Create or Update Fusion Alert Rule
Description
    Create or update a Fusion alert rule in Microsoft Azure Sentinel, including subscription, resource group, workspace details, and rule ID.

Endpoint URL
    /subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}

Method
    PUT

Inputs
    path_parameters (object) – required
        subscriptionId (string) – required: The ID of the target subscription.
        resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
        workspaceName (string) – required: The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
        ruleId (string) – required: Alert rule ID.
    parameters (object) – required
        api-version (string) – required: The API version to use for this operation.
    json_body (object) – required
        kind (string): The alert rule kind.
        etag (string): Etag of the Azure resource.
        properties (object) – required
            enabled (boolean) – required: Determines whether this alert rule is enabled or disabled.
            alertRuleTemplateName (string) – required: The name of the alert rule template used to create this rule.

Output Example
    [
      {
        "status_code": 200,
        "response_headers": {},
        "reason": "OK",
        "json_body": {
          "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
          "name": "myFirstFusionRule",
          "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
          "type": "Microsoft.SecurityInsights/alertRules",
          "kind": "Fusion",
          "properties": {
            "displayName": "Advanced Multi-Stage Attack Detection",
            "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned on by default in Azure Sentinel. \n\nFor Fusion to work, please configure the following data sources in Data Connectors tab: \nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/sentinelfusion",
            "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
            "tactics": [
              "Persistence",
              "LateralMovement",
              "Exfiltration",
              "CommandAndControl"
            ],
            "severity": "High",
            "enabled": true,
            "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
          }
        }
      }
    ]

Output Parameters
    status_code (number)
    reason (string)
    json_body (object)
        id (string)
        name (string)
        etag (string)
        type (string)
        kind (string)
        properties (object)
            displayName (string)
            description (string)
            alertRuleTemplateName (string)
            tactics (array)
            severity (string)
            enabled (boolean)
            lastModifiedUtc (string)
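As an added example (not part of this connector's own code), the following Python builds the PUT request this action issues and picks the fields worth checking out of the documented response shape; it enforces the workspaceName pattern and percent-encodes every path segment before the URL is assembled. The ARM host, the function names and the api-version placeholder are assumptions; the sample identifiers are the ones from the output example above.

```python
import re
from urllib.parse import quote, urlencode

WORKSPACE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")  # pattern documented for workspaceName

ARM_HOST = "https://management.azure.com"  # assumption: the action targets Azure Resource Manager
PATH_TEMPLATE = (
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
    "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
    "/providers/Microsoft.SecurityInsights/alertRules/{ruleId}"
)


def build_fusion_rule_request(subscription_id, resource_group, workspace, rule_id,
                              api_version, template_name, enabled=True, etag=None):
    """Return (method, url, json_body) for the PUT described above.
    Rejects a workspaceName that fails the documented pattern before anything is sent,
    and percent-encodes path segments so a caller-supplied value cannot alter the path."""
    if not WORKSPACE_NAME_RE.match(workspace):
        raise ValueError(f"workspaceName {workspace!r} does not match {WORKSPACE_NAME_RE.pattern}")
    path = PATH_TEMPLATE.format(
        subscriptionId=quote(subscription_id, safe=""),
        resourceGroupName=quote(resource_group, safe=""),
        workspaceName=quote(workspace, safe=""),
        ruleId=quote(rule_id, safe=""),
    )
    url = f"{ARM_HOST}{path}?{urlencode({'api-version': api_version})}"
    body = {
        "kind": "Fusion",
        "properties": {"enabled": bool(enabled), "alertRuleTemplateName": template_name},
    }
    if etag:
        body["etag"] = etag  # send the etag last read so a concurrent edit is not silently overwritten
    return "PUT", url, body


def summarize_response(response):
    """Extract the fields worth checking from the output shape documented above."""
    if response["status_code"] not in (200, 201):  # 200 shown on the page; 201 on create is an assumption
        raise RuntimeError(f"unexpected status {response['status_code']}: {response.get('reason')}")
    rule = response["json_body"]
    props = rule["properties"]
    return {
        "name": rule["name"],
        "kind": rule["kind"],
        "enabled": props["enabled"],
        "severity": props["severity"],
        "tactics": list(props["tactics"]),
    }
```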