suppressionDuration" arg="$alertRule.Scheduled.properties.suppressionDuration" required="True"/>
<prop type="boolean" name="suppressionEnabled" arg="$alertRule.Scheduled.properties.suppressionEnabled" required="True"/>
<prop type="array<string>" name="tactics" arg="$alertRule.Scheduled.properties.tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques" arg="$alertRule.Scheduled.properties.techniques">
<item type="string"/>
</prop>
<prop type="string" name="templateVersion" arg="$alertRule.Scheduled.properties.templateVersion"/>
<prop type="string" name="triggerOperator" arg="$alertRule.Scheduled.properties.triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" arg="$alertRule.Scheduled.properties.triggerThreshold" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="string" name="alertRuleTemplateName" arg="$alertRule.ThreatIntelligence.properties.alertRuleTemplateName" required="True"/>
<prop type="boolean" name="enabled" arg="$alertRule.ThreatIntelligence.properties.enabled" required="True"/>
</prop>
</discriminator>
</schema>
</json>
</instanceUpdate>
</operation>
<operation operationId="AlertRules_CreateOrUpdate">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}">
<request method="put">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="ruleId" arg="$Path.ruleId" required="True"/>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
<body>
<json ref="$Instance"/>
</body>
</request>
<response statusCode="200 201">
<body>
<json var="$Instance">
<schema type="@AlertRule_read"/>
</json>
</body>
</response>
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
<output type="object" ref="$Instance" clientFlatten="True"/>
</command>
</commandGroup>
</CodeGen>