[Hub Generated] Public private branch 'Azure-SecurityInsights-New-Pre…

…view' (Azure#14753) * Add 'Resource' definition in common types * Export incidents resource to new preview API version * New version for incidents and updated examples - team colaboration * Extract alertRules and alertRuleTemplates endpoints and their related parameters and definition from 2019-01-01-preview/SecurityInsights.json * New version for alert rules and updated examples - custom details, entity mappings and new incident grouping configuration * Fix readme * mark triggerUri secret * Fix linting errors Co-authored-by: Dor Siso <[email protected]> Co-authored-by: Anat Gilenson <[email protected]> Co-authored-by: Anat Gilenson <[email protected]>
asager · Jun 24, 2021 · 5105730 · 5105730
1 parent a49c5da
commit 5105730
Show file tree

Hide file tree

Showing 33 changed files with 7,758 additions and 0 deletions.
diff --git a/...ts/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json b/...ts/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json
diff --git a/...hts/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json b/...hts/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json
diff --git a/...SecurityInsights/preview/2021-03-01-preview/examples/actions/CreateActionOfAlertRule.json b/...SecurityInsights/preview/2021-03-01-preview/examples/actions/CreateActionOfAlertRule.json
@@ -0,0 +1,44 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+    "action": {
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
+        "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}
diff --git a/...SecurityInsights/preview/2021-03-01-preview/examples/actions/DeleteActionOfAlertRule.json b/...SecurityInsights/preview/2021-03-01-preview/examples/actions/DeleteActionOfAlertRule.json
@@ -0,0 +1,15 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}
diff --git a/...ecurityInsights/preview/2021-03-01-preview/examples/actions/GetActionOfAlertRuleById.json b/...ecurityInsights/preview/2021-03-01-preview/examples/actions/GetActionOfAlertRuleById.json
@@ -0,0 +1,25 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}
diff --git a/...ecurityInsights/preview/2021-03-01-preview/examples/actions/GetAllActionsByAlertRule.json b/...ecurityInsights/preview/2021-03-01-preview/examples/actions/GetAllActionsByAlertRule.json
@@ -0,0 +1,28 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "type": "Microsoft.SecurityInsights/alertRules/actions",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+              "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+            }
+          }
+        ]
+      }
+    }
+  }
+}
diff --git a/...ghts/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/...ghts/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -0,0 +1,49 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+        "kind": "Scheduled",
+        "properties": {
+          "severity": "Low",
+          "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+          "queryFrequency": "P1D",
+          "queryPeriod": "P1D",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "displayName": "Changes to Amazon VPC settings",
+          "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+          "eventGroupingSettings": {
+            "aggregationKind": "AlertPerResult"
+          },
+          "tactics": [
+            "PrivilegeEscalation",
+            "LateralMovement"
+          ],
+          "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+          "createdDateUTC": "2019-02-27T00:00:00Z",
+          "status": "Available",
+          "requiredDataConnectors": [
+            {
+              "connectorId": "AWS",
+              "dataTypes": [
+                "AWSCloudTrail"
+              ]
+            }
+          ],
+          "alertRulesCreatedByTemplateCount": 0
+        }
+      }
+    }
+  }
+}
diff --git a/...nsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/...nsights/preview/2021-03-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json
@@ -0,0 +1,85 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Scheduled",
+            "properties": {
+              "severity": "Low",
+              "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+              "queryFrequency": "P1D",
+              "queryPeriod": "P1D",
+              "triggerOperator": "GreaterThan",
+              "triggerThreshold": 0,
+              "displayName": "Changes to Amazon VPC settings",
+              "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+              "tactics": [
+                "PrivilegeEscalation",
+                "LateralMovement"
+              ],
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-02-27T00:00:00Z",
+              "status": "Available",
+              "requiredDataConnectors": [
+                {
+                  "connectorId": "AWS",
+                  "dataTypes": [
+                    "AWSCloudTrail"
+                  ]
+                }
+              ],
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Fusion",
+            "properties": {
+              "displayName": "Advanced Multi-Stage Attack Detection",
+              "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
+              "tactics": [
+                "Persistence",
+                "LateralMovement",
+                "Exfiltration",
+                "CommandAndControl"
+              ],
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-07-25T00:00:00Z",
+              "status": "Available",
+              "severity": "High",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "MicrosoftSecurityIncidentCreation",
+            "properties": {
+              "productFilter": "Microsoft Cloud App Security",
+              "displayName": "Create incidents based on Microsoft Cloud App Security alerts",
+              "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+              "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
+              "createdDateUTC": "2019-07-16T00:00:00Z",
+              "status": "Available",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          }
+        ]
+      }
+    }
+  }
+}
diff --git a/...ecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateFusionAlertRule.json b/...ecurityInsights/preview/2021-03-01-preview/examples/alertRules/CreateFusionAlertRule.json
@@ -0,0 +1,66 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "myFirstFusionRule",
+    "alertRule": {
+      "kind": "Fusion",
+      "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
+      "properties": {
+        "enabled": true,
+        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    }
+  }
+}
diff --git a/...1-03-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/...1-03-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json
@@ -0,0 +1,59 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "microsoftSecurityIncidentCreationRuleExample",
+    "alertRule": {
+      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+      "kind": "MicrosoftSecurityIncidentCreation",
+      "properties": {
+        "productFilter": "Microsoft Cloud App Security",
+        "displayName": "testing displayname",
+        "enabled": true
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    }
+  }
+}