Support for other rule types #12
Comments
Can we perhaps agree on some sort of documented format on how to store these as YAML?
Definitely. I will create some extensive YAML files that we can use for validation purposes

The first two examples
Basically we should implement a 1:1 version of the ARM template converted to YAML with the following changes:

Microsoft.SecurityInsights alertRules Scheduled

```yaml
alertDetailsOverride:
  alertDescriptionFormat: string
  alertDisplayNameFormat: string
  alertDynamicProperties:
    - alertProperty: string
      value: string
  alertSeverityColumnName: string
  alertTacticsColumnName: string
id: string
customDetails: {}
description: string
name: string
enabled: bool
entityMappings:
  - entityType: string
    fieldMappings:
      - columnName: string
        identifier: string
eventGroupingSettings:
  aggregationKind: string
incidentConfiguration:
  createIncident: bool
  groupingConfiguration:
    enabled: bool
    groupByAlertDetails:
      - string
    groupByCustomDetails:
      - string
    groupByEntities:
      - string
    lookbackDuration: string
    matchingMethod: string
    reopenClosedIncident: bool
query: string
queryFrequency: string
queryPeriod: string
sentinelEntitiesMappings:
  - columnName: string
severity: string
suppressionDuration: string
suppressionEnabled: bool
tactics:
  - string
relevantTechniques:
  - string
version: string
triggerOperator: string
triggerThreshold: int
```
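As an added example (not code from this project or from the commenter above), here is a validator for a rule written in the Scheduled layout proposed in that comment, together with the conversion back to the ARM `alertRules` resource. The type table and required-field set are assumptions taken from that schema; the renames it applies (`name` to `displayName`, `relevantTechniques` to `techniques`, `version` to `templateVersion`) follow the Azure-Sentinel detection YAML convention and are assumed to be the "changes" the comment refers to; the resource type, `name` expression and `apiVersion` it emits are likewise assumptions for illustration. The sample rule is constructed, and because YAML 1.2 is a superset of JSON it loads identically with `yaml.safe_load`; `json` is used so the example runs with the standard library alone.

```python
"""Validate a Sentinel Scheduled rule in the proposed YAML layout and emit the ARM resource.
Added example, not the project's code. Field renames, required set and ARM details are assumptions."""
import json
import re

# Expected Python type of each top-level key in the proposed Scheduled schema.
SCHEDULED_FIELDS = {
    "id": str, "name": str, "description": str, "enabled": bool,
    "query": str, "queryFrequency": str, "queryPeriod": str,
    "severity": str, "suppressionDuration": str, "suppressionEnabled": bool,
    "tactics": list, "relevantTechniques": list, "version": str,
    "triggerOperator": str, "triggerThreshold": int,
    "customDetails": dict, "entityMappings": list, "sentinelEntitiesMappings": list,
    "eventGroupingSettings": dict, "incidentConfiguration": dict,
    "alertDetailsOverride": dict,
}
# Keys without which a Scheduled rule cannot be deployed (assumption for this example).
REQUIRED = {"name", "query", "queryFrequency", "queryPeriod", "severity",
            "triggerOperator", "triggerThreshold", "enabled"}
# Sentinel durations are ISO 8601 (PT5M, PT1H, P1D, P1DT12H); "1h" or "5 minutes" are rejected.
ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TRIGGER_OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}


def validate_scheduled(rule):
    """Return a list of human-readable problems; an empty list means the rule is valid."""
    errors = [f"missing required field: {k}" for k in sorted(REQUIRED - set(rule))]
    for key, value in rule.items():
        expected = SCHEDULED_FIELDS.get(key)
        if expected is None:
            errors.append(f"unknown field: {key}")
        # bool is a subclass of int, so `triggerThreshold: true` must be caught explicitly.
        elif isinstance(value, bool) and expected is not bool:
            errors.append(f"{key}: expected {expected.__name__}, got bool")
        elif not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    for key in ("queryFrequency", "queryPeriod", "suppressionDuration"):
        value = rule.get(key)
        if isinstance(value, str) and not ISO_DURATION.match(value):
            errors.append(f"{key}: not an ISO 8601 duration: {value!r}")
    if "severity" in rule and rule["severity"] not in SEVERITIES:
        errors.append(f"severity: must be one of {sorted(SEVERITIES)}")
    if "triggerOperator" in rule and rule["triggerOperator"] not in TRIGGER_OPERATORS:
        errors.append(f"triggerOperator: must be one of {sorted(TRIGGER_OPERATORS)}")
    mappings = rule.get("entityMappings")
    if isinstance(mappings, list):
        for mapping in mappings:
            if (not isinstance(mapping, dict) or "entityType" not in mapping
                    or not isinstance(mapping.get("fieldMappings"), list)):
                errors.append("entityMappings: each item needs entityType and a fieldMappings list")
                continue
            for fm in mapping["fieldMappings"]:
                if not isinstance(fm, dict) or {"columnName", "identifier"} - set(fm):
                    errors.append("entityMappings.fieldMappings: each item needs columnName and identifier")
    return errors


def to_arm_resource(rule, workspace_param="workspace"):
    """Build the ARM resource for a validated rule. Renames follow the Azure-Sentinel
    detection YAML convention; type, name expression and apiVersion are assumptions."""
    problems = validate_scheduled(rule)
    if problems:
        raise ValueError("; ".join(problems))
    properties = {k: v for k, v in rule.items()
                  if k not in ("id", "name", "version", "relevantTechniques")}
    properties["displayName"] = rule["name"]
    if "relevantTechniques" in rule:
        properties["techniques"] = rule["relevantTechniques"]
    if "version" in rule:
        properties["templateVersion"] = rule["version"]
    return {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "apiVersion": "2022-11-01",
        "name": f"[concat(parameters('{workspace_param}'),"
                f"'/Microsoft.SecurityInsights/{rule.get('id', '')}')]",
        "kind": "Scheduled",
        "properties": properties,
    }


# Constructed sample rule (placeholder id) in the proposed layout; valid YAML as well as JSON.
SAMPLE_RULE = json.loads("""
{
  "id": "00000000-0000-0000-0000-000000000001",
  "name": "Password spray against SigninLogs (example)",
  "description": "Many distinct accounts failing with a wrong password from one IP.",
  "enabled": true,
  "severity": "Medium",
  "query": "SigninLogs | where ResultType == 50126 | summarize Accounts=dcount(UserPrincipalName) by IPAddress | where Accounts > 10",
  "queryFrequency": "PT1H",
  "queryPeriod": "PT1H",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT5H",
  "suppressionEnabled": false,
  "tactics": ["CredentialAccess"],
  "relevantTechniques": ["T1110"],
  "version": "1.0.0",
  "customDetails": {"Accounts": "Accounts"},
  "entityMappings": [{"entityType": "IP", "fieldMappings": [{"columnName": "IPAddress", "identifier": "Address"}]}],
  "incidentConfiguration": {"createIncident": true, "groupingConfiguration": {"enabled": true,
      "lookbackDuration": "PT5H", "matchingMethod": "AllEntities", "reopenClosedIncident": false}}
}
""")

if __name__ == "__main__":
    print(validate_scheduled(SAMPLE_RULE))
    print(json.dumps(to_arm_resource(SAMPLE_RULE), indent=2))
```

The checks worth keeping even if the rest is swapped for a JSON Schema are the ISO 8601 duration pattern and the bool-versus-int distinction: a YAML loader happily returns `True` for `triggerThreshold: true`, and an ARM deployment only fails much later with a far less helpful message.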
Summary of the new feature / enhancement
Add support for
- [ ] Fusion
- [ ] NRT
- [ ] ML
- [ ] Threat Intelligence
- [ ] Microsoft Security
Proposed technical implementation details (optional)
Based on YAML or ARM template rule detection
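As an added example (not the project's code), the rule-kind detection the proposal above depends on, for both input formats. On the ARM side the resource carries an explicit `kind`; the YAML layout proposed in this issue has no such key, so the example falls back to a fingerprint of the keys present. The fingerprints are assumptions derived from the per-kind property sets of the `Microsoft.SecurityInsights/alertRules` ARM schemas (only `MicrosoftSecurityIncidentCreation` has `productFilter`, only `Scheduled` has the frequency/period/trigger keys, `NRT` has a `query` but no schedule), and the sample documents are constructed with placeholder GUIDs.

```python
"""Detect the Sentinel analytic rule kind from an ARM template or a YAML rule document.
Added example, not the project's code; fingerprints are assumptions from the ARM schemas."""
import json

# ARM `kind` values of Microsoft.SecurityInsights/alertRules that the issue asks to support.
KNOWN_KINDS = {"Scheduled", "NRT", "Fusion", "MLBehaviorAnalytics",
               "ThreatIntelligence", "MicrosoftSecurityIncidentCreation"}
SCHEDULING_KEYS = {"queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold"}


def detect_arm_kind(template):
    """Return the kind of the first alertRules resource in an ARM template, or None when
    there is no such resource or its kind is not one we know how to convert."""
    for resource in template.get("resources", []):
        # Sentinel exports use Microsoft.OperationalInsights/workspaces/providers/alertRules;
        # a direct Microsoft.SecurityInsights/alertRules resource ends the same way.
        if str(resource.get("type", "")).endswith("/alertRules"):
            kind = resource.get("kind")
            return kind if kind in KNOWN_KINDS else None
    return None


def detect_yaml_kind(rule):
    """Infer the kind of a YAML rule document (already loaded to a dict).
    An explicit `kind` key wins; otherwise the keys present are used as a fingerprint.
    Returns None when the document is ambiguous."""
    if rule.get("kind") in KNOWN_KINDS:
        return rule["kind"]
    keys = set(rule)
    if "productFilter" in keys:          # only the Microsoft Security incident rule filters by product
        return "MicrosoftSecurityIncidentCreation"
    if SCHEDULING_KEYS <= keys:          # a KQL rule with a schedule and a threshold
        return "Scheduled"
    if "query" in keys and not (SCHEDULING_KEYS & keys):   # KQL rule with no schedule at all
        return "NRT"
    # Fusion, MLBehaviorAnalytics and ThreatIntelligence rules all carry only
    # alertRuleTemplateName and enabled, so keys alone cannot separate them.
    return None


# Constructed samples (JSON text, which is also valid YAML; parsed with json to stay stdlib-only).
SAMPLE_ARM = json.loads("""
{"resources": [{
  "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
  "kind": "NRT",
  "properties": {"displayName": "NRT example", "enabled": true,
                 "query": "SecurityEvent | where EventID == 4625", "severity": "Low"}}]}
""")
SAMPLE_SCHEDULED = json.loads("""
{"name": "Scheduled example", "enabled": true, "severity": "Medium",
 "query": "SigninLogs | where ResultType == 50126",
 "queryFrequency": "PT1H", "queryPeriod": "PT1H",
 "triggerOperator": "GreaterThan", "triggerThreshold": 0}
""")
SAMPLE_MS_SECURITY = json.loads("""
{"name": "Defender for Cloud incidents", "enabled": true,
 "productFilter": "Azure Security Center", "severitiesFilter": ["High", "Medium"]}
""")
SAMPLE_TEMPLATE_BASED = json.loads("""
{"alertRuleTemplateName": "00000000-0000-0000-0000-000000000002", "enabled": true}
""")

if __name__ == "__main__":
    print("ARM:", detect_arm_kind(SAMPLE_ARM))
    for doc in (SAMPLE_SCHEDULED, SAMPLE_MS_SECURITY, SAMPLE_TEMPLATE_BASED):
        print("YAML:", detect_yaml_kind(doc))
```

The `None` for the template-based sample is the practical finding: if Fusion, ML and Threat Intelligence rules are to round-trip through YAML, the YAML layout needs an explicit `kind` key (as the Azure-Sentinel detection YAML already has), because a converter cannot recover the kind from the other fields.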