Feature/alshulma/update stable version (Azure#8884)

* Update stable version

* Some updates

* Another change

* Remove objects

* Removed IncidentConfiguration

* Fix issues

* revert preview

* Add objects

* Add Entity

* Add more

* EntityCommonProperties

* Changes

* prettier

* Remove

* Make pretty

* Remove unneeded definitions

* Update incidents definition and examples

* Update CreateOfficeDataConnetor.json

delete read only from data connector examples

* Update CreateOfficeDataConnetor.json

Delete read only from data connector create

* Update CreateFusionAlertRule.json

Change "true" to true

* Update CreateBookmark.json

remove type, name, id since are read only

* Update CreateActionOfAlertRule.json

remove name, id and type from example since are read only

* Update CreateBookmark.json

delete read only email and names

* Update CreateBookmark.json

remove ,

* Update operationId of GET on a single incident comment

Co-authored-by: Mark Cowlishaw <[email protected]>

* Update SecurityInsights.json

Add "description": "OK, Operation successfully completed",

* Update SecurityInsights.json

Remove redundant ,

* Fixed Analytics issues + CloudError from common

* More fixes to the Analytics sections

* fixed AlertRuleKind after referencing to it - changed to string

* fix incorrect hierarchy in MicrosoftSecurityIncidentCreationAlertRuleTemplate

* extracted MicrosoftSecurityIncidentCreationAlertRuleTemplateCommonProperties to a separate object definition

* extracted MicrosoftSecurityProductName to enum

* Update SecurityInsights.json

"discriminator": "kind", in AlertRuleKind and DataConnectorKind

* Update SecurityInsights.json

Kind discriminator required

* remove discriminator and required from enum - it is set on the using definitions

* Revert "remove discriminator and required from enum - it is set on the using definitions"

This reverts commit c24e7d0.

Revert "extracted MicrosoftSecurityProductName to enum"

This reverts commit 2389fc9.

Revert "extracted MicrosoftSecurityIncidentCreationAlertRuleTemplateCommonProperties to a separate object definition"

This reverts commit 7228009.

Revert "fix incorrect hierarchy in MicrosoftSecurityIncidentCreationAlertRuleTemplate"

This reverts commit dbf12a9.

revert 03ace77

revert 1cc27d5

Revert "Fixed Analytics issues + CloudError from common"

This reverts commit 39bffde.

Revert Analytics Changes

* revert the discriminator kind change

* Revert "revert the discriminator kind change"

This reverts commit abee5fb.

* Revert "Revert "remove discriminator and required from enum - it is set on the using definitions""

This reverts commit 81054a9.

* Update SecurityInsights.json

add "format": "int32" to integer types

* DataConnectorKind to enum

Change DataConnectorKind to enum and fix DataConnector to use it in the property

* SettingsKind to enum

Change SettingsKind to enum and use in the Settings properties.

* Remove double allOff in connectors

* Fix connectors inner properties

* fix scheduled alert rule template properties

* fixed nested all of issue in analytic rules templates

* Fix inner allof in connectors properties

Co-authored-by: Itai Yankelevsky <[email protected]>
Co-authored-by: ofshomro <[email protected]>
Co-authored-by: ityankel <[email protected]>
Co-authored-by: Mark Cowlishaw <[email protected]>
Co-authored-by: Laith Hisham <[email protected]>
Co-authored-by: Ofir Shomron <[email protected]>

Author: 6 people

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json

@@ -8,9 +8,6 @@
     "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
     "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
     "action": {
-      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
-      "name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
-      "type": "Microsoft.SecurityInsights/alertRules/actions",
       "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
       "properties": {
         "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json

@@ -0,0 +1,45 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+        "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+        "kind": "Scheduled",
+        "properties": {
+          "severity": "Low",
+          "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+          "queryFrequency": "P1D",
+          "queryPeriod": "P1D",
+          "triggerOperator": "GreaterThan",
+          "triggerThreshold": 0,
+          "displayName": "Changes to Amazon VPC settings",
+          "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+          "tactics": [
+            "PrivilegeEscalation",
+            "LateralMovement"
+          ],
+          "createdDateUTC": "2019-02-27T00:00:00Z",
+          "status": "Available",
+          "requiredDataConnectors": [
+            {
+              "connectorId": "AWS",
+              "dataTypes": [
+                "AWSCloudTrail"
+              ]
+            }
+          ],
+          "alertRulesCreatedByTemplateCount": 0
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json

@@ -0,0 +1,82 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Scheduled",
+            "properties": {
+              "severity": "Low",
+              "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n    or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
+              "queryFrequency": "P1D",
+              "queryPeriod": "P1D",
+              "triggerOperator": "GreaterThan",
+              "triggerThreshold": 0,
+              "displayName": "Changes to Amazon VPC settings",
+              "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
+              "tactics": [
+                "PrivilegeEscalation",
+                "LateralMovement"
+              ],
+              "createdDateUTC": "2019-02-27T00:00:00Z",
+              "status": "Available",
+              "requiredDataConnectors": [
+                {
+                  "connectorId": "AWS",
+                  "dataTypes": [
+                    "AWSCloudTrail"
+                  ]
+                }
+              ],
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "Fusion",
+            "properties": {
+              "displayName": "Advanced Multi-Stage Attack Detection",
+              "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
+              "tactics": [
+                "Persistence",
+                "LateralMovement",
+                "Exfiltration",
+                "CommandAndControl"
+              ],
+              "createdDateUTC": "2019-07-25T00:00:00Z",
+              "status": "Available",
+              "severity": "High",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
+            "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+            "kind": "MicrosoftSecurityIncidentCreation",
+            "properties": {
+              "productFilter": "Microsoft Cloud App Security",
+              "displayName": "Create incidents based on Microsoft Cloud App Security alerts",
+              "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+              "createdDateUTC": "2019-07-16T00:00:00Z",
+              "status": "Available",
+              "alertRulesCreatedByTemplateCount": 0
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json

@@ -10,7 +10,7 @@
       "kind": "Fusion",
       "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
       "properties": {
-        "enabled": "true",
+        "enabled": true,
         "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
       }
     }

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json

@@ -0,0 +1,93 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "bookmark": {
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "displayName": "My bookmark",
+        "createdBy": {
+          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+        },
+        "updatedBy": {
+          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+        },
+        "updated": "2019-01-01T13:15:30Z",
+        "created": "2019-01-01T13:15:30Z",
+        "notes": "Found a suspicious activity",
+        "labels": [
+          "Tag1",
+          "Tag2"
+        ],
+        "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+        "queryResult": "Security Event query result"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/bookmarks",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "displayName": "My bookmark",
+          "createdBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updatedBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updated": "2019-01-01T13:15:30Z",
+          "created": "2019-01-01T13:15:30Z",
+          "notes": "Found a suspicious activity",
+          "labels": [
+            "Tag1",
+            "Tag2"
+          ],
+          "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+          "queryResult": "Security Event query result"
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/bookmarks",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "displayName": "My bookmark",
+          "createdBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updatedBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updated": "2019-01-01T13:15:30Z",
+          "created": "2019-01-01T13:15:30Z",
+          "notes": "Found a suspicious activity",
+          "labels": [
+            "Tag1",
+            "Tag2"
+          ],
+          "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+          "queryResult": "Security Event query result"
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/bookmarks/CreateBookmark.json

@@ -0,0 +1,14 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/bookmarks/DeleteBookmark.json

@@ -0,0 +1,48 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/bookmarks",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "displayName": "My bookmark",
+          "createdBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updatedBy": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "[email protected]",
+            "name": "john doe"
+          },
+          "updated": "2019-01-01T13:15:30Z",
+          "created": "2019-01-01T13:15:30Z",
+          "notes": "Found a suspicious activity",
+          "labels": [
+            "Tag1",
+            "Tag2"
+          ],
+          "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+          "queryResult": "Security Event query result",
+          "incidentInfo": {
+            "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D",
+            "severity": "Low",
+            "title": "New case 1",
+            "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
+          }
+        }
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/bookmarks/GetBookmarkById.json

@@ -0,0 +1,51 @@
+{
+  "parameters": {
+    "api-version": "2020-01-01",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+            "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+            "type": "Microsoft.SecurityInsights/bookmarks",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "displayName": "My bookmark",
+              "createdBy": {
+                "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+                "email": "[email protected]",
+                "name": "john doe"
+              },
+              "updatedBy": {
+                "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+                "email": "[email protected]",
+                "name": "john doe"
+              },
+              "updated": "2019-01-01T13:15:30Z",
+              "created": "2019-01-01T13:15:30Z",
+              "notes": "Found a suspicious activity",
+              "labels": [
+                "Tag1",
+                "Tag2"
+              ],
+              "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+              "queryResult": "Security Event query result",
+              "incidentInfo": {
+                "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D",
+                "severity": "Low",
+                "title": "New case 1",
+                "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/bookmarks/GetBookmarks.json

@@ -7,9 +7,6 @@
     "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
     "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
     "dataConnector": {
-      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
-      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
-      "type": "Microsoft.SecurityInsights/dataConnectors",
       "kind": "Office365",
       "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
       "properties": {