Create or Update Scheduled Alert Rule
Description

Create or update a Scheduled alert rule in Microsoft Azure Sentinel, given the subscription, resource group, workspace and rule ID. Because the request is a PUT to a specific ruleId, an existing rule with that ID is replaced by the supplied body; a new ID creates a rule.

Endpoint URL

/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}

Method

PUT

Inputs

Path parameters (object) – required
  subscriptionId (string) – required: The ID of the target subscription.
  resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
  workspaceName (string) – required: The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
  ruleId (string) – required: Alert rule ID.

Parameters (object) – required
  api-version (string) – required: The API version to use for this operation.

JSON body (object) – required
  kind (string): The alert rule kind ("Scheduled" for this action).
  etag (string): Etag of the Azure resource.
  properties (object) – required
    alertRuleTemplateName (string): The name of the alert rule template used to create this rule.
    displayName (string) – required: The display name for alerts created by this alert rule.
    description (string): The description of the alert rule.
    severity (string) – required: The severity for alerts created by this alert rule.
    enabled (boolean) – required: Determines whether this alert rule is enabled or disabled.
    tactics (array): The tactics of the alert rule.
    techniques (array): The techniques of the alert rule.
    templateVersion (string): The version of the alert rule template used to create this rule, in format <a.b.c>, where all are numbers, for example 0 <1.0.2>.
    query (string) – required: The query that creates alerts for this rule.
    queryFrequency (string) – required: The frequency (in ISO 8601 duration format) for this alert rule to run.
    queryPeriod (string) – required: The period (in ISO 8601 duration format) that this alert rule looks at.
    triggerOperator (string) – required: The operation against the threshold that triggers the alert rule.
    triggerThreshold (number) – required: The threshold that triggers this alert rule.
    suppressionDuration (string) – required: The suppression (in ISO 8601 duration format) to wait since the last time this alert rule was triggered.
    suppressionEnabled (boolean) – required: Determines whether suppression for this alert rule is enabled or disabled.
    eventGroupingSettings (object): The event grouping settings.
      aggregationKind (string): The event grouping aggregation kind.
    customDetails (object): Dictionary of string key-value pairs of columns to be attached to the alert.
    entityMappings (array): Array of the entity mappings of the alert rule.
      entityType (string): The V3 type of the mapped entity.
      fieldMappings (array): Array of field mappings for the given entity mapping.
        identifier (string): The V3 identifier of the entity.
        columnName (string): The column name to be mapped to the identifier.
    alertDetailsOverride (object): The alert details override settings.
      alertDisplayNameFormat (string): The format containing column name(s) to override the alert name.
      alertDescriptionFormat (string): The format containing column name(s) to override the alert description.
      alertDynamicProperties (array): List of additional dynamic properties to override.
        alertProperty (string)
        value (string)
      alertSeverityColumnName (string): The column name to take the alert severity from.
      alertTacticsColumnName (string): The column name to take the alert tactics from.
    incidentConfiguration (object): The settings of the incidents created from alerts triggered by this analytics rule.
      createIncident (boolean): Create incidents from alerts triggered by this analytics rule.
      groupingConfiguration (object): Sets how the alerts triggered by this analytics rule are grouped into incidents.
        enabled (boolean): Grouping enabled.
        reopenClosedIncident (boolean): Re-open closed matching incidents.
        lookbackDuration (string): Limit the group to alerts created within the lookback duration (in ISO 8601 duration format).
        matchingMethod (string): Grouping matching method. When the method is "Selected", at least one of groupByEntities, groupByAlertDetails and groupByCustomDetails must be provided and not empty.
        groupByEntities (array): A list of entity types to group by (when matchingMethod is "Selected"). Only entities defined in the current alert rule may be used.
        groupByAlertDetails (array): A list of alert details to group by (when matchingMethod is "Selected").
        groupByCustomDetails (array): A list of custom details keys to group by (when matchingMethod is "Selected"). Only keys defined in the current alert rule may be used.

Output example

    [
      {
        "status_code": 200,
        "response_headers": {},
        "reason": "OK",
        "json_body": {
          "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
          "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
          "type": "Microsoft.SecurityInsights/alertRules",
          "kind": "Scheduled",
          "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
          "properties": {
            "alertRuleTemplateName": null,
            "displayName": "My scheduled rule",
            "description": "An example for a scheduled rule",
            "severity": "High",
            "enabled": true,
            "tactics": [
              "Persistence"
            ],
            "query": "Heartbeat",
            "queryFrequency": "PT1H",
            "queryPeriod": "P2DT1H30M",
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "suppressionDuration": "PT1H",
            "suppressionEnabled": false,
            "lastModifiedUtc": "2021-03-01T13:17:30Z",
            "eventGroupingSettings": {
              "aggregationKind": "AlertPerResult"
            },
            "customDetails": {
              "OperatingSystemName": "OSName"
            },
            "entityMappings": [
              {
                "entityType": "IP",
                "fieldMappings": [
                  {
                    "identifier": "Address",
                    "columnName": "ComputerIP"
                  }
                ]
              }
            ],
            "alertDetailsOverride": {
              "alertDisplayNameFormat": "Alert from {{Computer}}",
              "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
              "alertDynamicProperties": [
                {
                  "alertProperty": "AlertLink",
                  "value": "Link"
                }
              ]
            },
            "incidentConfiguration": {
              "createIncident": true,
              "groupingConfiguration": {
                "enabled": true,
                "reopenClosedIncident": false,
                "lookbackDuration": "PT5H",
                "matchingMethod": "Selected",
                "groupByEntities": [
                  "Host"
                ],
                "groupByAlertDetails": [
                  "DisplayName"
                ]
              }
            }
          }
        }
      }
    ]

Output parameters

status_code (number)
reason (string)
json_body (object)
  id (string)
  name (string)
  type (string)
  kind (string)
  etag (string)
  properties (object)
    alertRuleTemplateName (string, null in the example)
    displayName (string)
    description (string)
    severity (string)
    enabled (boolean)
    tactics (array)
    query (string)
    queryFrequency (string)
    queryPeriod (string)
    triggerOperator (string)
    triggerThreshold (number)
    suppressionDuration (string)
    suppressionEnabled (boolean)
    lastModifiedUtc (string)
    eventGroupingSettings (object)
      aggregationKind (string)
    customDetails (object)
      OperatingSystemName (string)
    entityMappings (array)
      entityType (string)
      fieldMappings (array)
        identifier (string)
        columnName (string)
    alertDetailsOverride (object)
      alertDisplayNameFormat (string)
      alertDescriptionFormat (string)
      alertDynamicProperties (array)
        alertProperty (string)
        value (string)
    incidentConfiguration (object)
      createIncident (boolean)
      groupingConfiguration (object)
        enabled (boolean)
        reopenClosedIncident (boolean)
        lookbackDuration (string)
        matchingMethod (string)
        groupByEntities (array)
        groupByAlertDetails (array)
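The following is an added example, not code from the connector page or from Microsoft; it assembles the PUT request this action sends and checks the body against the constraints the page states (workspace name pattern, ISO 8601 durations, the matchingMethod "Selected" rule, and that groupByEntities and groupByCustomDetails only reference mappings and keys the rule itself defines) before anything goes over the wire. The field names are the Azure REST field names listed above. The subscription, resource group, workspace and rule ID at the bottom are placeholders, the rule body is constructed for illustration (it groups by IP, the entity it maps, rather than by Host as the page's output example does), and the use of the etag as an If-Match header for a conditional update is an assumption about the Azure API, not something the page documents.

```python
"""Build and validate a Scheduled alert rule PUT for the endpoint above."""
import json
import os
import re
import urllib.request

# Workspace name pattern from the page: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
# ISO 8601 duration in the day/time form the page's examples use (PT1H, P2DT1H30M, PT5H)
ISO_DURATION_RE = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")
REQUIRED = ("displayName", "severity", "enabled", "query", "queryFrequency",
            "queryPeriod", "triggerOperator", "triggerThreshold",
            "suppressionDuration", "suppressionEnabled")
DURATIONS = ("queryFrequency", "queryPeriod", "suppressionDuration")


def rule_url(subscription_id, resource_group, workspace, rule_id, api_version="2023-02-01"):
    """Assemble the endpoint URL from the four path parameters plus api-version."""
    if not WORKSPACE_RE.match(workspace):
        raise ValueError(f"workspaceName {workspace!r} does not match the required pattern")
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}"
            f"?api-version={api_version}")


def validate_properties(props):
    """Return a list of violations of the constraints the page documents (empty = OK)."""
    errors = [f"missing required property {k}" for k in REQUIRED if k not in props]
    for key in DURATIONS:
        value = props.get(key)
        if isinstance(value, str) and not ISO_DURATION_RE.match(value):
            errors.append(f"{key} {value!r} is not an ISO 8601 duration")
    grouping = (props.get("incidentConfiguration") or {}).get("groupingConfiguration") or {}
    if grouping.get("matchingMethod") == "Selected":
        by_entities = grouping.get("groupByEntities") or []
        by_details = grouping.get("groupByAlertDetails") or []
        by_custom = grouping.get("groupByCustomDetails") or []
        if not (by_entities or by_details or by_custom):
            errors.append("matchingMethod Selected needs a non-empty groupBy* list")
        # Only entity types this rule maps, and custom-detail keys this rule
        # defines, may be used as grouping keys.
        mapped = {m.get("entityType") for m in props.get("entityMappings") or []}
        for entity in by_entities:
            if entity not in mapped:
                errors.append(f"groupByEntities references unmapped entity {entity}")
        for key in by_custom:
            if key not in (props.get("customDetails") or {}):
                errors.append(f"groupByCustomDetails references undefined key {key}")
    return errors


def build_request(subscription_id, resource_group, workspace, rule_id, props, etag=None):
    """Return method, URL, headers and JSON body for the PUT; raise if the body is invalid."""
    errors = validate_properties(props)
    if errors:
        raise ValueError("; ".join(errors))
    body = {"kind": "Scheduled", "properties": props}
    headers = {"Content-Type": "application/json"}
    if etag:  # assumption: etag + If-Match makes the update conditional on the known revision
        body["etag"] = etag
        headers["If-Match"] = etag
    return {"method": "PUT", "url": rule_url(subscription_id, resource_group, workspace, rule_id),
            "headers": headers, "body": body}


SAMPLE_PROPS = {  # constructed sample rule, modelled on the page's output example
    "displayName": "Heartbeat from unexpected host",
    "description": "Example scheduled rule",
    "severity": "High", "enabled": True, "tactics": ["Persistence"],
    "query": "Heartbeat | where Computer !startswith 'corp-'",
    "queryFrequency": "PT1H", "queryPeriod": "P2DT1H30M",
    "triggerOperator": "GreaterThan", "triggerThreshold": 0,
    "suppressionDuration": "PT1H", "suppressionEnabled": False,
    "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
    "customDetails": {"OperatingSystemName": "OSName"},
    "entityMappings": [{"entityType": "IP",
                        "fieldMappings": [{"identifier": "Address", "columnName": "ComputerIP"}]}],
    "incidentConfiguration": {"createIncident": True, "groupingConfiguration": {
        "enabled": True, "reopenClosedIncident": False, "lookbackDuration": "PT5H",
        "matchingMethod": "Selected", "groupByEntities": ["IP"],
        "groupByCustomDetails": ["OperatingSystemName"]}},
}

if __name__ == "__main__":
    # Placeholder identifiers. Sending for real needs AZURE_TOKEN set to a bearer
    # token for https://management.azure.com/ and genuine subscription/workspace values.
    req = build_request("00000000-0000-0000-0000-000000000000", "myRg", "myWorkspace",
                        "11111111-1111-1111-1111-111111111111", SAMPLE_PROPS)
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
    token = os.environ.get("AZURE_TOKEN")
    if token:
        http = urllib.request.Request(req["url"], data=json.dumps(req["body"]).encode(), method="PUT",
                                      headers={**req["headers"], "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(http) as resp:
            print(resp.status, resp.read()[:200])
```

Run it without AZURE_TOKEN to see the exact URL and body the action will send; the validation errors are the ones the service would otherwise reject with a 400, so catching them locally keeps a bad grouping configuration from silently breaking incident creation for the rule.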