Add the stable api version of Azure Sentinel api (#8146)

* Add the stable api version of Azure Sentinel api

    stable\2020-01-01

* Add kind as required

* Resolve  Avocado and Semantic check errors

* Edit readme.md

* Change readme.md

* make prettier

* Add default response for operations

* Change version in examples

* Fix version

* Change version

* Add AlertRuleTemplateDataSource and remove tactics

* Fix examples

* change description

* Changed {operationalInsightsResourceProvider} to Microsoft.OperationalInsights

* remove OperationalInsightsResourceProvider

* supress R2059

* Changed name

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json

@@ -0,0 +1,47 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+    "action": {
+      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+      "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+      "type": "Microsoft.SecurityInsights/alertRules/actions",
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
+        "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json

@@ -0,0 +1,15 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json

@@ -0,0 +1,25 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+        "type": "Microsoft.SecurityInsights/alertRules/actions",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+          "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json

@@ -0,0 +1,28 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
+            "type": "Microsoft.SecurityInsights/alertRules/actions",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "workflowId": "cd3765391efd48549fd7681ded1d48d7",
+              "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json

@@ -0,0 +1,66 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "myFirstFusionRule",
+    "alertRule": {
+      "kind": "Fusion",
+      "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
+      "properties": {
+        "enabled": "true",
+        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
+        "name": "myFirstFusionRule",
+        "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Fusion",
+        "properties": {
+          "displayName": "Advanced Multi-Stage Attack Detection",
+          "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
+          "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+          "tactics": [
+            "Persistence",
+            "LateralMovement",
+            "Exfiltration",
+            "CommandAndControl"
+          ],
+          "severity": "High",
+          "enabled": true,
+          "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json

@@ -0,0 +1,59 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "microsoftSecurityIncidentCreationRuleExample",
+    "alertRule": {
+      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+      "kind": "MicrosoftSecurityIncidentCreation",
+      "properties": {
+        "productFilter": "Microsoft Cloud App Security",
+        "displayName": "testing displayname",
+        "enabled": true
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
+        "name": "microsoftSecurityIncidentCreationRuleExample",
+        "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "MicrosoftSecurityIncidentCreation",
+        "properties": {
+          "productFilter": "Microsoft Cloud App Security",
+          "severitiesFilter": null,
+          "displayNamesFilter": null,
+          "displayName": "testing displayname",
+          "enabled": true,
+          "description": null,
+          "alertRuleTemplateName": null,
+          "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json

@@ -0,0 +1,89 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "alertRule": {
+      "kind": "Scheduled",
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "displayName": "Rule2",
+        "description": "",
+        "severity": "High",
+        "enabled": true,
+        "tactics": [
+          "Persistence",
+          "LateralMovement"
+        ],
+        "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "P2DT1H30M",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Scheduled",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "alertRuleTemplateName": null,
+          "displayName": "Rule2",
+          "description": "",
+          "severity": "High",
+          "enabled": true,
+          "tactics": [
+            "Persistence",
+            "LateralMovement"
+          ],
+          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "queryFrequency": "PT1H",
+          "queryPeriod": "P2DT1H30M",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "suppressionDuration": "PT1H",
+          "suppressionEnabled": false,
+          "lastModifiedUtc": "2019-01-01T13:15:30Z"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/alertRules",
+        "kind": "Scheduled",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "alertRuleTemplateName": null,
+          "displayName": "Rule2",
+          "description": "",
+          "severity": "High",
+          "enabled": true,
+          "tactics": [
+            "Persistence",
+            "LateralMovement"
+          ],
+          "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
+          "queryFrequency": "PT1H",
+          "queryPeriod": "P2DT1H30M",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "suppressionDuration": "PT1H",
+          "suppressionEnabled": false,
+          "lastModifiedUtc": "2019-01-01T13:15:30Z"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json

@@ -0,0 +1,14 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}