<?xml version='1.0' encoding='utf-8'?>
<CodeGen plane="mgmt-plane">
<!-- CodeGen resource spec for the "sentinel alert-rule template" command group (mgmt-plane, api-version 2022-06-01-preview).
     The only command defined here is "list", backed by the AlertRuleTemplates_List operation.
     The swagger attribute on <resource> is the base64-encoded Microsoft.SecurityInsights path this spec was derived from
     ("/subscriptions/{subscriptionId}/resourceGroups/..." + version "2022-06-01-preview"); presumably the file is
     regenerated from that swagger, so hand edits may not survive - confirm with the generator workflow before editing. -->
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertruletemplates" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlVGVtcGxhdGVz/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<commandGroup name="sentinel alert-rule template">
<command name="list" version="2022-06-01-preview">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertruletemplates" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvYWxlcnRSdWxlVGVtcGxhdGVz/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<!-- Command arguments. resource-group (-g) and subscription use the built-in arg types; workspace-name (-w) is still
     marked Experimental and carries the same 1..90 length bounds as the workspaceName path parameter below. -->
<argGroup name="">
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True"/>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<operation operationId="AlertRuleTemplates_List">
<http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates">
<request method="get">
<path>
<param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
<format maxLength="90" minLength="1"/>
</param>
<param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
<format minLength="1"/>
</param>
<param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
<format maxLength="90" minLength="1"/>
</param>
</path>
<query>
<!-- api-version is a fixed, read-only query constant. Values in <default> and <enum> throughout this file are written
     with doubled quotes (""..."") - apparently the JSON-encoded string literal form; keep that form when editing. -->
<const readOnly="True" const="True" type="string" name="api-version" required="True">
<default value=""2022-06-01-preview""/>
<format minLength="1"/>
</const>
</query>
</request>
<!-- Success response: a paged list (value + nextLink). Each item is one alert rule template; its "kind" is the
     discriminator, and the <discriminator> blocks below define the per-kind "properties" payload, which is flattened
     into the item (clientFlatten). -->
<response statusCode="200">
<body>
<json var="$Instance">
<schema type="object">
<prop readOnly="True" type="string" name="nextLink"/>
<prop type="array<object>" name="value" required="True">
<item type="object">
<prop readOnly="True" type="ResourceId" name="id">
<format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{}"/>
</prop>
<prop type="string" name="kind" required="True">
<enum>
<item value=""Fusion""/>
<item value=""MLBehaviorAnalytics""/>
<item value=""MicrosoftSecurityIncidentCreation""/>
<item value=""NRT""/>
<item value=""Scheduled""/>
<item value=""ThreatIntelligence""/>
</enum>
</prop>
<prop readOnly="True" type="string" name="name"/>
<!-- Read-only audit metadata: who/what created and last modified the resource, with the principal type of each. -->
<prop readOnly="True" type="object" name="systemData">
<prop readOnly="True" type="dateTime" name="createdAt"/>
<prop readOnly="True" type="string" name="createdBy"/>
<prop readOnly="True" type="string" name="createdByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
<prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
<prop readOnly="True" type="string" name="lastModifiedBy"/>
<prop readOnly="True" type="string" name="lastModifiedByType">
<enum>
<item value=""Application""/>
<item value=""Key""/>
<item value=""ManagedIdentity""/>
<item value=""User""/>
</enum>
</prop>
</prop>
<prop readOnly="True" type="string" name="type"/>
<!-- Per-kind payloads. Fields shared by most kinds: alertRulesCreatedByTemplateCount, description, displayName,
     requiredDataConnectors, severity, status, tactics/techniques, and read-only createdDateUTC/lastUpdatedDateUTC.
     The "tactics" enums are MITRE ATT&CK tactic names (enterprise tactics plus the ICS tactics ImpairProcessControl
     and InhibitResponseFunction); "techniques" is a free-form string list. -->
<discriminator property="kind" value="Fusion">
<prop type="object" name="properties" clientFlatten="True">
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<prop readOnly="True" type="dateTime" name="createdDateUTC"/>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<!-- @AlertRuleTemplateDataSource_read is declared once (cls=...) under the MLBehaviorAnalytics discriminator below and
     reused by reference here and in the other kinds. -->
<prop type="array<@AlertRuleTemplateDataSource_read>" name="requiredDataConnectors">
<item type="@AlertRuleTemplateDataSource_read"/>
</prop>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<!-- Fusion-only: the source/sub-type matrix the template correlates over, each sub-type with its own severity filter. -->
<prop type="array<object>" name="sourceSettings">
<item type="object">
<prop type="string" name="sourceName" required="True"/>
<prop type="array<object>" name="sourceSubTypes">
<item type="object">
<prop type="object" name="severityFilter" required="True">
<prop type="boolean" name="isSupported" required="True"/>
<prop type="array<string>" name="severityFilters">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
</prop>
<prop readOnly="True" type="string" name="sourceSubTypeDisplayName"/>
<prop type="string" name="sourceSubTypeName" required="True"/>
</item>
</prop>
</item>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
</prop>
</discriminator>
<discriminator property="kind" value="MLBehaviorAnalytics">
<prop type="object" name="properties" clientFlatten="True">
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<prop readOnly="True" type="dateTime" name="createdDateUTC"/>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<!-- Single declaration of the AlertRuleTemplateDataSource_read class (connectorId + dataTypes); every other kind
     references it as @AlertRuleTemplateDataSource_read. -->
<prop type="array<object>" name="requiredDataConnectors">
<item type="object" cls="AlertRuleTemplateDataSource_read">
<prop type="string" name="connectorId"/>
<prop type="array<string>" name="dataTypes">
<item type="string"/>
</prop>
</item>
</prop>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
</prop>
</discriminator>
<!-- Incident-creation templates filter on the originating Microsoft security product rather than running a query:
     productFilter plus optional displayNames*/severitiesFilter narrow which product alerts become incidents. -->
<discriminator property="kind" value="MicrosoftSecurityIncidentCreation">
<prop type="object" name="properties" clientFlatten="True">
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<!-- NOTE(review): createdDateUTC is required="True" only in this kind; every other kind leaves it optional. Likely a
     swagger inconsistency rather than intent - confirm before relying on it. -->
<prop readOnly="True" type="dateTime" name="createdDateUTC" required="True"/>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<prop type="array<string>" name="displayNamesExcludeFilter">
<item type="string"/>
</prop>
<prop type="array<string>" name="displayNamesFilter">
<item type="string"/>
</prop>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<prop type="string" name="productFilter" required="True">
<enum>
<item value=""Azure Active Directory Identity Protection""/>
<item value=""Azure Advanced Threat Protection""/>
<item value=""Azure Security Center""/>
<item value=""Azure Security Center for IoT""/>
<item value=""Microsoft Cloud App Security""/>
<item value=""Microsoft Defender Advanced Threat Protection""/>
<item value=""Office 365 Advanced Threat Protection""/>
</enum>
</prop>
<prop type="array<@AlertRuleTemplateDataSource_read>" name="requiredDataConnectors">
<item type="@AlertRuleTemplateDataSource_read"/>
</prop>
<prop type="array<string>" name="severitiesFilter">
<item type="string">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</item>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
</prop>
</discriminator>
<!-- NRT (near-real-time) templates carry a query but no queryFrequency/queryPeriod/trigger settings (contrast Scheduled). -->
<discriminator property="kind" value="NRT">
<prop type="object" name="properties" clientFlatten="True">
<!-- Forward references: AlertDetailsOverride_read and EntityMappings_read are declared (cls=...) under the Scheduled
     discriminator below. -->
<prop type="@AlertDetailsOverride_read" name="alertDetailsOverride"/>
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<prop readOnly="True" type="dateTime" name="createdDateUTC"/>
<!-- Free-form string-to-string map (additionalProperties). -->
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<prop type="@EntityMappings_read" name="entityMappings"/>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<!-- The template's detection query text (presumably KQL - not stated in this spec). -->
<prop type="string" name="query" required="True"/>
<prop type="array<@AlertRuleTemplateDataSource_read>" name="requiredDataConnectors">
<item type="@AlertRuleTemplateDataSource_read"/>
</prop>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<prop type="string" name="version" required="True"/>
</prop>
</discriminator>
<!-- Scheduled templates: the richest shape. Declares the AlertDetailsOverride_read and EntityMappings_read classes
     (referenced by the NRT kind above) and adds query scheduling and trigger fields. -->
<discriminator property="kind" value="Scheduled">
<prop type="object" name="properties" clientFlatten="True">
<!-- Column names / format strings used to override alert fields from query results. -->
<prop type="object" name="alertDetailsOverride" cls="AlertDetailsOverride_read">
<prop type="string" name="alertDescriptionFormat"/>
<prop type="string" name="alertDisplayNameFormat"/>
<prop type="string" name="alertSeverityColumnName"/>
<prop type="string" name="alertTacticsColumnName"/>
</prop>
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<prop readOnly="True" type="dateTime" name="createdDateUTC"/>
<!-- Free-form string-to-string map (additionalProperties). -->
<prop type="object" name="customDetails">
<additionalProp>
<item type="string"/>
</additionalProp>
</prop>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<!-- Maps query result columns onto Sentinel entity types via identifier/columnName pairs. -->
<prop type="array<object>" name="entityMappings" cls="EntityMappings_read">
<item type="object">
<prop type="string" name="entityType">
<enum>
<item value=""Account""/>
<item value=""AzureResource""/>
<item value=""CloudApplication""/>
<item value=""DNS""/>
<item value=""File""/>
<item value=""FileHash""/>
<item value=""Host""/>
<item value=""IP""/>
<item value=""MailCluster""/>
<item value=""MailMessage""/>
<item value=""Mailbox""/>
<item value=""Malware""/>
<item value=""Process""/>
<item value=""RegistryKey""/>
<item value=""RegistryValue""/>
<item value=""SecurityGroup""/>
<item value=""SubmissionMail""/>
<item value=""URL""/>
</enum>
</prop>
<prop type="array<object>" name="fieldMappings">
<item type="object">
<prop type="string" name="columnName"/>
<prop type="string" name="identifier"/>
</item>
</prop>
</item>
</prop>
<prop type="object" name="eventGroupingSettings">
<prop type="string" name="aggregationKind">
<enum>
<item value=""AlertPerResult""/>
<item value=""SingleAlert""/>
</enum>
</prop>
</prop>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<!-- The template's detection query text (presumably KQL - not stated in this spec). -->
<prop type="string" name="query" required="True"/>
<!-- Duration-typed: how often the query runs and how far back each run looks. -->
<prop type="duration" name="queryFrequency" required="True"/>
<prop type="duration" name="queryPeriod" required="True"/>
<prop type="array<@AlertRuleTemplateDataSource_read>" name="requiredDataConnectors">
<item type="@AlertRuleTemplateDataSource_read"/>
</prop>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
<!-- Trigger condition: operator applied against triggerThreshold (presumably on the query's result count - confirm
     against the service documentation). -->
<prop type="string" name="triggerOperator" required="True">
<enum>
<item value=""Equal""/>
<item value=""GreaterThan""/>
<item value=""LessThan""/>
<item value=""NotEqual""/>
</enum>
</prop>
<prop type="integer32" name="triggerThreshold" required="True"/>
<prop type="string" name="version" required="True"/>
</prop>
</discriminator>
<discriminator property="kind" value="ThreatIntelligence">
<prop type="object" name="properties" clientFlatten="True">
<prop type="integer32" name="alertRulesCreatedByTemplateCount" required="True"/>
<prop readOnly="True" type="dateTime" name="createdDateUTC"/>
<prop type="string" name="description" required="True"/>
<prop type="string" name="displayName" required="True"/>
<prop readOnly="True" type="dateTime" name="lastUpdatedDateUTC"/>
<prop type="array<@AlertRuleTemplateDataSource_read>" name="requiredDataConnectors">
<item type="@AlertRuleTemplateDataSource_read"/>
</prop>
<prop type="string" name="severity" required="True">
<enum>
<item value=""High""/>
<item value=""Informational""/>
<item value=""Low""/>
<item value=""Medium""/>
</enum>
</prop>
<prop type="string" name="status" required="True">
<enum>
<item value=""Available""/>
<item value=""Installed""/>
<item value=""NotAvailable""/>
</enum>
</prop>
<prop type="array<string>" name="tactics">
<item type="string">
<enum>
<item value=""Collection""/>
<item value=""CommandAndControl""/>
<item value=""CredentialAccess""/>
<item value=""DefenseEvasion""/>
<item value=""Discovery""/>
<item value=""Execution""/>
<item value=""Exfiltration""/>
<item value=""Impact""/>
<item value=""ImpairProcessControl""/>
<item value=""InhibitResponseFunction""/>
<item value=""InitialAccess""/>
<item value=""LateralMovement""/>
<item value=""Persistence""/>
<item value=""PreAttack""/>
<item value=""PrivilegeEscalation""/>
<item value=""Reconnaissance""/>
<item value=""ResourceDevelopment""/>
</enum>
</item>
</prop>
<prop type="array<string>" name="techniques">
<item type="string"/>
</prop>
</prop>
</discriminator>
</item>
</prop>
</schema>
</json>
</body>
</response>
<!-- Any non-200 status is an error; the body uses the shared @ODataV4Format class, which is declared outside this file. -->
<response isError="True">
<body>
<json>
<schema type="@ODataV4Format"/>
</json>
</body>
</response>
</http>
</operation>
<!-- Command output is the flattened "value" array; nextLink drives pagination across pages of templates. -->
<output type="array" ref="$Instance.value" clientFlatten="True" nextLink="$Instance.nextLink"/>
</command>
</commandGroup>
</CodeGen>