diff --git a/src/securityinsight/HISTORY.rst b/src/securityinsight/HISTORY.rst
new file mode 100644
index 00000000000..1c139576ba0
--- /dev/null
+++ b/src/securityinsight/HISTORY.rst
@@ -0,0 +1,8 @@
+.. :changelog:
+
+Release History
+===============
+
+0.1.0
+++++++
+* Initial release.
diff --git a/src/securityinsight/README.md b/src/securityinsight/README.md
new file mode 100644
index 00000000000..90913a91f07
--- /dev/null
+++ b/src/securityinsight/README.md
@@ -0,0 +1,184 @@
+# Azure CLI sentinel Extension #
+This is the extension for sentinel
+
+### How to use ###
+Install this extension using the below CLI command
+```
+az extension add --name sentinel
+```
+
+### Included Features ###
+#### sentinel alert-rule ####
+##### Create #####
+```
+az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+ --logic-app-resource-id "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \
+ --trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" \
+ --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \
+ --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+ --workspace-name "myWorkspace"
+```
+##### List #####
+```
+az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Get-action #####
+```
+az sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \
+ --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+```
+##### Delete #####
+```
+az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \
+ --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+```
+#### sentinel action ####
+##### List #####
+```
+az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+ --workspace-name "myWorkspace"
+```
+#### sentinel alert-rule-template ####
+##### List #####
+```
+az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" \
+ --resource-group "myRg" --workspace-name "myWorkspace"
+```
+#### sentinel bookmark ####
+##### Create #####
+```
+az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created "2019-01-01T13:15:30Z" \
+ --display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious activity" \
+ --query "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" \
+ --query-result "Security Event query result" --updated "2019-01-01T13:15:30Z" \
+ --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### List #####
+```
+az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Delete #####
+```
+az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+#### sentinel data-connector ####
+##### Create #####
+```
+az sentinel data-connector create \
+ --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" \
+ --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### List #####
+```
+az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Delete #####
+```
+az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+#### sentinel incident ####
+##### Create #####
+```
+az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+ --description "This is a demo incident" --classification "FalsePositive" \
+ --classification-comment "Not a malicious activity" --classification-reason "IncorrectAlertLogic" \
+ --first-activity-time-utc "2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \
+ --owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity "High" --status "Closed" --title "My incident" \
+ --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### List #####
+```
+az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+##### Delete #####
+```
+az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
+#### sentinel incident-comment ####
+##### Create #####
+```
+az sentinel incident-comment create --message "Some message" \
+ --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+ --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Show #####
+```
+az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" \
+ --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### List #####
+```
+az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+ --workspace-name "myWorkspace"
+```
\ No newline at end of file
diff --git a/src/securityinsight/azext_sentinel/__init__.py b/src/securityinsight/azext_sentinel/__init__.py
new file mode 100644
index 00000000000..cba11ad4731
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/__init__.py
@@ -0,0 +1,50 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+from azure.cli.core import AzCommandsLoader
+from azext_sentinel.generated._help import helps # pylint: disable=unused-import
+try:
+ from azext_sentinel.manual._help import helps # pylint: disable=reimported
+except ImportError:
+ pass
+
+
+class SecurityInsightsCommandsLoader(AzCommandsLoader):
+
+ def __init__(self, cli_ctx=None):
+ from azure.cli.core.commands import CliCommandType
+ from azext_sentinel.generated._client_factory import cf_sentinel_cl
+ sentinel_custom = CliCommandType(
+ operations_tmpl='azext_sentinel.custom#{}',
+ client_factory=cf_sentinel_cl)
+ parent = super(SecurityInsightsCommandsLoader, self)
+ parent.__init__(cli_ctx=cli_ctx, custom_command_type=sentinel_custom)
+
+ def load_command_table(self, args):
+ from azext_sentinel.generated.commands import load_command_table
+ load_command_table(self, args)
+ try:
+ from azext_sentinel.manual.commands import load_command_table as load_command_table_manual
+ load_command_table_manual(self, args)
+ except ImportError:
+ pass
+ return self.command_table
+
+ def load_arguments(self, command):
+ from azext_sentinel.generated._params import load_arguments
+ load_arguments(self, command)
+ try:
+ from azext_sentinel.manual._params import load_arguments as load_arguments_manual
+ load_arguments_manual(self, command)
+ except ImportError:
+ pass
+
+
+COMMAND_LOADER_CLS = SecurityInsightsCommandsLoader
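Review bot: The three `except ImportError: pass` handlers around the optional `azext_sentinel.manual` imports (module top, `load_command_table`, `load_arguments`) also swallow an ImportError raised inside a manual module that does exist. A broken import or missing dependency in a hand-written override would then silently drop its commands, argument definitions or help text instead of failing loudly. Assuming the extension only runs on Python 3.6+, narrow each handler so that only an absent override is ignored: `except ModuleNotFoundError as ex:` followed by `if not (ex.name or '').startswith('azext_sentinel.manual'): raise`. The same pattern appears in the action.py and custom.py hunks (there with relative imports, so compare against the resolved module name). Since the header marks these files as AutoRest output, the fix probably belongs in the generator template rather than in a hand edit here.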
diff --git a/src/securityinsight/azext_sentinel/action.py b/src/securityinsight/azext_sentinel/action.py
new file mode 100644
index 00000000000..d95d53bf711
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/action.py
@@ -0,0 +1,17 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=wildcard-import
+# pylint: disable=unused-wildcard-import
+
+from .generated.action import * # noqa: F403
+try:
+ from .manual.action import * # noqa: F403
+except ImportError:
+ pass
diff --git a/src/securityinsight/azext_sentinel/azext_metadata.json b/src/securityinsight/azext_sentinel/azext_metadata.json
new file mode 100644
index 00000000000..4f48fa652a5
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/azext_metadata.json
@@ -0,0 +1,4 @@
+{
+ "azext.isExperimental": true,
+ "azext.minCliCoreVersion": "2.11.0"
+}
\ No newline at end of file
diff --git a/src/securityinsight/azext_sentinel/custom.py b/src/securityinsight/azext_sentinel/custom.py
new file mode 100644
index 00000000000..dbe9d5f9742
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/custom.py
@@ -0,0 +1,17 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=wildcard-import
+# pylint: disable=unused-wildcard-import
+
+from .generated.custom import * # noqa: F403
+try:
+ from .manual.custom import * # noqa: F403
+except ImportError:
+ pass
diff --git a/src/securityinsight/azext_sentinel/generated/__init__.py b/src/securityinsight/azext_sentinel/generated/__init__.py
new file mode 100644
index 00000000000..c9cfdc73e77
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/__init__.py
@@ -0,0 +1,12 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)
diff --git a/src/securityinsight/azext_sentinel/generated/_client_factory.py b/src/securityinsight/azext_sentinel/generated/_client_factory.py
new file mode 100644
index 00000000000..6868ae4601c
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/_client_factory.py
@@ -0,0 +1,44 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+
+def cf_sentinel_cl(cli_ctx, *_):
+ from azure.cli.core.commands.client_factory import get_mgmt_service_client
+ from ..vendored_sdks.securityinsight import SecurityInsights
+ return get_mgmt_service_client(cli_ctx,
+ SecurityInsights)
+
+
+def cf_alert_rule(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).alert_rule
+
+
+def cf_action(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).action
+
+
+def cf_alert_rule_template(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).alert_rule_template
+
+
+def cf_bookmark(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).bookmark
+
+
+def cf_data_connector(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).data_connector
+
+
+def cf_incident(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).incident
+
+
+def cf_incident_comment(cli_ctx, *_):
+ return cf_sentinel_cl(cli_ctx).incident_comment
diff --git a/src/securityinsight/azext_sentinel/generated/_help.py b/src/securityinsight/azext_sentinel/generated/_help.py
new file mode 100644
index 00000000000..09a6f71e5c0
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/_help.py
@@ -0,0 +1,676 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=too-many-lines
+
+from knack.help_files import helps
+
+
+helps['sentinel alert-rule'] = """
+ type: group
+ short-summary: sentinel alert-rule
+"""
+
+helps['sentinel alert-rule list'] = """
+ type: command
+ short-summary: "Gets all alert rules."
+ examples:
+ - name: Get all alert rules.
+ text: |-
+ az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule show'] = """
+ type: command
+ short-summary: "Gets the alert rule."
+ examples:
+ - name: Get a Fusion alert rule.
+ text: |-
+ az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name \
+"myWorkspace"
+ - name: Get a MicrosoftSecurityIncidentCreation rule.
+ text: |-
+ az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExam\
+ple" --workspace-name "myWorkspace"
+ - name: Get a Scheduled alert rule.
+ text: |-
+ az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule create'] = """
+ type: command
+ short-summary: "Creates or updates the action of alert rule. And Create the alert rule."
+ parameters:
+ - name: --fusion-alert-rule
+ short-summary: "Represents Fusion alert rule."
+ long-summary: |
+ Usage: --fusion-alert-rule alert-rule-template-name=XX enabled=XX kind=XX etag=XX
+
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+ - name: --microsoft-security-incident-creation-alert-rule
+ short-summary: "Represents MicrosoftSecurityIncidentCreation rule."
+ long-summary: |
+ Usage: --microsoft-security-incident-creation-alert-rule display-names-filter=XX \
+display-names-exclude-filter=XX product-filter=XX severities-filter=XX alert-rule-template-name=XX description=XX \
+display-name=XX enabled=XX kind=XX etag=XX
+
+ display-names-filter: the alerts' displayNames on which the cases will be generated
+ display-names-exclude-filter: the alerts' displayNames on which the cases will not be generated
+ product-filter: The alerts' productName on which the cases will be generated
+ severities-filter: the alerts' severities on which the cases will be generated
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ description: The description of the alert rule.
+ display-name: The display name for alerts created by this alert rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+ - name: --scheduled-alert-rule
+ short-summary: "Represents scheduled alert rule."
+ long-summary: |
+ Usage: --scheduled-alert-rule query=XX query-frequency=XX query-period=XX severity=XX trigger-operator=XX \
+trigger-threshold=XX alert-rule-template-name=XX description=XX display-name=XX enabled=XX suppression-duration=XX \
+suppression-enabled=XX tactics=XX kind=XX etag=XX
+
+ query: The query that creates alerts for this rule.
+ query-frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ query-period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ severity: The severity for alerts created by this alert rule.
+ trigger-operator: The operation against the threshold that triggers alert rule.
+ trigger-threshold: The threshold triggers this alert rule.
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ description: The description of the alert rule.
+ display-name: The display name for alerts created by this alert rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ suppression-duration: The suppression (in ISO 8601 duration format) to wait since last time this alert \
+rule been triggered.
+ suppression-enabled: Determines whether the suppression for this alert rule is enabled or disabled.
+ tactics: The tactics of the alert rule
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+ examples:
+ - name: Creates or updates an action of alert rule.
+ text: |-
+ az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+--logic-app-resource-id "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Lo\
+gic/workflows/MyAlerts" --trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd\
+7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" \
+--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2\
+ab5" --workspace-name "myWorkspace"
+ - name: Creates or updates a Fusion alert rule.
+ text: |-
+ az sentinel alert-rule create --fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" \
+alert-rule-template-name="f71aba3d-28fb-450b-b192-4e76a83015c8" enabled=true --resource-group "myRg" --rule-id \
+"myFirstFusionRule" --workspace-name "myWorkspace"
+ - name: Creates or updates a MicrosoftSecurityIncidentCreation rule.
+ text: |-
+ az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule \
+etag="\\"260097e0-0000-0d00-0000-5d6fa88f0000\\"" product-filter="Microsoft Cloud App Security" display-name="testing \
+displayname" enabled=true --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \
+--workspace-name "myWorkspace"
+ - name: Creates or updates a Scheduled alert rule.
+ text: |-
+ az sentinel alert-rule create --scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" \
+query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 \
+description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false \
+tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5\
+" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule update'] = """
+ type: command
+ short-summary: "Update the alert rule."
+ parameters:
+ - name: --fusion-alert-rule
+ short-summary: "Represents Fusion alert rule."
+ long-summary: |
+ Usage: --fusion-alert-rule alert-rule-template-name=XX enabled=XX kind=XX etag=XX
+
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+ - name: --microsoft-security-incident-creation-alert-rule
+ short-summary: "Represents MicrosoftSecurityIncidentCreation rule."
+ long-summary: |
+ Usage: --microsoft-security-incident-creation-alert-rule display-names-filter=XX \
+display-names-exclude-filter=XX product-filter=XX severities-filter=XX alert-rule-template-name=XX description=XX \
+display-name=XX enabled=XX kind=XX etag=XX
+
+ display-names-filter: the alerts' displayNames on which the cases will be generated
+ display-names-exclude-filter: the alerts' displayNames on which the cases will not be generated
+ product-filter: The alerts' productName on which the cases will be generated
+ severities-filter: the alerts' severities on which the cases will be generated
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ description: The description of the alert rule.
+ display-name: The display name for alerts created by this alert rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+ - name: --scheduled-alert-rule
+ short-summary: "Represents scheduled alert rule."
+ long-summary: |
+ Usage: --scheduled-alert-rule query=XX query-frequency=XX query-period=XX severity=XX trigger-operator=XX \
+trigger-threshold=XX alert-rule-template-name=XX description=XX display-name=XX enabled=XX suppression-duration=XX \
+suppression-enabled=XX tactics=XX kind=XX etag=XX
+
+ query: The query that creates alerts for this rule.
+ query-frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ query-period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ severity: The severity for alerts created by this alert rule.
+ trigger-operator: The operation against the threshold that triggers alert rule.
+ trigger-threshold: The threshold triggers this alert rule.
+ alert-rule-template-name: The Name of the alert rule template used to create this rule.
+ description: The description of the alert rule.
+ display-name: The display name for alerts created by this alert rule.
+ enabled: Determines whether this alert rule is enabled or disabled.
+ suppression-duration: The suppression (in ISO 8601 duration format) to wait since last time this alert \
+rule been triggered.
+ suppression-enabled: Determines whether the suppression for this alert rule is enabled or disabled.
+ tactics: The tactics of the alert rule
+ kind: Required. The alert rule kind
+ etag: Etag of the azure resource
+"""
+
+helps['sentinel alert-rule delete'] = """
+ type: command
+ short-summary: "Delete the action of alert rule. And Delete the alert rule."
+ examples:
+ - name: Delete an action of alert rule.
+ text: |-
+ az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group \
+"myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+ - name: Delete an alert rule.
+ text: |-
+ az sentinel alert-rule delete --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule get-action'] = """
+ type: command
+ short-summary: "Gets the action of alert rule."
+ examples:
+ - name: Get an action of alert rule.
+ text: |-
+ az sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group \
+"myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel action'] = """
+ type: group
+ short-summary: sentinel action
+"""
+
+helps['sentinel action list'] = """
+ type: command
+ short-summary: "Gets all actions of alert rule."
+ examples:
+ - name: Get all actions of alert rule.
+ text: |-
+ az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule-template'] = """
+ type: group
+ short-summary: sentinel alert-rule-template
+"""
+
+helps['sentinel alert-rule-template list'] = """
+ type: command
+ short-summary: "Gets all alert rule templates."
+ examples:
+ - name: Get all alert rule templates.
+ text: |-
+ az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel alert-rule-template show'] = """
+ type: command
+ short-summary: "Gets the alert rule template."
+ examples:
+ - name: Get alert rule template by Id.
+ text: |-
+ az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel bookmark'] = """
+ type: group
+ short-summary: sentinel bookmark
+"""
+
+helps['sentinel bookmark list'] = """
+ type: command
+ short-summary: "Gets all bookmarks."
+ examples:
+ - name: Get all bookmarks.
+ text: |-
+ az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel bookmark show'] = """
+ type: command
+ short-summary: "Gets a bookmark."
+ examples:
+ - name: Get a bookmark.
+ text: |-
+ az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel bookmark create'] = """
+ type: command
+ short-summary: "Create the bookmark."
+ parameters:
+ - name: --incident-info
+ short-summary: "Describes an incident that relates to bookmark"
+ long-summary: |
+ Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX
+
+ incident-id: Required. Incident Id
+ severity: Required. The severity of the incident
+ title: Required. The title of the incident
+ relation-name: Required. Relation Name
+ examples:
+ - name: Creates or updates a bookmark.
+ text: |-
+ az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created \
+"2019-01-01T13:15:30Z" --display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious \
+activity" --query "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security \
+Event query result" --updated "2019-01-01T13:15:30Z" --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel bookmark update'] = """
+ type: command
+ short-summary: "Update the bookmark."
+ parameters:
+ - name: --incident-info
+ short-summary: "Describes an incident that relates to bookmark"
+ long-summary: |
+ Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX
+
+ incident-id: Required. Incident Id
+ severity: Required. The severity of the incident
+ title: Required. The title of the incident
+ relation-name: Required. Relation Name
+"""
+
+helps['sentinel bookmark delete'] = """
+ type: command
+ short-summary: "Delete the bookmark."
+ examples:
+ - name: Delete a bookmark.
+ text: |-
+ az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \
+"myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel data-connector'] = """
+ type: group
+ short-summary: sentinel data-connector
+"""
+
+helps['sentinel data-connector list'] = """
+ type: command
+ short-summary: "Gets all data connectors."
+ examples:
+ - name: Get all data connectors.
+ text: |-
+ az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel data-connector show'] = """
+ type: command
+ short-summary: "Gets a data connector."
+ examples:
+ - name: Get a ASC data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get a MCAS data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get a MDATP data connector
+ text: |-
+ az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get a TI data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get an AAD data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get an AATP data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get an AwsCloudTrail data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+ - name: Get an Office365 data connector.
+ text: |-
+ az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel data-connector create'] = """
+ type: command
+ short-summary: "Create the data connector."
+ parameters:
+ - name: --aad-data-connector
+ short-summary: "Represents AAD (Azure Active Directory) data connector."
+ long-summary: |
+ Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --aatp-data-connector
+ short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector."
+ long-summary: |
+ Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --asc-data-connector
+ short-summary: "Represents ASC (Azure Security Center) data connector."
+ long-summary: |
+ Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX
+
+ subscription-id: The subscription id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --aws-cloud-trail-data-connector
+ short-summary: "Represents Amazon Web Services CloudTrail data connector."
+ long-summary: |
+ Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX
+
+ aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --mcas-data-connector
+ short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector."
+ long-summary: |
+ Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\
+state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state-data-types-alerts-state: Describe whether this data type connection is enabled or not.
+ state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --mdatp-data-connector
+ short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector."
+ long-summary: |
+ Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --office-data-connector
+ short-summary: "Represents office data connector."
+ long-summary: |
+ Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \
+state-data-types-exchange-state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state-data-types-share-point-state: Describe whether this data type connection is enabled or not.
+ state-data-types-exchange-state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --ti-data-connector
+ short-summary: "Represents threat intelligence data connector."
+ long-summary: |
+ Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ examples:
+ - name: Creates or updates an Office365 data connector.
+ text: |-
+ az sentinel data-connector create --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\
+\\"" tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel data-connector update'] = """
+ type: command
+ short-summary: "Update the data connector."
+ parameters:
+ - name: --aad-data-connector
+ short-summary: "Represents AAD (Azure Active Directory) data connector."
+ long-summary: |
+ Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --aatp-data-connector
+ short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector."
+ long-summary: |
+ Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --asc-data-connector
+ short-summary: "Represents ASC (Azure Security Center) data connector."
+ long-summary: |
+ Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX
+
+ subscription-id: The subscription id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --aws-cloud-trail-data-connector
+ short-summary: "Represents Amazon Web Services CloudTrail data connector."
+ long-summary: |
+ Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX
+
+ aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --mcas-data-connector
+ short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector."
+ long-summary: |
+ Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\
+state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state-data-types-alerts-state: Describe whether this data type connection is enabled or not.
+ state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --mdatp-data-connector
+ short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector."
+ long-summary: |
+ Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --office-data-connector
+ short-summary: "Represents office data connector."
+ long-summary: |
+ Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \
+state-data-types-exchange-state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state-data-types-share-point-state: Describe whether this data type connection is enabled or not.
+ state-data-types-exchange-state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+ - name: --ti-data-connector
+ short-summary: "Represents threat intelligence data connector."
+ long-summary: |
+ Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX
+
+ tenant-id: The tenant id to connect to, and get the data from.
+ state: Describe whether this data type connection is enabled or not.
+ kind: Required. The data connector kind
+ etag: Etag of the azure resource
+"""
+
+helps['sentinel data-connector delete'] = """
+ type: command
+ short-summary: "Delete the data connector."
+ examples:
+ - name: Delete an Office365 data connector.
+ text: |-
+ az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident'] = """
+ type: group
+ short-summary: sentinel incident
+"""
+
+helps['sentinel incident list'] = """
+ type: command
+ short-summary: "Gets all incidents."
+ examples:
+ - name: Get all incidents.
+ text: |-
+ az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident show'] = """
+ type: command
+ short-summary: "Gets an incident."
+ examples:
+ - name: Get an incident.
+ text: |-
+ az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident create'] = """
+ type: command
+ short-summary: "Create the incident."
+ parameters:
+ - name: --labels
+ short-summary: "List of labels relevant to this incident"
+ long-summary: |
+ Usage: --labels label-name=XX
+
+ label-name: Required. The name of the label
+
+ Multiple actions can be specified by using more than one --labels argument.
+ - name: --owner
+ short-summary: "Describes a user that the incident is assigned to"
+ long-summary: |
+ Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX
+
+ email: The email of the user the incident is assigned to.
+ assigned-to: The name of the user the incident is assigned to.
+ object-id: The object id of the user the incident is assigned to.
+ user-principal-name: The user principal name of the user the incident is assigned to.
+ examples:
+ - name: Creates or updates an incident.
+ text: |-
+ az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is \
+a demo incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" \
+--classification-reason "IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" \
+--last-activity-time-utc "2019-01-01T13:05:30Z" --owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity \
+"High" --status "Closed" --title "My incident" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \
+"myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident update'] = """
+ type: command
+ short-summary: "Update the incident."
+ parameters:
+ - name: --labels
+ short-summary: "List of labels relevant to this incident"
+ long-summary: |
+ Usage: --labels label-name=XX
+
+ label-name: Required. The name of the label
+
+ Multiple actions can be specified by using more than one --labels argument.
+ - name: --owner
+ short-summary: "Describes a user that the incident is assigned to"
+ long-summary: |
+ Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX
+
+ email: The email of the user the incident is assigned to.
+ assigned-to: The name of the user the incident is assigned to.
+ object-id: The object id of the user the incident is assigned to.
+ user-principal-name: The user principal name of the user the incident is assigned to.
+"""
+
+helps['sentinel incident delete'] = """
+ type: command
+ short-summary: "Delete the incident."
+ examples:
+ - name: Delete an incident.
+ text: |-
+ az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \
+"myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident-comment'] = """
+ type: group
+ short-summary: sentinel incident-comment
+"""
+
+helps['sentinel incident-comment list'] = """
+ type: command
+ short-summary: "Gets all incident comments."
+ examples:
+ - name: Get all incident comments.
+ text: |-
+ az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \
+"myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident-comment show'] = """
+ type: command
+ short-summary: "Gets an incident comment."
+ examples:
+ - name: Get an incident comment.
+ text: |-
+ az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" \
+--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+"""
+
+helps['sentinel incident-comment create'] = """
+ type: command
+ short-summary: "Creates the incident comment."
+ examples:
+ - name: Creates an incident comment.
+ text: |-
+ az sentinel incident-comment create --message "Some message" --incident-comment-id \
+"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+"""
diff --git a/src/securityinsight/azext_sentinel/generated/_params.py b/src/securityinsight/azext_sentinel/generated/_params.py
new file mode 100644
index 00000000000..1d0fd616a6f
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/_params.py
@@ -0,0 +1,293 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=too-many-lines
+# pylint: disable=too-many-statements
+
+from azure.cli.core.commands.parameters import (
+ get_enum_type,
+ resource_group_name_type
+)
+from azext_sentinel.action import (
+ AddFusionAlertRule,
+ AddMicrosoftSecurityIncidentCreationAlertRule,
+ AddScheduledAlertRule,
+ AddIncidentInfo,
+ AddAadDataConnector,
+ AddAatpDataConnector,
+ AddAscDataConnector,
+ AddAwsCloudTrailDataConnector,
+ AddMcasDataConnector,
+ AddMdatpDataConnector,
+ AddOfficeDataConnector,
+ AddTiDataConnector,
+ AddLabels,
+ AddOwner
+)
+
+
+def load_arguments(self, _):
+
+ with self.argument_context('sentinel alert-rule list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+
+ with self.argument_context('sentinel alert-rule show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel alert-rule create') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('rule_id', type=str, help='Alert rule ID')
+ c.argument('action_id', type=str, help='Action ID')
+ c.argument('etag', type=str, help='Etag of the azure resource')
+ c.argument('logic_app_resource_id', type=str, help='Logic App Resource Id, /subscriptions/{my-subscription}/res'
+ 'ourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.')
+ c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow.')
+ c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.',
+ arg_group='AlertRule')
+ c.argument('microsoft_security_incident_creation_alert_rule',
+ action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents '
+ 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule')
+ c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert '
+ 'rule.', arg_group='AlertRule')
+
+ with self.argument_context('sentinel alert-rule update') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1')
+ c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.',
+ arg_group='AlertRule')
+ c.argument('microsoft_security_incident_creation_alert_rule',
+ action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents '
+ 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule')
+ c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert '
+ 'rule.', arg_group='AlertRule')
+
+ with self.argument_context('sentinel alert-rule delete') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1')
+ c.argument('action_id', type=str, help='Action ID', id_part='child_name_2')
+
+ with self.argument_context('sentinel alert-rule get-action') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1')
+ c.argument('action_id', type=str, help='Action ID', id_part='child_name_2')
+
+ with self.argument_context('sentinel action list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('rule_id', type=str, help='Alert rule ID')
+
+ with self.argument_context('sentinel alert-rule-template list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+
+ with self.argument_context('sentinel alert-rule-template show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('alert_rule_template_id', type=str, help='Alert rule template ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel bookmark list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+
+ with self.argument_context('sentinel bookmark show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel bookmark create') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('bookmark_id', type=str, help='Bookmark ID')
+ c.argument('etag', type=str, help='Etag of the azure resource')
+ c.argument('created', help='The time the bookmark was created')
+ c.argument('display_name', type=str, help='The display name of the bookmark')
+ c.argument('labels', nargs='*', help='List of labels relevant to this bookmark')
+ c.argument('notes', type=str, help='The notes of the bookmark')
+ c.argument('query', type=str, help='The query of the bookmark.')
+ c.argument('query_result', type=str, help='The query result of the bookmark.')
+ c.argument('updated', help='The last time the bookmark was updated')
+ c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to '
+ 'bookmark')
+ c.argument('updated_by_object_id', help='The object id of the user.')
+
+ with self.argument_context('sentinel bookmark update') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1')
+ c.argument('etag', type=str, help='Etag of the azure resource')
+ c.argument('created', help='The time the bookmark was created')
+ c.argument('display_name', type=str, help='The display name of the bookmark')
+ c.argument('labels', nargs='*', help='List of labels relevant to this bookmark')
+ c.argument('notes', type=str, help='The notes of the bookmark')
+ c.argument('query', type=str, help='The query of the bookmark.')
+ c.argument('query_result', type=str, help='The query result of the bookmark.')
+ c.argument('updated', help='The last time the bookmark was updated')
+ c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to '
+ 'bookmark')
+ c.argument('updated_by_object_id', help='The object id of the user.')
+
+ with self.argument_context('sentinel bookmark delete') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel data-connector list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+
+ with self.argument_context('sentinel data-connector show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel data-connector create') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('data_connector_id', type=str, help='Connector ID')
+ c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active '
+ 'Directory) data connector.', arg_group='DataConnector')
+ c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure '
+ 'Advanced Threat Protection) data connector.', arg_group='DataConnector')
+ c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security '
+ 'Center) data connector.', arg_group='DataConnector')
+ c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents '
+ 'Amazon Web Services CloudTrail data connector.', arg_group='DataConnector')
+ c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft '
+ 'Cloud App Security) data connector.', arg_group='DataConnector')
+ c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft '
+ 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector')
+ c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data '
+ 'connector.', arg_group='DataConnector')
+ c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence '
+ 'data connector.', arg_group='DataConnector')
+
+ with self.argument_context('sentinel data-connector update') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1')
+ c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active '
+ 'Directory) data connector.', arg_group='DataConnector')
+ c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure '
+ 'Advanced Threat Protection) data connector.', arg_group='DataConnector')
+ c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security '
+ 'Center) data connector.', arg_group='DataConnector')
+ c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents '
+ 'Amazon Web Services CloudTrail data connector.', arg_group='DataConnector')
+ c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft '
+ 'Cloud App Security) data connector.', arg_group='DataConnector')
+ c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft '
+ 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector')
+ c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data '
+ 'connector.', arg_group='DataConnector')
+ c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence '
+ 'data connector.', arg_group='DataConnector')
+
+ with self.argument_context('sentinel data-connector delete') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel incident list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean '
+ 'condition. Optional.')
+ c.argument('orderby', type=str, help='Sorts the results. Optional.')
+ c.argument('top', type=int, help='Returns only the first n results. Optional.')
+ c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial '
+ 'result. If a previous response contains a nextLink element, the value of the nextLink element will '
+ 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. '
+ 'Optional.')
+
+ with self.argument_context('sentinel incident show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel incident create') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('incident_id', type=str, help='Incident ID')
+ c.argument('etag', type=str, help='Etag of the azure resource')
+ c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', ''
+ 'FalsePositive']), help='The reason the incident was '
+ 'closed')
+ c.argument('classification_comment', type=str, help='Describes the reason the incident was closed')
+ c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', ''
+ 'IncorrectAlertLogic', 'InaccurateData']), help=''
+ 'The classification reason the incident was closed with')
+ c.argument('description', type=str, help='The description of the incident')
+ c.argument('first_activity_time_utc', help='The time of the first activity in the incident')
+ c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident')
+ c.argument('last_activity_time_utc', help='The time of the last activity in the incident')
+ c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to')
+ c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity '
+ 'of the incident')
+ c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident')
+ c.argument('title', type=str, help='The title of the incident')
+
+ with self.argument_context('sentinel incident update') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1')
+ c.argument('etag', type=str, help='Etag of the azure resource')
+ c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', ''
+ 'FalsePositive']), help='The reason the incident was '
+ 'closed')
+ c.argument('classification_comment', type=str, help='Describes the reason the incident was closed')
+ c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', ''
+ 'IncorrectAlertLogic', 'InaccurateData']), help=''
+ 'The classification reason the incident was closed with')
+ c.argument('description', type=str, help='The description of the incident')
+ c.argument('first_activity_time_utc', help='The time of the first activity in the incident')
+ c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident')
+ c.argument('last_activity_time_utc', help='The time of the last activity in the incident')
+ c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to')
+ c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity '
+ 'of the incident')
+ c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident')
+ c.argument('title', type=str, help='The title of the incident')
+
+ with self.argument_context('sentinel incident delete') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1')
+
+ with self.argument_context('sentinel incident-comment list') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('incident_id', type=str, help='Incident ID')
+ c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean '
+ 'condition. Optional.')
+ c.argument('orderby', type=str, help='Sorts the results. Optional.')
+ c.argument('top', type=int, help='Returns only the first n results. Optional.')
+ c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial '
+ 'result. If a previous response contains a nextLink element, the value of the nextLink element will '
+ 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. '
+ 'Optional.')
+
+ with self.argument_context('sentinel incident-comment show') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
+ c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1')
+ c.argument('incident_comment_id', type=str, help='Incident comment ID', id_part='child_name_2')
+
+ with self.argument_context('sentinel incident-comment create') as c:
+ c.argument('resource_group_name', resource_group_name_type)
+ c.argument('workspace_name', type=str, help='The name of the workspace.')
+ c.argument('incident_id', type=str, help='Incident ID')
+ c.argument('incident_comment_id', type=str, help='Incident comment ID')
+ c.argument('message', type=str, help='The comment message')
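Review bot: In the `sentinel alert-rule create` context, `trigger_uri` is taken as an ordinary string, but the README example in this commit shows that the Logic App callback URL carries a `sig=` query parameter. Anyone holding that URL can presumably invoke the workflow, and a value passed on the command line ends up in shell history and process listings. The help text should at least say so, for example `c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow. The URL embeds a signature (sig=) and should be handled as a secret.')`. Because this file is marked as AutoRest-generated, the wording probably has to be set in the generator input to survive regeneration.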
diff --git a/src/securityinsight/azext_sentinel/generated/_validators.py b/src/securityinsight/azext_sentinel/generated/_validators.py
new file mode 100644
index 00000000000..b33a44c1ebf
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/_validators.py
@@ -0,0 +1,9 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
diff --git a/src/securityinsight/azext_sentinel/generated/action.py b/src/securityinsight/azext_sentinel/generated/action.py
new file mode 100644
index 00000000000..640e939dbf8
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/action.py
@@ -0,0 +1,427 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=protected-access
+
+import argparse
+from collections import defaultdict
+from knack.util import CLIError
+
+
+class AddFusionAlertRule(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.fusion_alert_rule = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'alert-rule-template-name':
+ d['alert_rule_template_name'] = v[0]
+ elif kl == 'enabled':
+ d['enabled'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'Fusion'
+ return d
+
+
+class AddMicrosoftSecurityIncidentCreationAlertRule(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.microsoft_security_incident_creation_alert_rule = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'display-names-filter':
+ d['display_names_filter'] = v
+ elif kl == 'display-names-exclude-filter':
+ d['display_names_exclude_filter'] = v
+ elif kl == 'product-filter':
+ d['product_filter'] = v[0]
+ elif kl == 'severities-filter':
+ d['severities_filter'] = v
+ elif kl == 'alert-rule-template-name':
+ d['alert_rule_template_name'] = v[0]
+ elif kl == 'description':
+ d['description'] = v[0]
+ elif kl == 'display-name':
+ d['display_name'] = v[0]
+ elif kl == 'enabled':
+ d['enabled'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'MicrosoftSecurityIncidentCreation'
+ return d
+
+
+class AddScheduledAlertRule(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.scheduled_alert_rule = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'query':
+ d['query'] = v[0]
+ elif kl == 'query-frequency':
+ d['query_frequency'] = v[0]
+ elif kl == 'query-period':
+ d['query_period'] = v[0]
+ elif kl == 'severity':
+ d['severity'] = v[0]
+ elif kl == 'trigger-operator':
+ d['trigger_operator'] = v[0]
+ elif kl == 'trigger-threshold':
+ d['trigger_threshold'] = v[0]
+ elif kl == 'alert-rule-template-name':
+ d['alert_rule_template_name'] = v[0]
+ elif kl == 'description':
+ d['description'] = v[0]
+ elif kl == 'display-name':
+ d['display_name'] = v[0]
+ elif kl == 'enabled':
+ d['enabled'] = v[0]
+ elif kl == 'suppression-duration':
+ d['suppression_duration'] = v[0]
+ elif kl == 'suppression-enabled':
+ d['suppression_enabled'] = v[0]
+ elif kl == 'tactics':
+ d['tactics'] = v
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'Scheduled'
+ return d
+
+
+class AddIncidentInfo(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.incident_info = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'incident-id':
+ d['incident_id'] = v[0]
+ elif kl == 'severity':
+ d['severity'] = v[0]
+ elif kl == 'title':
+ d['title'] = v[0]
+ elif kl == 'relation-name':
+ d['relation_name'] = v[0]
+ return d
+
+
+class AddAadDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.aad_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'AzureActiveDirectory'
+ return d
+
+
+class AddAatpDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.aatp_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'AzureAdvancedThreatProtection'
+ return d
+
+
+class AddAscDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.asc_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'subscription-id':
+ d['subscription_id'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'AzureSecurityCenter'
+ return d
+
+
+class AddAwsCloudTrailDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.aws_cloud_trail_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'aws-role-arn':
+ d['aws_role_arn'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'AmazonWebServicesCloudTrail'
+ return d
+
+
+class AddMcasDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.mcas_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state-data-types-alerts-state':
+ d['state_data_types_alerts_state'] = v[0]
+ elif kl == 'state-data-types-discovery-logs-state':
+ d['state_data_types_discovery_logs_state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'MicrosoftCloudAppSecurity'
+ return d
+
+
+class AddMdatpDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.mdatp_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'MicrosoftDefenderAdvancedThreatProtection'
+ return d
+
+
+class AddOfficeDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.office_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state-data-types-share-point-state':
+ d['state_data_types_share_point_state'] = v[0]
+ elif kl == 'state-data-types-exchange-state':
+ d['state_data_types_exchange_state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'Office365'
+ return d
+
+
+class AddTiDataConnector(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.ti_data_connector = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'tenant-id':
+ d['tenant_id'] = v[0]
+ elif kl == 'state':
+ d['state'] = v[0]
+ elif kl == 'etag':
+ d['etag'] = v[0]
+ d['kind'] = 'ThreatIntelligence'
+ return d
+
+
+class AddLabels(argparse._AppendAction):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ super(AddLabels, self).__call__(parser, namespace, action, option_string)
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'label-name':
+ d['label_name'] = v[0]
+ return d
+
+
+class AddOwner(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ action = self.get_action(values, option_string)
+ namespace.owner = action
+
+ def get_action(self, values, option_string): # pylint: disable=no-self-use
+ try:
+ properties = defaultdict(list)
+ for (k, v) in (x.split('=', 1) for x in values):
+ properties[k].append(v)
+ properties = dict(properties)
+ except ValueError:
+ raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string))
+ d = {}
+ for k in properties:
+ kl = k.lower()
+ v = properties[k]
+ if kl == 'email':
+ d['email'] = v[0]
+ elif kl == 'assigned-to':
+ d['assigned_to'] = v[0]
+ elif kl == 'object-id':
+ d['object_id'] = v[0]
+ elif kl == 'user-principal-name':
+ d['user_principal_name'] = v[0]
+ return d
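Review bot: Every `get_action` in this file silently drops keys it does not recognise, because the `if`/`elif` chain over `kl` has no final `else`; a misspelt key such as `enabld=false` (constructed example) is discarded and the alert rule or data connector is built without it. For detection configuration a usage error is safer than a silent drop, so each chain should end with something like `else: raise CLIError('Unsupported key {} for {}'.format(k, option_string))`. The scalar fields also keep only `v[0]`, so a repeated key loses every value after the first without any warning. `enabled` and `suppression-enabled` are stored as the raw string, so whether `enabled=false` ends up false depends on conversion in a later layer that this hunk does not show; that is worth confirming. The header marks the file as generated, so the fix probably belongs in the generator configuration or in a manual override rather than in this file.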
diff --git a/src/securityinsight/azext_sentinel/generated/commands.py b/src/securityinsight/azext_sentinel/generated/commands.py
new file mode 100644
index 00000000000..f8dac3f83d6
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/commands.py
@@ -0,0 +1,100 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=too-many-statements
+# pylint: disable=too-many-locals
+
+from azure.cli.core.commands import CliCommandType
+
+
+def load_command_table(self, _):
+
+ from azext_sentinel.generated._client_factory import cf_alert_rule
+ sentinel_alert_rule = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_operations#AlertRuleOperat'
+ 'ions.{}',
+ client_factory=cf_alert_rule)
+ with self.command_group('sentinel alert-rule', sentinel_alert_rule, client_factory=cf_alert_rule,
+ is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_alert_rule_list')
+ g.custom_show_command('show', 'sentinel_alert_rule_show')
+ g.custom_command('create', 'sentinel_alert_rule_create')
+ g.generic_update_command('update', setter_arg_name='alert_rule',
+ custom_func_name='sentinel_alert_rule_update')
+ g.custom_command('delete', 'sentinel_alert_rule_delete', confirmation=True)
+ g.custom_command('get-action', 'sentinel_alert_rule_get_action')
+
+ from azext_sentinel.generated._client_factory import cf_action
+ sentinel_action = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._action_operations#ActionOperations.{}'
+ '',
+ client_factory=cf_action)
+ with self.command_group('sentinel action', sentinel_action, client_factory=cf_action, is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_action_list')
+
+ from azext_sentinel.generated._client_factory import cf_alert_rule_template
+ sentinel_alert_rule_template = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_template_operations#AlertR'
+ 'uleTemplateOperations.{}',
+ client_factory=cf_alert_rule_template)
+ with self.command_group('sentinel alert-rule-template', sentinel_alert_rule_template,
+ client_factory=cf_alert_rule_template, is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_alert_rule_template_list')
+ g.custom_show_command('show', 'sentinel_alert_rule_template_show')
+
+ from azext_sentinel.generated._client_factory import cf_bookmark
+ sentinel_bookmark = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._bookmark_operations#BookmarkOperation'
+ 's.{}',
+ client_factory=cf_bookmark)
+ with self.command_group('sentinel bookmark', sentinel_bookmark, client_factory=cf_bookmark,
+ is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_bookmark_list')
+ g.custom_show_command('show', 'sentinel_bookmark_show')
+ g.custom_command('create', 'sentinel_bookmark_create')
+ g.custom_command('update', 'sentinel_bookmark_update')
+ g.custom_command('delete', 'sentinel_bookmark_delete', confirmation=True)
+
+ from azext_sentinel.generated._client_factory import cf_data_connector
+ sentinel_data_connector = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._data_connector_operations#DataConnect'
+ 'orOperations.{}',
+ client_factory=cf_data_connector)
+ with self.command_group('sentinel data-connector', sentinel_data_connector, client_factory=cf_data_connector,
+ is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_data_connector_list')
+ g.custom_show_command('show', 'sentinel_data_connector_show')
+ g.custom_command('create', 'sentinel_data_connector_create')
+ g.generic_update_command('update', setter_arg_name='data_connector', custom_func_name=''
+ 'sentinel_data_connector_update')
+ g.custom_command('delete', 'sentinel_data_connector_delete', confirmation=True)
+
+ from azext_sentinel.generated._client_factory import cf_incident
+ sentinel_incident = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_operations#IncidentOperation'
+ 's.{}',
+ client_factory=cf_incident)
+ with self.command_group('sentinel incident', sentinel_incident, client_factory=cf_incident,
+ is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_incident_list')
+ g.custom_show_command('show', 'sentinel_incident_show')
+ g.custom_command('create', 'sentinel_incident_create')
+ g.custom_command('update', 'sentinel_incident_update')
+ g.custom_command('delete', 'sentinel_incident_delete', confirmation=True)
+
+ from azext_sentinel.generated._client_factory import cf_incident_comment
+ sentinel_incident_comment = CliCommandType(
+ operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_comment_operations#IncidentC'
+ 'ommentOperations.{}',
+ client_factory=cf_incident_comment)
+ with self.command_group('sentinel incident-comment', sentinel_incident_comment, client_factory=cf_incident_comment,
+ is_experimental=True) as g:
+ g.custom_command('list', 'sentinel_incident_comment_list')
+ g.custom_show_command('show', 'sentinel_incident_comment_show')
+ g.custom_command('create', 'sentinel_incident_comment_create')
diff --git a/src/securityinsight/azext_sentinel/generated/custom.py b/src/securityinsight/azext_sentinel/generated/custom.py
new file mode 100644
index 00000000000..aecb82f2db6
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/generated/custom.py
@@ -0,0 +1,433 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=too-many-lines
+# pylint: disable=unused-argument
+
+from knack.util import CLIError
+
+
+def sentinel_alert_rule_list(client,
+ resource_group_name,
+ workspace_name):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name)
+
+
+def sentinel_alert_rule_show(client,
+ resource_group_name,
+ workspace_name,
+ rule_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id)
+
+
+def sentinel_alert_rule_create(client,
+ resource_group_name,
+ workspace_name,
+ rule_id,
+ action_id=None,
+ etag=None,
+ logic_app_resource_id=None,
+ trigger_uri=None,
+ fusion_alert_rule=None,
+ microsoft_security_incident_creation_alert_rule=None,
+ scheduled_alert_rule=None):
+ all_alert_rule = []
+ if fusion_alert_rule is not None:
+ all_alert_rule.append(fusion_alert_rule)
+ if microsoft_security_incident_creation_alert_rule is not None:
+ all_alert_rule.append(microsoft_security_incident_creation_alert_rule)
+ if scheduled_alert_rule is not None:
+ all_alert_rule.append(scheduled_alert_rule)
+ if len(all_alert_rule) > 1:
+ raise CLIError('at most one of fusion_alert_rule, microsoft_security_incident_creation_alert_rule, '
+ 'scheduled_alert_rule is needed for alert_rule!')
+ alert_rule = all_alert_rule[0] if len(all_alert_rule) == 1 else None
+ if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None:
+ return client.create_or_update_action(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id,
+ action_id=action_id,
+ etag=etag,
+ logic_app_resource_id=logic_app_resource_id,
+ trigger_uri=trigger_uri)
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id,
+ alert_rule=alert_rule)
+
+
+def sentinel_alert_rule_update(instance,
+ resource_group_name,
+ workspace_name,
+ rule_id,
+ fusion_alert_rule=None,
+ microsoft_security_incident_creation_alert_rule=None,
+ scheduled_alert_rule=None):
+ return instance
+
+
+def sentinel_alert_rule_delete(client,
+ resource_group_name,
+ workspace_name,
+ rule_id,
+ action_id=None):
+ if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None:
+ return client.delete_action(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id,
+ action_id=action_id)
+ return client.delete(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id)
+
+
+def sentinel_alert_rule_get_action(client,
+ resource_group_name,
+ workspace_name,
+ rule_id,
+ action_id):
+ return client.get_action(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id,
+ action_id=action_id)
+
+
+def sentinel_action_list(client,
+ resource_group_name,
+ workspace_name,
+ rule_id):
+ return client.list_by_alert_rule(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id)
+
+
+def sentinel_alert_rule_template_list(client,
+ resource_group_name,
+ workspace_name):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name)
+
+
+def sentinel_alert_rule_template_show(client,
+ resource_group_name,
+ workspace_name,
+ alert_rule_template_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ alert_rule_template_id=alert_rule_template_id)
+
+
+def sentinel_bookmark_list(client,
+ resource_group_name,
+ workspace_name):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name)
+
+
+def sentinel_bookmark_show(client,
+ resource_group_name,
+ workspace_name,
+ bookmark_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ bookmark_id=bookmark_id)
+
+
+def sentinel_bookmark_create(client,
+ resource_group_name,
+ workspace_name,
+ bookmark_id,
+ etag=None,
+ created=None,
+ display_name=None,
+ labels=None,
+ notes=None,
+ query=None,
+ query_result=None,
+ updated=None,
+ incident_info=None,
+ updated_by_object_id=None):
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ bookmark_id=bookmark_id,
+ etag=etag,
+ created=created,
+ display_name=display_name,
+ labels=labels,
+ notes=notes,
+ query=query,
+ query_result=query_result,
+ updated=updated,
+ incident_info=incident_info,
+ object_id=updated_by_object_id)
+
+
+def sentinel_bookmark_update(client,
+ resource_group_name,
+ workspace_name,
+ bookmark_id,
+ etag=None,
+ created=None,
+ display_name=None,
+ labels=None,
+ notes=None,
+ query=None,
+ query_result=None,
+ updated=None,
+ incident_info=None,
+ updated_by_object_id=None):
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ bookmark_id=bookmark_id,
+ etag=etag,
+ created=created,
+ display_name=display_name,
+ labels=labels,
+ notes=notes,
+ query=query,
+ query_result=query_result,
+ updated=updated,
+ incident_info=incident_info,
+ object_id=updated_by_object_id)
+
+
+def sentinel_bookmark_delete(client,
+ resource_group_name,
+ workspace_name,
+ bookmark_id):
+ return client.delete(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ bookmark_id=bookmark_id)
+
+
+def sentinel_data_connector_list(client,
+ resource_group_name,
+ workspace_name):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name)
+
+
+def sentinel_data_connector_show(client,
+ resource_group_name,
+ workspace_name,
+ data_connector_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ data_connector_id=data_connector_id)
+
+
+def sentinel_data_connector_create(client,
+ resource_group_name,
+ workspace_name,
+ data_connector_id,
+ aad_data_connector=None,
+ aatp_data_connector=None,
+ asc_data_connector=None,
+ aws_cloud_trail_data_connector=None,
+ mcas_data_connector=None,
+ mdatp_data_connector=None,
+ office_data_connector=None,
+ ti_data_connector=None):
+ all_data_connector = []
+ if aad_data_connector is not None:
+ all_data_connector.append(aad_data_connector)
+ if aatp_data_connector is not None:
+ all_data_connector.append(aatp_data_connector)
+ if asc_data_connector is not None:
+ all_data_connector.append(asc_data_connector)
+ if aws_cloud_trail_data_connector is not None:
+ all_data_connector.append(aws_cloud_trail_data_connector)
+ if mcas_data_connector is not None:
+ all_data_connector.append(mcas_data_connector)
+ if mdatp_data_connector is not None:
+ all_data_connector.append(mdatp_data_connector)
+ if office_data_connector is not None:
+ all_data_connector.append(office_data_connector)
+ if ti_data_connector is not None:
+ all_data_connector.append(ti_data_connector)
+ if len(all_data_connector) > 1:
+ raise CLIError('at most one of aad_data_connector, aatp_data_connector, asc_data_connector, '
+ 'aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, '
+ 'office_data_connector, ti_data_connector is needed for data_connector!')
+ if len(all_data_connector) != 1:
+ raise CLIError('data_connector is required. but none of aad_data_connector, aatp_data_connector, '
+ 'asc_data_connector, aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, '
+ 'office_data_connector, ti_data_connector is provided!')
+ data_connector = all_data_connector[0] if len(all_data_connector) == 1 else None
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ data_connector_id=data_connector_id,
+ data_connector=data_connector)
+
+
+def sentinel_data_connector_update(instance,
+ resource_group_name,
+ workspace_name,
+ data_connector_id,
+ aad_data_connector=None,
+ aatp_data_connector=None,
+ asc_data_connector=None,
+ aws_cloud_trail_data_connector=None,
+ mcas_data_connector=None,
+ mdatp_data_connector=None,
+ office_data_connector=None,
+ ti_data_connector=None):
+ return instance
+
+
+def sentinel_data_connector_delete(client,
+ resource_group_name,
+ workspace_name,
+ data_connector_id):
+ return client.delete(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ data_connector_id=data_connector_id)
+
+
+def sentinel_incident_list(client,
+ resource_group_name,
+ workspace_name,
+ filter_=None,
+ orderby=None,
+ top=None,
+ skip_token=None):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ filter=filter_,
+ orderby=orderby,
+ top=top,
+ skip_token=skip_token)
+
+
+def sentinel_incident_show(client,
+ resource_group_name,
+ workspace_name,
+ incident_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id)
+
+
+def sentinel_incident_create(client,
+ resource_group_name,
+ workspace_name,
+ incident_id,
+ etag=None,
+ classification=None,
+ classification_comment=None,
+ classification_reason=None,
+ description=None,
+ first_activity_time_utc=None,
+ labels=None,
+ last_activity_time_utc=None,
+ owner=None,
+ severity=None,
+ status=None,
+ title=None):
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id,
+ etag=etag,
+ classification=classification,
+ classification_comment=classification_comment,
+ classification_reason=classification_reason,
+ description=description,
+ first_activity_time_utc=first_activity_time_utc,
+ labels=labels,
+ last_activity_time_utc=last_activity_time_utc,
+ owner=owner,
+ severity=severity,
+ status=status,
+ title=title)
+
+
+def sentinel_incident_update(client,
+ resource_group_name,
+ workspace_name,
+ incident_id,
+ etag=None,
+ classification=None,
+ classification_comment=None,
+ classification_reason=None,
+ description=None,
+ first_activity_time_utc=None,
+ labels=None,
+ last_activity_time_utc=None,
+ owner=None,
+ severity=None,
+ status=None,
+ title=None):
+ return client.create_or_update(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id,
+ etag=etag,
+ classification=classification,
+ classification_comment=classification_comment,
+ classification_reason=classification_reason,
+ description=description,
+ first_activity_time_utc=first_activity_time_utc,
+ labels=labels,
+ last_activity_time_utc=last_activity_time_utc,
+ owner=owner,
+ severity=severity,
+ status=status,
+ title=title)
+
+
+def sentinel_incident_delete(client,
+ resource_group_name,
+ workspace_name,
+ incident_id):
+ return client.delete(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id)
+
+
+def sentinel_incident_comment_list(client,
+ resource_group_name,
+ workspace_name,
+ incident_id,
+ filter_=None,
+ orderby=None,
+ top=None,
+ skip_token=None):
+ return client.list_by_incident(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id,
+ filter=filter_,
+ orderby=orderby,
+ top=top,
+ skip_token=skip_token)
+
+
+def sentinel_incident_comment_show(client,
+ resource_group_name,
+ workspace_name,
+ incident_id,
+ incident_comment_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id,
+ incident_comment_id=incident_comment_id)
+
+
+def sentinel_incident_comment_create(client,
+ resource_group_name,
+ workspace_name,
+ incident_id,
+ incident_comment_id,
+ message=None):
+ return client.create_comment(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ incident_id=incident_id,
+ incident_comment_id=incident_comment_id,
+ message=message)
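Review bot: `sentinel_alert_rule_update` and `sentinel_data_connector_update` accept the rule and connector arguments and then `return instance` unchanged, so an update that passes, say, `scheduled_alert_rule` appears to succeed while the detection rule stays as it was. Either apply the supplied dictionary to `instance` before returning it, or fail loudly until that is implemented, e.g. `raise CLIError('alert rule properties cannot be changed through update yet')`. In `sentinel_alert_rule_create`, the branch taken when `action_id` is set ignores any `*_alert_rule` argument, and the fallback passes `alert_rule=None` to `client.create_or_update` when none was given. `sentinel_data_connector_create` raises in that case, and a matching `if alert_rule is None: raise CLIError(...)` would keep the two consistent. The guard `if resource_group_name and workspace_name is not None and ...` mixes a truthiness test with `is not None` checks; since only `action_id` is optional there, `if action_id is not None:` states the intent more clearly.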
diff --git a/src/securityinsight/azext_sentinel/manual/__init__.py b/src/securityinsight/azext_sentinel/manual/__init__.py
new file mode 100644
index 00000000000..c9cfdc73e77
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/manual/__init__.py
@@ -0,0 +1,12 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)
diff --git a/src/securityinsight/azext_sentinel/tests/__init__.py b/src/securityinsight/azext_sentinel/tests/__init__.py
new file mode 100644
index 00000000000..50e0627daff
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/tests/__init__.py
@@ -0,0 +1,114 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+import inspect
+import logging
+import os
+import sys
+import traceback
+import datetime as dt
+
+from azure.core.exceptions import AzureError
+from azure.cli.testsdk.exceptions import CliTestError, CliExecutionError, JMESPathCheckAssertionError
+
+
+logger = logging.getLogger('azure.cli.testsdk')
+logger.addHandler(logging.StreamHandler())
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)
+exceptions = []
+test_map = dict()
+SUCCESSED = "successed"
+FAILED = "failed"
+
+
+def try_manual(func):
+ def import_manual_function(origin_func):
+ from importlib import import_module
+ decorated_path = inspect.getfile(origin_func)
+ module_path = __path__[0]
+ if not decorated_path.startswith(module_path):
+ raise Exception("Decorator can only be used in submodules!")
+ manual_path = os.path.join(
+ decorated_path[module_path.rfind(os.path.sep) + 1:])
+ manual_file_path, manual_file_name = os.path.split(manual_path)
+ module_name, _ = os.path.splitext(manual_file_name)
+ manual_module = "..manual." + \
+ ".".join(manual_file_path.split(os.path.sep) + [module_name, ])
+ return getattr(import_module(manual_module, package=__name__), origin_func.__name__)
+
+ def get_func_to_call():
+ func_to_call = func
+ try:
+ func_to_call = import_manual_function(func)
+ func_to_call = import_manual_function(func)
+ logger.info("Found manual override for %s(...)", func.__name__)
+ except (ImportError, AttributeError):
+ pass
+ return func_to_call
+
+ def wrapper(*args, **kwargs):
+ func_to_call = get_func_to_call()
+ logger.info("running %s()...", func.__name__)
+ try:
+ test_map[func.__name__] = dict()
+ test_map[func.__name__]["result"] = SUCCESSED
+ test_map[func.__name__]["error_message"] = ""
+ test_map[func.__name__]["error_stack"] = ""
+ test_map[func.__name__]["error_normalized"] = ""
+ test_map[func.__name__]["start_dt"] = dt.datetime.utcnow()
+ ret = func_to_call(*args, **kwargs)
+ except (AssertionError, AzureError, CliTestError, CliExecutionError, SystemExit,
+ JMESPathCheckAssertionError) as e:
+ test_map[func.__name__]["end_dt"] = dt.datetime.utcnow()
+ test_map[func.__name__]["result"] = FAILED
+ test_map[func.__name__]["error_message"] = str(e).replace("\r\n", " ").replace("\n", " ")[:500]
+ test_map[func.__name__]["error_stack"] = traceback.format_exc().replace(
+ "\r\n", " ").replace("\n", " ")[:500]
+ logger.info("--------------------------------------")
+ logger.info("step exception: %s", e)
+ logger.error("--------------------------------------")
+ logger.error("step exception in %s: %s", func.__name__, e)
+ logger.info(traceback.format_exc())
+ exceptions.append((func.__name__, sys.exc_info()))
+ else:
+ test_map[func.__name__]["end_dt"] = dt.datetime.utcnow()
+ return ret
+
+ if inspect.isclass(func):
+ return get_func_to_call()
+ return wrapper
+
+
+def calc_coverage(filename):
+ filename = filename.split(".")[0]
+ coverage_name = filename + "_coverage.md"
+ with open(coverage_name, "w") as f:
+ f.write("|Scenario|Result|ErrorMessage|ErrorStack|ErrorNormalized|StartDt|EndDt|\n")
+ total = len(test_map)
+ covered = 0
+ for k, v in test_map.items():
+ if not k.startswith("step_"):
+ total -= 1
+ continue
+ if v["result"] == SUCCESSED:
+ covered += 1
+ f.write("|{step_name}|{result}|{error_message}|{error_stack}|{error_normalized}|{start_dt}|"
+ "{end_dt}|\n".format(step_name=k, **v))
+ f.write("Coverage: {}/{}\n".format(covered, total))
+ print("Create coverage\n", file=sys.stderr)
+
+
+def raise_if():
+ if exceptions:
+ if len(exceptions) <= 1:
+ raise exceptions[0][1][1]
+ message = "{}\nFollowed with exceptions in other steps:\n".format(str(exceptions[0][1][1]))
+ message += "\n".join(["{}: {}".format(h[0], h[1][1]) for h in exceptions[1:]])
+ raise exceptions[0][1][0](message).with_traceback(exceptions[0][1][2])
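Review bot: `calc_coverage` builds the report name with `filename.split(".")[0]`, which cuts at the first dot anywhere in the string; the scenario test passes `__file__`, so a checkout or install path with a dotted directory would put `_coverage.md` outside the test folder. `filename = os.path.splitext(filename)[0]` strips only the extension and keeps the directory part intact. The report also stores up to 500 characters of each failed step's exception text and traceback, which for commands run against a live workspace may include resource IDs or request URLs, so the generated `*_coverage.md` is probably best kept out of version control and shared CI artifacts. Separately, `get_func_to_call` calls `import_manual_function(func)` twice in a row; the second assignment can be dropped.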
diff --git a/src/securityinsight/azext_sentinel/tests/latest/__init__.py b/src/securityinsight/azext_sentinel/tests/latest/__init__.py
new file mode 100644
index 00000000000..c9cfdc73e77
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/tests/latest/__init__.py
@@ -0,0 +1,12 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)
diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py
new file mode 100644
index 00000000000..6e1e99057bb
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py
@@ -0,0 +1,486 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+import os
+from azure.cli.testsdk import ScenarioTest
+from .. import try_manual, raise_if, calc_coverage
+from azure.cli.testsdk import ResourceGroupPreparer
+
+
+TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), '..'))
+
+
+# Env setup
+@try_manual
+def setup(test, rg):
+ pass
+
+
+# EXAMPLE: /Actions/get/Get all actions of alert rule.
+@try_manual
+def step__actions_get_get_all_actions_of_alert_rule_(test, rg):
+ test.cmd('az sentinel action list '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/put/Creates or updates a Fusion alert rule.
+@try_manual
+def step__alertrules_put(test, rg):
+ test.cmd('az sentinel alert-rule create '
+ '--fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" alert-rule-template-name="f71aba3d-28fb-4'
+ '50b-b192-4e76a83015c8" enabled=true '
+ '--resource-group "{rg}" '
+ '--rule-id "myFirstFusionRule" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/put/Creates or updates a MicrosoftSecurityIncidentCreation rule.
+@try_manual
+def step__alertrules_put2(test, rg):
+ test.cmd('az sentinel alert-rule create '
+ '--microsoft-security-incident-creation-alert-rule etag="\\"260097e0-0000-0d00-0000-5d6fa88f0000\\"" '
+ 'product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true '
+ '--resource-group "{rg}" '
+ '--rule-id "microsoftSecurityIncidentCreationRuleExample" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/put/Creates or updates a Scheduled alert rule.
+@try_manual
+def step__alertrules_put3(test, rg):
+ test.cmd('az sentinel alert-rule create '
+ '--scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" query="ProtectionStatus | '
+ 'extend HostCustomEntity query-frequency="PT1H" query-period="P2DT1H30M" severity="High" '
+ 'trigger-operator="GreaterThan" trigger-threshold=0 description="" display-name="Rule2" enabled=true '
+ 'suppression-duration="PT1H" suppression-enabled=false tactics="Persistence" tactics="LateralMovement" '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/put/Creates or updates an action of alert rule.
+@try_manual
+def step__alertrules_put4(test, rg):
+ test.cmd('az sentinel alert-rule create '
+ '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" '
+ '--logic-app-resource-id "/subscriptions/{subscription_id}/resourceGroups/{rg}/providers/Microsoft.Logic/w'
+ 'orkflows/MyAlerts" '
+ '--trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d4'
+ '8d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signatur'
+ 'e" '
+ '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/get/Get a Fusion alert rule.
+@try_manual
+def step__alertrules_get_get_a_fusion_alert_rule_(test, rg):
+ test.cmd('az sentinel alert-rule show '
+ '--resource-group "{rg}" '
+ '--rule-id "myFirstFusionRule" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/get/Get a MicrosoftSecurityIncidentCreation rule.
+@try_manual
+def step__alertrules_get(test, rg):
+ test.cmd('az sentinel alert-rule show '
+ '--resource-group "{rg}" '
+ '--rule-id "microsoftSecurityIncidentCreationRuleExample" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/get/Get a Scheduled alert rule.
+@try_manual
+def step__alertrules_get_get_a_scheduled_alert_rule_(test, rg):
+ test.cmd('az sentinel alert-rule show '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/get/Get all alert rules.
+@try_manual
+def step__alertrules_get_get_all_alert_rules_(test, rg):
+ test.cmd('az sentinel alert-rule list '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/get/Get an action of alert rule.
+@try_manual
+def step__alertrules_get_get_an_action_of_alert_rule_(test, rg):
+ test.cmd('az sentinel alert-rule get-action '
+ '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/delete/Delete an action of alert rule.
+@try_manual
+def step__alertrules_delete(test, rg):
+ test.cmd('az sentinel alert-rule delete -y '
+ '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRules/delete/Delete an alert rule.
+@try_manual
+def step__alertrules_delete_delete_an_alert_rule_(test, rg):
+ test.cmd('az sentinel alert-rule delete -y '
+ '--resource-group "{rg}" '
+ '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRuleTemplates/get/Get alert rule template by Id.
+@try_manual
+def step__alertruletemplates_get(test, rg):
+ test.cmd('az sentinel alert-rule-template show '
+ '--alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /AlertRuleTemplates/get/Get all alert rule templates.
+@try_manual
+def step__alertruletemplates_get2(test, rg):
+ test.cmd('az sentinel alert-rule-template list '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Bookmarks/put/Creates or updates a bookmark.
+@try_manual
+def step__bookmarks_put_creates_or_updates_a_bookmark_(test, rg):
+ test.cmd('az sentinel bookmark create '
+ '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" '
+ '--created "2019-01-01T13:15:30Z" '
+ '--display-name "My bookmark" '
+ '--labels "Tag1" '
+ '--labels "Tag2" '
+ '--notes "Found a suspicious activity" '
+ '--query "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" '
+ '--query-result "Security Event query result" '
+ '--updated "2019-01-01T13:15:30Z" '
+ '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Bookmarks/get/Get a bookmark.
+@try_manual
+def step__bookmarks_get_get_a_bookmark_(test, rg):
+ test.cmd('az sentinel bookmark show '
+ '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Bookmarks/get/Get all bookmarks.
+@try_manual
+def step__bookmarks_get_get_all_bookmarks_(test, rg):
+ test.cmd('az sentinel bookmark list '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Bookmarks/delete/Delete a bookmark.
+@try_manual
+def step__bookmarks_delete_delete_a_bookmark_(test, rg):
+ test.cmd('az sentinel bookmark delete -y '
+ '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/put/Creates or updates an Office365 data connector.
+@try_manual
+def step__dataconnectors_put(test, rg):
+ test.cmd('az sentinel data-connector create '
+ '--office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" tenant-id="2070ecc9-b4d5-4ae4-a'
+ 'daa-936fa1954fa8" '
+ '--data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get a ASC data connector.
+@try_manual
+def step__dataconnectors_get_get_a_asc_data_connector_(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get a MCAS data connector.
+@try_manual
+def step__dataconnectors_get(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get a MDATP data connector
+@try_manual
+def step__dataconnectors_get2(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get a TI data connector.
+@try_manual
+def step__dataconnectors_get_get_a_ti_data_connector_(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get all data connectors.
+@try_manual
+def step__dataconnectors_get_get_all_data_connectors_(test, rg):
+ test.cmd('az sentinel data-connector list '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get an AAD data connector.
+@try_manual
+def step__dataconnectors_get3(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get an AATP data connector.
+@try_manual
+def step__dataconnectors_get4(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get an AwsCloudTrail data connector.
+@try_manual
+def step__dataconnectors_get5(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/get/Get an Office365 data connector.
+@try_manual
+def step__dataconnectors_get6(test, rg):
+ test.cmd('az sentinel data-connector show '
+ '--data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /DataConnectors/delete/Delete an Office365 data connector.
+@try_manual
+def step__dataconnectors_delete(test, rg):
+ test.cmd('az sentinel data-connector delete -y '
+ '--data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /IncidentComments/put/Creates an incident comment.
+@try_manual
+def step__incidentcomments_put(test, rg):
+ test.cmd('az sentinel incident-comment create '
+ '--message "Some message" '
+ '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /IncidentComments/get/Get all incident comments.
+@try_manual
+def step__incidentcomments_get(test, rg):
+ test.cmd('az sentinel incident-comment list '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /IncidentComments/get/Get an incident comment.
+@try_manual
+def step__incidentcomments_get2(test, rg):
+ test.cmd('az sentinel incident-comment show '
+ '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Incidents/put/Creates or updates an incident.
+@try_manual
+def step__incidents_put(test, rg):
+ test.cmd('az sentinel incident create '
+ '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" '
+ '--description "This is a demo incident" '
+ '--classification "FalsePositive" '
+ '--classification-comment "Not a malicious activity" '
+ '--classification-reason "IncorrectAlertLogic" '
+ '--first-activity-time-utc "2019-01-01T13:00:30Z" '
+ '--last-activity-time-utc "2019-01-01T13:05:30Z" '
+ '--owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" '
+ '--severity "High" '
+ '--status "Closed" '
+ '--title "My incident" '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Incidents/get/Get all incidents.
+@try_manual
+def step__incidents_get_get_all_incidents_(test, rg):
+ test.cmd('az sentinel incident list '
+ '--orderby "properties/createdTimeUtc desc" '
+ '--top 1 '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Incidents/get/Get an incident.
+@try_manual
+def step__incidents_get_get_an_incident_(test, rg):
+ test.cmd('az sentinel incident show '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# EXAMPLE: /Incidents/delete/Delete an incident.
+@try_manual
+def step__incidents_delete_delete_an_incident_(test, rg):
+ test.cmd('az sentinel incident delete -y '
+ '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
+ '--resource-group "{rg}" '
+ '--workspace-name "myWorkspace"',
+ checks=[])
+
+
+# Env cleanup
+@try_manual
+def cleanup(test, rg):
+ pass
+
+
+# Testcase
+@try_manual
+def call_scenario(test, rg):
+ setup(test, rg)
+ step__actions_get_get_all_actions_of_alert_rule_(test, rg)
+ step__alertrules_put(test, rg)
+ step__alertrules_put2(test, rg)
+ step__alertrules_put3(test, rg)
+ step__alertrules_put4(test, rg)
+ step__alertrules_get_get_a_fusion_alert_rule_(test, rg)
+ step__alertrules_get(test, rg)
+ step__alertrules_get_get_a_scheduled_alert_rule_(test, rg)
+ step__alertrules_get_get_all_alert_rules_(test, rg)
+ step__alertrules_get_get_an_action_of_alert_rule_(test, rg)
+ step__alertrules_delete(test, rg)
+ step__alertrules_delete_delete_an_alert_rule_(test, rg)
+ step__alertruletemplates_get(test, rg)
+ step__alertruletemplates_get2(test, rg)
+ step__bookmarks_put_creates_or_updates_a_bookmark_(test, rg)
+ step__bookmarks_get_get_a_bookmark_(test, rg)
+ step__bookmarks_get_get_all_bookmarks_(test, rg)
+ step__bookmarks_delete_delete_a_bookmark_(test, rg)
+ step__dataconnectors_put(test, rg)
+ step__dataconnectors_get_get_a_asc_data_connector_(test, rg)
+ step__dataconnectors_get(test, rg)
+ step__dataconnectors_get2(test, rg)
+ step__dataconnectors_get_get_a_ti_data_connector_(test, rg)
+ step__dataconnectors_get_get_all_data_connectors_(test, rg)
+ step__dataconnectors_get3(test, rg)
+ step__dataconnectors_get4(test, rg)
+ step__dataconnectors_get5(test, rg)
+ step__dataconnectors_get6(test, rg)
+ step__dataconnectors_delete(test, rg)
+ step__incidentcomments_put(test, rg)
+ step__incidentcomments_get(test, rg)
+ step__incidentcomments_get2(test, rg)
+ step__incidents_put(test, rg)
+ step__incidents_get_get_all_incidents_(test, rg)
+ step__incidents_get_get_an_incident_(test, rg)
+ step__incidents_delete_delete_an_incident_(test, rg)
+ cleanup(test, rg)
+
+
+@try_manual
+class SecurityInsightsScenarioTest(ScenarioTest):
+
+ @ResourceGroupPreparer(name_prefix='clitestsentinel_myRg'[:7], key='rg', parameter_name='rg')
+ def test_sentinel(self, rg):
+
+ self.kwargs.update({
+ 'subscription_id': self.get_subscription_id()
+ })
+
+ call_scenario(self, rg)
+ calc_coverage(__file__)
+ raise_if()
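Review bot: In `step__alertrules_put3` the `--scheduled-alert-rule` value opens `query="ProtectionStatus | extend HostCustomEntity` and never closes the quote before `query-frequency="PT1H"`, so the key=value pairs after it are likely to be parsed as part of the query; the KQL should end with a closing `"` before `query-frequency`. Every step in this file passes `checks=[]`, so the scenario only shows that each command exits without error. The create and delete steps for alert rules, incidents and data connectors would be stronger with at least one assertion each, for example `checks=[test.check('name', 'myFirstFusionRule')]` if the output exposes `name`. The `--trigger-uri` in `step__alertrules_put4` uses the placeholder `sig=signature`; if the test is ever re-recorded against a real Logic App, the `sig` value is a callable credential and should be scrubbed from the recording.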
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py
new file mode 100644
index 00000000000..c9cfdc73e77
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py
@@ -0,0 +1,12 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py
new file mode 100644
index 00000000000..adcb1a40f19
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py
@@ -0,0 +1,16 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from ._security_insights import SecurityInsights
+__all__ = ['SecurityInsights']
+
+try:
+ from ._patch import patch_sdk # type: ignore
+ patch_sdk()
+except ImportError:
+ pass
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py
new file mode 100644
index 00000000000..e24ce7ef4eb
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py
@@ -0,0 +1,70 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from typing import TYPE_CHECKING
+
+from azure.core.configuration import Configuration
+from azure.core.pipeline import policies
+from azure.mgmt.core.policies import ARMHttpLoggingPolicy
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any
+
+ from azure.core.credentials import TokenCredential
+
+VERSION = "unknown"
+
+class SecurityInsightsConfiguration(Configuration):
+ """Configuration for SecurityInsights.
+
+ Note that all parameters used to create this instance are saved as instance
+ attributes.
+
+ :param credential: Credential needed for the client to connect to Azure.
+ :type credential: ~azure.core.credentials.TokenCredential
+ :param subscription_id: Azure subscription ID.
+ :type subscription_id: str
+ """
+
+ def __init__(
+ self,
+ credential, # type: "TokenCredential"
+ subscription_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ if credential is None:
+ raise ValueError("Parameter 'credential' must not be None.")
+ if subscription_id is None:
+ raise ValueError("Parameter 'subscription_id' must not be None.")
+ super(SecurityInsightsConfiguration, self).__init__(**kwargs)
+
+ self.credential = credential
+ self.subscription_id = subscription_id
+ self.api_version = "2020-01-01"
+ self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default'])
+ kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION))
+ self._configure(**kwargs)
+
+ def _configure(
+ self,
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ self.user_agent_policy = kwargs.get('user_agent_policy') or policies.UserAgentPolicy(**kwargs)
+ self.headers_policy = kwargs.get('headers_policy') or policies.HeadersPolicy(**kwargs)
+ self.proxy_policy = kwargs.get('proxy_policy') or policies.ProxyPolicy(**kwargs)
+ self.logging_policy = kwargs.get('logging_policy') or policies.NetworkTraceLoggingPolicy(**kwargs)
+ self.http_logging_policy = kwargs.get('http_logging_policy') or ARMHttpLoggingPolicy(**kwargs)
+ self.retry_policy = kwargs.get('retry_policy') or policies.RetryPolicy(**kwargs)
+ self.custom_hook_policy = kwargs.get('custom_hook_policy') or policies.CustomHookPolicy(**kwargs)
+ self.redirect_policy = kwargs.get('redirect_policy') or policies.RedirectPolicy(**kwargs)
+ self.authentication_policy = kwargs.get('authentication_policy')
+ if self.credential and not self.authentication_policy:
+ self.authentication_policy = policies.BearerTokenCredentialPolicy(self.credential, *self.credential_scopes, **kwargs)
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py
new file mode 100644
index 00000000000..3f1b4e49c01
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py
@@ -0,0 +1,103 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from typing import TYPE_CHECKING
+
+from azure.mgmt.core import ARMPipelineClient
+from msrest import Deserializer, Serializer
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Optional
+
+ from azure.core.credentials import TokenCredential
+
+from ._configuration import SecurityInsightsConfiguration
+from .operations import OperationOperations
+from .operations import AlertRuleOperations
+from .operations import ActionOperations
+from .operations import AlertRuleTemplateOperations
+from .operations import BookmarkOperations
+from .operations import DataConnectorOperations
+from .operations import IncidentOperations
+from .operations import IncidentCommentOperations
+from . import models
+
+
+class SecurityInsights(object):
+ """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider.
+
+ :ivar operation: OperationOperations operations
+ :vartype operation: security_insights.operations.OperationOperations
+ :ivar alert_rule: AlertRuleOperations operations
+ :vartype alert_rule: security_insights.operations.AlertRuleOperations
+ :ivar action: ActionOperations operations
+ :vartype action: security_insights.operations.ActionOperations
+ :ivar alert_rule_template: AlertRuleTemplateOperations operations
+ :vartype alert_rule_template: security_insights.operations.AlertRuleTemplateOperations
+ :ivar bookmark: BookmarkOperations operations
+ :vartype bookmark: security_insights.operations.BookmarkOperations
+ :ivar data_connector: DataConnectorOperations operations
+ :vartype data_connector: security_insights.operations.DataConnectorOperations
+ :ivar incident: IncidentOperations operations
+ :vartype incident: security_insights.operations.IncidentOperations
+ :ivar incident_comment: IncidentCommentOperations operations
+ :vartype incident_comment: security_insights.operations.IncidentCommentOperations
+ :param credential: Credential needed for the client to connect to Azure.
+ :type credential: ~azure.core.credentials.TokenCredential
+ :param subscription_id: Azure subscription ID.
+ :type subscription_id: str
+ :param str base_url: Service URL
+ """
+
+ def __init__(
+ self,
+ credential, # type: "TokenCredential"
+ subscription_id, # type: str
+ base_url=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ if not base_url:
+ base_url = 'https://management.azure.com'
+ self._config = SecurityInsightsConfiguration(credential, subscription_id, **kwargs)
+ self._client = ARMPipelineClient(base_url=base_url, config=self._config, **kwargs)
+
+ client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)}
+ self._serialize = Serializer(client_models)
+ self._deserialize = Deserializer(client_models)
+
+ self.operation = OperationOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.alert_rule = AlertRuleOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.action = ActionOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.alert_rule_template = AlertRuleTemplateOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.bookmark = BookmarkOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.data_connector = DataConnectorOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.incident = IncidentOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.incident_comment = IncidentCommentOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+
+ def close(self):
+ # type: () -> None
+ self._client.close()
+
+ def __enter__(self):
+ # type: () -> SecurityInsights
+ self._client.__enter__()
+ return self
+
+ def __exit__(self, *exc_details):
+ # type: (Any) -> None
+ self._client.__exit__(*exc_details)
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py
new file mode 100644
index 00000000000..17980852599
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py
@@ -0,0 +1,10 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from ._security_insights import SecurityInsights
+__all__ = ['SecurityInsights']
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py
new file mode 100644
index 00000000000..160eb378d2f
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py
@@ -0,0 +1,66 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from typing import Any, TYPE_CHECKING
+
+from azure.core.configuration import Configuration
+from azure.core.pipeline import policies
+from azure.mgmt.core.policies import ARMHttpLoggingPolicy
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from azure.core.credentials_async import AsyncTokenCredential
+
+VERSION = "unknown"
+
+class SecurityInsightsConfiguration(Configuration):
+ """Configuration for SecurityInsights.
+
+ Note that all parameters used to create this instance are saved as instance
+ attributes.
+
+ :param credential: Credential needed for the client to connect to Azure.
+ :type credential: ~azure.core.credentials_async.AsyncTokenCredential
+ :param subscription_id: Azure subscription ID.
+ :type subscription_id: str
+ """
+
+ def __init__(
+ self,
+ credential: "AsyncTokenCredential",
+ subscription_id: str,
+ **kwargs: Any
+ ) -> None:
+ if credential is None:
+ raise ValueError("Parameter 'credential' must not be None.")
+ if subscription_id is None:
+ raise ValueError("Parameter 'subscription_id' must not be None.")
+ super(SecurityInsightsConfiguration, self).__init__(**kwargs)
+
+ self.credential = credential
+ self.subscription_id = subscription_id
+ self.api_version = "2020-01-01"
+ self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default'])
+ kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION))
+ self._configure(**kwargs)
+
+ def _configure(
+ self,
+ **kwargs: Any
+ ) -> None:
+ self.user_agent_policy = kwargs.get('user_agent_policy') or policies.UserAgentPolicy(**kwargs)
+ self.headers_policy = kwargs.get('headers_policy') or policies.HeadersPolicy(**kwargs)
+ self.proxy_policy = kwargs.get('proxy_policy') or policies.ProxyPolicy(**kwargs)
+ self.logging_policy = kwargs.get('logging_policy') or policies.NetworkTraceLoggingPolicy(**kwargs)
+ self.http_logging_policy = kwargs.get('http_logging_policy') or ARMHttpLoggingPolicy(**kwargs)
+ self.retry_policy = kwargs.get('retry_policy') or policies.AsyncRetryPolicy(**kwargs)
+ self.custom_hook_policy = kwargs.get('custom_hook_policy') or policies.CustomHookPolicy(**kwargs)
+ self.redirect_policy = kwargs.get('redirect_policy') or policies.AsyncRedirectPolicy(**kwargs)
+ self.authentication_policy = kwargs.get('authentication_policy')
+ if self.credential and not self.authentication_policy:
+ self.authentication_policy = policies.AsyncBearerTokenCredentialPolicy(self.credential, *self.credential_scopes, **kwargs)
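Review bot: The `credential_scopes` keyword read in `__init__` is missing from the class docstring, and its default is the public-cloud ARM audience `https://management.azure.com/.default` regardless of which endpoint the client targets. `SecurityInsights.__init__` in `aio/_security_insights.py` accepts a `base_url` override, so a caller pointing at another endpoint has to pass a matching `credential_scopes`, or the token audience and the request host diverge. Because this file is AutoRest output, I would document it rather than patch the logic: add `:keyword credential_scopes: Token scopes requested for the credential; must match the audience of base_url.` to the docstring, and have whatever constructs this client in the extension set both values together. Separately, `VERSION = "unknown"` is formatted into `sdk_moniker` as `securityinsights/unknown`, which makes the vendored SDK build hard to identify in request telemetry.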
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py
new file mode 100644
index 00000000000..7eb275a24fa
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py
@@ -0,0 +1,97 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from typing import Any, Optional, TYPE_CHECKING
+
+from azure.mgmt.core import AsyncARMPipelineClient
+from msrest import Deserializer, Serializer
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from azure.core.credentials_async import AsyncTokenCredential
+
+from ._configuration import SecurityInsightsConfiguration
+from .operations import OperationOperations
+from .operations import AlertRuleOperations
+from .operations import ActionOperations
+from .operations import AlertRuleTemplateOperations
+from .operations import BookmarkOperations
+from .operations import DataConnectorOperations
+from .operations import IncidentOperations
+from .operations import IncidentCommentOperations
+from .. import models
+
+
+class SecurityInsights(object):
+ """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider.
+
+ :ivar operation: OperationOperations operations
+ :vartype operation: security_insights.aio.operations.OperationOperations
+ :ivar alert_rule: AlertRuleOperations operations
+ :vartype alert_rule: security_insights.aio.operations.AlertRuleOperations
+ :ivar action: ActionOperations operations
+ :vartype action: security_insights.aio.operations.ActionOperations
+ :ivar alert_rule_template: AlertRuleTemplateOperations operations
+ :vartype alert_rule_template: security_insights.aio.operations.AlertRuleTemplateOperations
+ :ivar bookmark: BookmarkOperations operations
+ :vartype bookmark: security_insights.aio.operations.BookmarkOperations
+ :ivar data_connector: DataConnectorOperations operations
+ :vartype data_connector: security_insights.aio.operations.DataConnectorOperations
+ :ivar incident: IncidentOperations operations
+ :vartype incident: security_insights.aio.operations.IncidentOperations
+ :ivar incident_comment: IncidentCommentOperations operations
+ :vartype incident_comment: security_insights.aio.operations.IncidentCommentOperations
+ :param credential: Credential needed for the client to connect to Azure.
+ :type credential: ~azure.core.credentials_async.AsyncTokenCredential
+ :param subscription_id: Azure subscription ID.
+ :type subscription_id: str
+ :param str base_url: Service URL
+ """
+
+ def __init__(
+ self,
+ credential: "AsyncTokenCredential",
+ subscription_id: str,
+ base_url: Optional[str] = None,
+ **kwargs: Any
+ ) -> None:
+ if not base_url:
+ base_url = 'https://management.azure.com'
+ self._config = SecurityInsightsConfiguration(credential, subscription_id, **kwargs)
+ self._client = AsyncARMPipelineClient(base_url=base_url, config=self._config, **kwargs)
+
+ client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)}
+ self._serialize = Serializer(client_models)
+ self._deserialize = Deserializer(client_models)
+
+ self.operation = OperationOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.alert_rule = AlertRuleOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.action = ActionOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.alert_rule_template = AlertRuleTemplateOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.bookmark = BookmarkOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.data_connector = DataConnectorOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.incident = IncidentOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+ self.incident_comment = IncidentCommentOperations(
+ self._client, self._config, self._serialize, self._deserialize)
+
+ async def close(self) -> None:
+ await self._client.close()
+
+ async def __aenter__(self) -> "SecurityInsights":
+ await self._client.__aenter__()
+ return self
+
+ async def __aexit__(self, *exc_details) -> None:
+ await self._client.__aexit__(*exc_details)
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py
new file mode 100644
index 00000000000..5e67996dcd4
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py
@@ -0,0 +1,27 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from ._operation_operations import OperationOperations
+from ._alert_rule_operations import AlertRuleOperations
+from ._action_operations import ActionOperations
+from ._alert_rule_template_operations import AlertRuleTemplateOperations
+from ._bookmark_operations import BookmarkOperations
+from ._data_connector_operations import DataConnectorOperations
+from ._incident_operations import IncidentOperations
+from ._incident_comment_operations import IncidentCommentOperations
+
+__all__ = [
+ 'OperationOperations',
+ 'AlertRuleOperations',
+ 'ActionOperations',
+ 'AlertRuleTemplateOperations',
+ 'BookmarkOperations',
+ 'DataConnectorOperations',
+ 'IncidentOperations',
+ 'IncidentCommentOperations',
+]
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py
new file mode 100644
index 00000000000..378198b2cfb
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py
@@ -0,0 +1,121 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class ActionOperations:
+ """ActionOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list_by_alert_rule(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ **kwargs
+ ) -> AsyncIterable["models.ActionsList"]:
+ """Gets all actions of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either ActionsList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ActionsList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list_by_alert_rule.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('ActionsList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore
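Review bot: In `prepare_request`, the `else` branch sets `url = next_link` and issues the request through the same `self._client._pipeline` as the first page, so the continuation URL from the `ActionsList` response is requested as-is, with no comparison of its host against the client's `base_url`. The first-page path validates `subscriptionId` and `resourceGroupName` against patterns, but nothing equivalent is applied to `next_link`. Whether the authentication policy restricts where the bearer token is sent is not visible in this diff, so that should be confirmed for the azure-core version the extension depends on. As the file is generated, I would record the assumption at that line, e.g. `# next_link is taken from the service response and requested with the client's pipeline; its host is not checked against base_url`. The same `prepare_request` shape appears in `AlertRuleOperations.list` in `_alert_rule_operations.py`.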
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py
new file mode 100644
index 00000000000..89d90bb06be
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py
@@ -0,0 +1,535 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class AlertRuleOperations:
+ """AlertRuleOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ **kwargs
+ ) -> AsyncIterable["models.AlertRulesList"]:
+ """Gets all alert rules.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either AlertRulesList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRulesList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('AlertRulesList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ **kwargs
+ ) -> "models.AlertRule":
+ """Gets the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRule, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRule
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ async def create_or_update(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ alert_rule: "models.AlertRule",
+ **kwargs
+ ) -> "models.AlertRule":
+ """Creates or updates the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param alert_rule: The alert rule.
+ :type alert_rule: ~security_insights.models.AlertRule
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRule, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRule
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(alert_rule, 'AlertRule')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ async def delete(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ **kwargs
+ ) -> None:
+ """Delete the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ async def get_action(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ action_id: str,
+ **kwargs
+ ) -> "models.ActionResponse":
+ """Gets the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: ActionResponse, or the result of cls(response)
+ :rtype: ~security_insights.models.ActionResponse
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
+
+ async def create_or_update_action(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ action_id: str,
+ etag: Optional[str] = None,
+ logic_app_resource_id: Optional[str] = None,
+ trigger_uri: Optional[str] = None,
+ **kwargs
+ ) -> "models.ActionResponse":
+ """Creates or updates the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: ActionResponse, or the result of cls(response)
+ :rtype: ~security_insights.models.ActionResponse
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(action, 'ActionRequest')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
+
+ async def delete_action(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ rule_id: str,
+ action_id: str,
+ **kwargs
+ ) -> None:
+ """Delete the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py
new file mode 100644
index 00000000000..986138cb66b
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py
@@ -0,0 +1,180 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class AlertRuleTemplateOperations:
+ """AlertRuleTemplateOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ **kwargs
+ ) -> AsyncIterable["models.AlertRuleTemplatesList"]:
+ """Gets all alert rule templates.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either AlertRuleTemplatesList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRuleTemplatesList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplatesList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('AlertRuleTemplatesList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ alert_rule_template_id: str,
+ **kwargs
+ ) -> "models.AlertRuleTemplate":
+ """Gets the alert rule template.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param alert_rule_template_id: Alert rule template ID.
+ :type alert_rule_template_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRuleTemplate, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRuleTemplate
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplate"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('AlertRuleTemplate', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py
new file mode 100644
index 00000000000..6cd59a2dc8c
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py
@@ -0,0 +1,345 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+import datetime
+from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class BookmarkOperations:
+ """BookmarkOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ **kwargs
+ ) -> AsyncIterable["models.BookmarkList"]:
+ """Gets all bookmarks.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either BookmarkList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.BookmarkList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('BookmarkList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ bookmark_id: str,
+ **kwargs
+ ) -> "models.Bookmark":
+ """Gets a bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Bookmark, or the result of cls(response)
+ :rtype: ~security_insights.models.Bookmark
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
+
+ async def create_or_update(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ bookmark_id: str,
+ etag: Optional[str] = None,
+ created: Optional[datetime.datetime] = None,
+ display_name: Optional[str] = None,
+ labels: Optional[List[str]] = None,
+ notes: Optional[str] = None,
+ query: Optional[str] = None,
+ query_result: Optional[str] = None,
+ updated: Optional[datetime.datetime] = None,
+ incident_info: Optional["models.IncidentInfo"] = None,
+ object_id: Optional[str] = None,
+ **kwargs
+ ) -> "models.Bookmark":
+ """Creates or updates the bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param created: The time the bookmark was created.
+ :type created: ~datetime.datetime
+ :param display_name: The display name of the bookmark.
+ :type display_name: str
+ :param labels: List of labels relevant to this bookmark.
+ :type labels: list[str]
+ :param notes: The notes of the bookmark.
+ :type notes: str
+ :param query: The query of the bookmark.
+ :type query: str
+ :param query_result: The query result of the bookmark.
+ :type query_result: str
+ :param updated: The last time the bookmark was updated.
+ :type updated: ~datetime.datetime
+ :param incident_info: Describes an incident that relates to bookmark.
+ :type incident_info: ~security_insights.models.IncidentInfo
+ :param object_id: The object id of the user.
+ :type object_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Bookmark, or the result of cls(response)
+ :rtype: ~security_insights.models.Bookmark
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(bookmark, 'Bookmark')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
+
+ async def delete(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ bookmark_id: str,
+ **kwargs
+ ) -> None:
+ """Delete the bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py
new file mode 100644
index 00000000000..9f83b3170a9
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py
@@ -0,0 +1,315 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class DataConnectorOperations:
+ """DataConnectorOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ **kwargs
+ ) -> AsyncIterable["models.DataConnectorList"]:
+ """Gets all data connectors.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either DataConnectorList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.DataConnectorList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('DataConnectorList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ data_connector_id: str,
+ **kwargs
+ ) -> "models.DataConnector":
+ """Gets a data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: DataConnector, or the result of cls(response)
+ :rtype: ~security_insights.models.DataConnector
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
+
+ async def create_or_update(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ data_connector_id: str,
+ data_connector: "models.DataConnector",
+ **kwargs
+ ) -> "models.DataConnector":
+ """Creates or updates the data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :param data_connector: The data connector.
+ :type data_connector: ~security_insights.models.DataConnector
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: DataConnector, or the result of cls(response)
+ :rtype: ~security_insights.models.DataConnector
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(data_connector, 'DataConnector')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
+
+ async def delete(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ data_connector_id: str,
+ **kwargs
+ ) -> None:
+ """Delete the data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py
new file mode 100644
index 00000000000..cc2b8403fc1
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py
@@ -0,0 +1,287 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class IncidentCommentOperations:
+ """IncidentCommentOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list_by_incident(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ filter: Optional[str] = None,
+ orderby: Optional[str] = None,
+ top: Optional[int] = None,
+ skip_token: Optional[str] = None,
+ **kwargs
+ ) -> AsyncIterable["models.IncidentCommentList"]:
+ """Gets all incident comments.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param filter: Filters the results, based on a Boolean condition. Optional.
+ :type filter: str
+ :param orderby: Sorts the results. Optional.
+ :type orderby: str
+ :param top: Returns only the first n results. Optional.
+ :type top: int
+ :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If
+ a previous response contains a nextLink element, the value of the nextLink element will include
+ a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
+ :type skip_token: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either IncidentCommentList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentCommentList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentCommentList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list_by_incident.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+ if filter is not None:
+ query_parameters['$filter'] = self._serialize.query("filter", filter, 'str')
+ if orderby is not None:
+ query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str')
+ if top is not None:
+ query_parameters['$top'] = self._serialize.query("top", top, 'int')
+ if skip_token is not None:
+ query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('IncidentCommentList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list_by_incident.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ incident_comment_id: str,
+ **kwargs
+ ) -> "models.IncidentComment":
+ """Gets an incident comment.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param incident_comment_id: Incident comment ID.
+ :type incident_comment_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: IncidentComment, or the result of cls(response)
+ :rtype: ~security_insights.models.IncidentComment
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('IncidentComment', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore
+
+ async def create_comment(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ incident_comment_id: str,
+ message: Optional[str] = None,
+ **kwargs
+ ) -> "models.IncidentComment":
+ """Creates the incident comment.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param incident_comment_id: Incident comment ID.
+ :type incident_comment_id: str
+ :param message: The comment message.
+ :type message: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: IncidentComment, or the result of cls(response)
+ :rtype: ~security_insights.models.IncidentComment
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ incident_comment = models.IncidentComment(message=message)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_comment.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(incident_comment, 'IncidentComment')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('IncidentComment', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py
new file mode 100644
index 00000000000..8efc09e2788
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py
@@ -0,0 +1,373 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+import datetime
+from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class IncidentOperations:
+ """IncidentOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ filter: Optional[str] = None,
+ orderby: Optional[str] = None,
+ top: Optional[int] = None,
+ skip_token: Optional[str] = None,
+ **kwargs
+ ) -> AsyncIterable["models.IncidentList"]:
+ """Gets all incidents.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param filter: Filters the results, based on a Boolean condition. Optional.
+ :type filter: str
+ :param orderby: Sorts the results. Optional.
+ :type orderby: str
+ :param top: Returns only the first n results. Optional.
+ :type top: int
+ :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If
+ a previous response contains a nextLink element, the value of the nextLink element will include
+ a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
+ :type skip_token: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either IncidentList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+ if filter is not None:
+ query_parameters['$filter'] = self._serialize.query("filter", filter, 'str')
+ if orderby is not None:
+ query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str')
+ if top is not None:
+ query_parameters['$top'] = self._serialize.query("top", top, 'int')
+ if skip_token is not None:
+ query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('IncidentList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore
+
+ async def get(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ **kwargs
+ ) -> "models.Incident":
+ """Gets an incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Incident, or the result of cls(response)
+ :rtype: ~security_insights.models.Incident
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
+
+ async def create_or_update(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ etag: Optional[str] = None,
+ classification: Optional[Union[str, "models.IncidentClassification"]] = None,
+ classification_comment: Optional[str] = None,
+ classification_reason: Optional[Union[str, "models.IncidentClassificationReason"]] = None,
+ description: Optional[str] = None,
+ first_activity_time_utc: Optional[datetime.datetime] = None,
+ labels: Optional[List["models.IncidentLabel"]] = None,
+ last_activity_time_utc: Optional[datetime.datetime] = None,
+ owner: Optional["models.IncidentOwnerInfo"] = None,
+ severity: Optional[Union[str, "models.IncidentSeverity"]] = None,
+ status: Optional[Union[str, "models.IncidentStatus"]] = None,
+ title: Optional[str] = None,
+ **kwargs
+ ) -> "models.Incident":
+ """Creates or updates the incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param classification: The reason the incident was closed.
+ :type classification: str or ~security_insights.models.IncidentClassification
+ :param classification_comment: Describes the reason the incident was closed.
+ :type classification_comment: str
+ :param classification_reason: The classification reason the incident was closed with.
+ :type classification_reason: str or ~security_insights.models.IncidentClassificationReason
+ :param description: The description of the incident.
+ :type description: str
+ :param first_activity_time_utc: The time of the first activity in the incident.
+ :type first_activity_time_utc: ~datetime.datetime
+ :param labels: List of labels relevant to this incident.
+ :type labels: list[~security_insights.models.IncidentLabel]
+ :param last_activity_time_utc: The time of the last activity in the incident.
+ :type last_activity_time_utc: ~datetime.datetime
+ :param owner: Describes a user that the incident is assigned to.
+ :type owner: ~security_insights.models.IncidentOwnerInfo
+ :param severity: The severity of the incident.
+ :type severity: str or ~security_insights.models.IncidentSeverity
+ :param status: The status of the incident.
+ :type status: str or ~security_insights.models.IncidentStatus
+ :param title: The title of the incident.
+ :type title: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Incident, or the result of cls(response)
+ :rtype: ~security_insights.models.Incident
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(incident, 'Incident')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
+
+ async def delete(
+ self,
+ resource_group_name: str,
+ workspace_name: str,
+ incident_id: str,
+ **kwargs
+ ) -> None:
+ """Delete the incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py
new file mode 100644
index 00000000000..d8d19921e5c
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py
@@ -0,0 +1,104 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar
+import warnings
+
+from azure.core.async_paging import AsyncItemPaged, AsyncList
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from ... import models
+
+T = TypeVar('T')
+ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]]
+
+class OperationOperations:
+ """OperationOperations async operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer) -> None:
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ **kwargs
+ ) -> AsyncIterable["models.OperationsList"]:
+ """Lists all operations available Azure Security Insights Resource Provider.
+
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either OperationsList or the result of cls(response)
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.OperationsList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.OperationsList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ async def extract_data(pipeline_response):
+ deserialized = self._deserialize('OperationsList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, AsyncList(list_of_elem)
+
+ async def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return AsyncItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/providers/Microsoft.SecurityInsights/operations'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py
new file mode 100644
index 00000000000..d50534763d7
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py
@@ -0,0 +1,245 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+try:
+ from ._models_py3 import AADDataConnector
+ from ._models_py3 import AATPDataConnector
+ from ._models_py3 import ASCDataConnector
+ from ._models_py3 import ASCDataConnectorProperties
+ from ._models_py3 import ActionPropertiesBase
+ from ._models_py3 import ActionRequest
+ from ._models_py3 import ActionRequestProperties
+ from ._models_py3 import ActionResponse
+ from ._models_py3 import ActionResponseProperties
+ from ._models_py3 import ActionsList
+ from ._models_py3 import AlertRule
+ from ._models_py3 import AlertRuleTemplate
+ from ._models_py3 import AlertRuleTemplateDataSource
+ from ._models_py3 import AlertRuleTemplatesList
+ from ._models_py3 import AlertRulesList
+ from ._models_py3 import AlertsDataTypeOfDataConnector
+ from ._models_py3 import AwsCloudTrailDataConnector
+ from ._models_py3 import AwsCloudTrailDataConnectorDataTypesLogs
+ from ._models_py3 import Bookmark
+ from ._models_py3 import BookmarkList
+ from ._models_py3 import ClientInfo
+ from ._models_py3 import DataConnector
+ from ._models_py3 import DataConnectorDataTypeCommon
+ from ._models_py3 import DataConnectorList
+ from ._models_py3 import DataConnectorTenantId
+ from ._models_py3 import DataConnectorWithAlertsProperties
+ from ._models_py3 import ErrorAdditionalInfo
+ from ._models_py3 import ErrorResponse
+ from ._models_py3 import FusionAlertRule
+ from ._models_py3 import FusionAlertRuleTemplate
+ from ._models_py3 import Incident
+ from ._models_py3 import IncidentAdditionalData
+ from ._models_py3 import IncidentComment
+ from ._models_py3 import IncidentCommentList
+ from ._models_py3 import IncidentInfo
+ from ._models_py3 import IncidentLabel
+ from ._models_py3 import IncidentList
+ from ._models_py3 import IncidentOwnerInfo
+ from ._models_py3 import MCASDataConnector
+ from ._models_py3 import MCASDataConnectorDataTypes
+ from ._models_py3 import MDATPDataConnector
+ from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRule
+ from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties
+ from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleProperties
+ from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleTemplate
+ from ._models_py3 import OfficeConsent
+ from ._models_py3 import OfficeConsentList
+ from ._models_py3 import OfficeDataConnector
+ from ._models_py3 import OfficeDataConnectorDataTypesExchange
+ from ._models_py3 import OfficeDataConnectorDataTypesSharePoint
+ from ._models_py3 import Operation
+ from ._models_py3 import OperationDisplay
+ from ._models_py3 import OperationsList
+ from ._models_py3 import Resource
+ from ._models_py3 import ResourceWithEtag
+ from ._models_py3 import ScheduledAlertRule
+ from ._models_py3 import ScheduledAlertRuleCommonProperties
+ from ._models_py3 import ScheduledAlertRuleProperties
+ from ._models_py3 import ScheduledAlertRuleTemplate
+ from ._models_py3 import Settings
+ from ._models_py3 import TIDataConnector
+ from ._models_py3 import TIDataConnectorDataTypesIndicators
+ from ._models_py3 import ThreatIntelligence
+ from ._models_py3 import ToggleSettings
+ from ._models_py3 import UebaSettings
+except (SyntaxError, ImportError):
+ from ._models import AADDataConnector # type: ignore
+ from ._models import AATPDataConnector # type: ignore
+ from ._models import ASCDataConnector # type: ignore
+ from ._models import ASCDataConnectorProperties # type: ignore
+ from ._models import ActionPropertiesBase # type: ignore
+ from ._models import ActionRequest # type: ignore
+ from ._models import ActionRequestProperties # type: ignore
+ from ._models import ActionResponse # type: ignore
+ from ._models import ActionResponseProperties # type: ignore
+ from ._models import ActionsList # type: ignore
+ from ._models import AlertRule # type: ignore
+ from ._models import AlertRuleTemplate # type: ignore
+ from ._models import AlertRuleTemplateDataSource # type: ignore
+ from ._models import AlertRuleTemplatesList # type: ignore
+ from ._models import AlertRulesList # type: ignore
+ from ._models import AlertsDataTypeOfDataConnector # type: ignore
+ from ._models import AwsCloudTrailDataConnector # type: ignore
+ from ._models import AwsCloudTrailDataConnectorDataTypesLogs # type: ignore
+ from ._models import Bookmark # type: ignore
+ from ._models import BookmarkList # type: ignore
+ from ._models import ClientInfo # type: ignore
+ from ._models import DataConnector # type: ignore
+ from ._models import DataConnectorDataTypeCommon # type: ignore
+ from ._models import DataConnectorList # type: ignore
+ from ._models import DataConnectorTenantId # type: ignore
+ from ._models import DataConnectorWithAlertsProperties # type: ignore
+ from ._models import ErrorAdditionalInfo # type: ignore
+ from ._models import ErrorResponse # type: ignore
+ from ._models import FusionAlertRule # type: ignore
+ from ._models import FusionAlertRuleTemplate # type: ignore
+ from ._models import Incident # type: ignore
+ from ._models import IncidentAdditionalData # type: ignore
+ from ._models import IncidentComment # type: ignore
+ from ._models import IncidentCommentList # type: ignore
+ from ._models import IncidentInfo # type: ignore
+ from ._models import IncidentLabel # type: ignore
+ from ._models import IncidentList # type: ignore
+ from ._models import IncidentOwnerInfo # type: ignore
+ from ._models import MCASDataConnector # type: ignore
+ from ._models import MCASDataConnectorDataTypes # type: ignore
+ from ._models import MDATPDataConnector # type: ignore
+ from ._models import MicrosoftSecurityIncidentCreationAlertRule # type: ignore
+ from ._models import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties # type: ignore
+ from ._models import MicrosoftSecurityIncidentCreationAlertRuleProperties # type: ignore
+ from ._models import MicrosoftSecurityIncidentCreationAlertRuleTemplate # type: ignore
+ from ._models import OfficeConsent # type: ignore
+ from ._models import OfficeConsentList # type: ignore
+ from ._models import OfficeDataConnector # type: ignore
+ from ._models import OfficeDataConnectorDataTypesExchange # type: ignore
+ from ._models import OfficeDataConnectorDataTypesSharePoint # type: ignore
+ from ._models import Operation # type: ignore
+ from ._models import OperationDisplay # type: ignore
+ from ._models import OperationsList # type: ignore
+ from ._models import Resource # type: ignore
+ from ._models import ResourceWithEtag # type: ignore
+ from ._models import ScheduledAlertRule # type: ignore
+ from ._models import ScheduledAlertRuleCommonProperties # type: ignore
+ from ._models import ScheduledAlertRuleProperties # type: ignore
+ from ._models import ScheduledAlertRuleTemplate # type: ignore
+ from ._models import Settings # type: ignore
+ from ._models import TIDataConnector # type: ignore
+ from ._models import TIDataConnectorDataTypesIndicators # type: ignore
+ from ._models import ThreatIntelligence # type: ignore
+ from ._models import ToggleSettings # type: ignore
+ from ._models import UebaSettings # type: ignore
+
+from ._security_insights_enums import (
+ AlertRuleKind,
+ AlertSeverity,
+ AttackTactic,
+ CaseSeverity,
+ DataConnectorKind,
+ DataTypeState,
+ IncidentClassification,
+ IncidentClassificationReason,
+ IncidentLabelType,
+ IncidentSeverity,
+ IncidentStatus,
+ LicenseStatus,
+ MicrosoftSecurityProductName,
+ SettingKind,
+ StatusInMCAS,
+ TemplateStatus,
+ TriggerOperator,
+)
+
+__all__ = [
+ 'AADDataConnector',
+ 'AATPDataConnector',
+ 'ASCDataConnector',
+ 'ASCDataConnectorProperties',
+ 'ActionPropertiesBase',
+ 'ActionRequest',
+ 'ActionRequestProperties',
+ 'ActionResponse',
+ 'ActionResponseProperties',
+ 'ActionsList',
+ 'AlertRule',
+ 'AlertRuleTemplate',
+ 'AlertRuleTemplateDataSource',
+ 'AlertRuleTemplatesList',
+ 'AlertRulesList',
+ 'AlertsDataTypeOfDataConnector',
+ 'AwsCloudTrailDataConnector',
+ 'AwsCloudTrailDataConnectorDataTypesLogs',
+ 'Bookmark',
+ 'BookmarkList',
+ 'ClientInfo',
+ 'DataConnector',
+ 'DataConnectorDataTypeCommon',
+ 'DataConnectorList',
+ 'DataConnectorTenantId',
+ 'DataConnectorWithAlertsProperties',
+ 'ErrorAdditionalInfo',
+ 'ErrorResponse',
+ 'FusionAlertRule',
+ 'FusionAlertRuleTemplate',
+ 'Incident',
+ 'IncidentAdditionalData',
+ 'IncidentComment',
+ 'IncidentCommentList',
+ 'IncidentInfo',
+ 'IncidentLabel',
+ 'IncidentList',
+ 'IncidentOwnerInfo',
+ 'MCASDataConnector',
+ 'MCASDataConnectorDataTypes',
+ 'MDATPDataConnector',
+ 'MicrosoftSecurityIncidentCreationAlertRule',
+ 'MicrosoftSecurityIncidentCreationAlertRuleCommonProperties',
+ 'MicrosoftSecurityIncidentCreationAlertRuleProperties',
+ 'MicrosoftSecurityIncidentCreationAlertRuleTemplate',
+ 'OfficeConsent',
+ 'OfficeConsentList',
+ 'OfficeDataConnector',
+ 'OfficeDataConnectorDataTypesExchange',
+ 'OfficeDataConnectorDataTypesSharePoint',
+ 'Operation',
+ 'OperationDisplay',
+ 'OperationsList',
+ 'Resource',
+ 'ResourceWithEtag',
+ 'ScheduledAlertRule',
+ 'ScheduledAlertRuleCommonProperties',
+ 'ScheduledAlertRuleProperties',
+ 'ScheduledAlertRuleTemplate',
+ 'Settings',
+ 'TIDataConnector',
+ 'TIDataConnectorDataTypesIndicators',
+ 'ThreatIntelligence',
+ 'ToggleSettings',
+ 'UebaSettings',
+ 'AlertRuleKind',
+ 'AlertSeverity',
+ 'AttackTactic',
+ 'CaseSeverity',
+ 'DataConnectorKind',
+ 'DataTypeState',
+ 'IncidentClassification',
+ 'IncidentClassificationReason',
+ 'IncidentLabelType',
+ 'IncidentSeverity',
+ 'IncidentStatus',
+ 'LicenseStatus',
+ 'MicrosoftSecurityProductName',
+ 'SettingKind',
+ 'StatusInMCAS',
+ 'TemplateStatus',
+ 'TriggerOperator',
+]
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py
new file mode 100644
index 00000000000..53b00b59bc5
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py
@@ -0,0 +1,2922 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+import msrest.serialization
+
+
+class ResourceWithEtag(msrest.serialization.Model):
+ """An azure resource object with an Etag property.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ResourceWithEtag, self).__init__(**kwargs)
+ self.id = None
+ self.name = None
+ self.type = None
+ self.etag = kwargs.get('etag', None)
+
+
+class DataConnector(ResourceWithEtag):
+ """Data connector.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'}
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(DataConnector, self).__init__(**kwargs)
+ self.kind = 'DataConnector' # type: str
+
+
+class AADDataConnector(DataConnector):
+ """Represents AAD (Azure Active Directory) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AADDataConnector, self).__init__(**kwargs)
+ self.kind = 'AzureActiveDirectory' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state = kwargs.get('state', None)
+
+
+class AATPDataConnector(DataConnector):
+ """Represents AATP (Azure Advanced Threat Protection) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AATPDataConnector, self).__init__(**kwargs)
+ self.kind = 'AzureAdvancedThreatProtection' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state = kwargs.get('state', None)
+
+
+class ActionPropertiesBase(msrest.serialization.Model):
+ """Action property bag base.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionPropertiesBase, self).__init__(**kwargs)
+ self.logic_app_resource_id = kwargs['logic_app_resource_id']
+
+
+class ActionRequest(ResourceWithEtag):
+ """Action for alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'},
+ 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionRequest, self).__init__(**kwargs)
+ self.logic_app_resource_id = kwargs.get('logic_app_resource_id', None)
+ self.trigger_uri = kwargs.get('trigger_uri', None)
+
+
+class ActionRequestProperties(ActionPropertiesBase):
+ """Action property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ 'trigger_uri': {'key': 'triggerUri', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionRequestProperties, self).__init__(**kwargs)
+ self.trigger_uri = kwargs.get('trigger_uri', None)
+
+
+class Resource(msrest.serialization.Model):
+ """An azure resource object.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Resource, self).__init__(**kwargs)
+ self.id = None
+ self.name = None
+ self.type = None
+
+
+class ActionResponse(Resource):
+ """Action for alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the action.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param workflow_id: The name of the logic app's workflow.
+ :type workflow_id: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'},
+ 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionResponse, self).__init__(**kwargs)
+ self.etag = kwargs.get('etag', None)
+ self.logic_app_resource_id = kwargs.get('logic_app_resource_id', None)
+ self.workflow_id = kwargs.get('workflow_id', None)
+
+
+class ActionResponseProperties(ActionPropertiesBase):
+ """Action property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param workflow_id: The name of the logic app's workflow.
+ :type workflow_id: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ 'workflow_id': {'key': 'workflowId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionResponseProperties, self).__init__(**kwargs)
+ self.workflow_id = kwargs.get('workflow_id', None)
+
+
+class ActionsList(msrest.serialization.Model):
+ """List all the actions.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of actions.
+ :vartype next_link: str
+ :param value: Required. Array of actions.
+ :type value: list[~security_insights.models.ActionResponse]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[ActionResponse]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ActionsList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class AlertRule(ResourceWithEtag):
+ """Alert rule.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: FusionAlertRule, MicrosoftSecurityIncidentCreationAlertRule, ScheduledAlertRule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'Fusion': 'FusionAlertRule', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRule', 'Scheduled': 'ScheduledAlertRule'}
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRule, self).__init__(**kwargs)
+ self.kind = 'AlertRule' # type: str
+
+
+class AlertRulesList(msrest.serialization.Model):
+ """List all the alert rules.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of alert rules.
+ :vartype next_link: str
+ :param value: Required. Array of alert rules.
+ :type value: list[~security_insights.models.AlertRule]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[AlertRule]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRulesList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class AlertRuleTemplate(Resource):
+ """Alert rule template.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: FusionAlertRuleTemplate, MicrosoftSecurityIncidentCreationAlertRuleTemplate, ScheduledAlertRuleTemplate.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'Fusion': 'FusionAlertRuleTemplate', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', 'Scheduled': 'ScheduledAlertRuleTemplate'}
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'AlertRuleTemplate' # type: str
+
+
+class AlertRuleTemplateDataSource(msrest.serialization.Model):
+ """alert rule template data sources.
+
+ :param connector_id: The connector id that provides the following data types.
+ :type connector_id: str
+ :param data_types: The data types used by the alert rule template.
+ :type data_types: list[str]
+ """
+
+ _attribute_map = {
+ 'connector_id': {'key': 'connectorId', 'type': 'str'},
+ 'data_types': {'key': 'dataTypes', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRuleTemplateDataSource, self).__init__(**kwargs)
+ self.connector_id = kwargs.get('connector_id', None)
+ self.data_types = kwargs.get('data_types', None)
+
+
+class AlertRuleTemplatesList(msrest.serialization.Model):
+ """List all the alert rule templates.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of alert rule templates.
+ :vartype next_link: str
+ :param value: Required. Array of alert rule templates.
+ :type value: list[~security_insights.models.AlertRuleTemplate]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[AlertRuleTemplate]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRuleTemplatesList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class AlertsDataTypeOfDataConnector(msrest.serialization.Model):
+ """Alerts data type for data connectors.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs)
+ self.state = kwargs.get('state', None)
+
+
+class ASCDataConnector(DataConnector):
+ """Represents ASC (Azure Security Center) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param subscription_id: The subscription id to connect to, and get the data from.
+ :type subscription_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ASCDataConnector, self).__init__(**kwargs)
+ self.kind = 'AzureSecurityCenter' # type: str
+ self.subscription_id = kwargs.get('subscription_id', None)
+ self.state = kwargs.get('state', None)
+
+
+class DataConnectorWithAlertsProperties(msrest.serialization.Model):
+ """Data connector properties.
+
+ :param data_types: The available data types for the connector.
+ :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector
+ """
+
+ _attribute_map = {
+ 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(DataConnectorWithAlertsProperties, self).__init__(**kwargs)
+ self.data_types = kwargs.get('data_types', None)
+
+
+class ASCDataConnectorProperties(DataConnectorWithAlertsProperties):
+ """ASC (Azure Security Center) data connector properties.
+
+ :param data_types: The available data types for the connector.
+ :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector
+ :param subscription_id: The subscription id to connect to, and get the data from.
+ :type subscription_id: str
+ """
+
+ _attribute_map = {
+ 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'},
+ 'subscription_id': {'key': 'subscriptionId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ASCDataConnectorProperties, self).__init__(**kwargs)
+ self.subscription_id = kwargs.get('subscription_id', None)
+
+
+class AwsCloudTrailDataConnector(DataConnector):
+ """Represents Amazon Web Services CloudTrail data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access
+ the Aws account.
+ :type aws_role_arn: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'},
+ 'state': {'key': 'dataTypes.logs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AwsCloudTrailDataConnector, self).__init__(**kwargs)
+ self.kind = 'AmazonWebServicesCloudTrail' # type: str
+ self.aws_role_arn = kwargs.get('aws_role_arn', None)
+ self.state = kwargs.get('state', None)
+
+
+class DataConnectorDataTypeCommon(msrest.serialization.Model):
+ """Common field for data type in data connectors.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(DataConnectorDataTypeCommon, self).__init__(**kwargs)
+ self.state = kwargs.get('state', None)
+
+
+class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon):
+ """Logs data type.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(**kwargs)
+
+
+class Bookmark(ResourceWithEtag):
+ """Represents a bookmark in Azure Security Insights.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param created: The time the bookmark was created.
+ :type created: ~datetime.datetime
+ :param display_name: The display name of the bookmark.
+ :type display_name: str
+ :param labels: List of labels relevant to this bookmark.
+ :type labels: list[str]
+ :param notes: The notes of the bookmark.
+ :type notes: str
+ :param query: The query of the bookmark.
+ :type query: str
+ :param query_result: The query result of the bookmark.
+ :type query_result: str
+ :param updated: The last time the bookmark was updated.
+ :type updated: ~datetime.datetime
+ :param incident_info: Describes an incident that relates to bookmark.
+ :type incident_info: ~security_insights.models.IncidentInfo
+ :ivar email_updated_by_email: The email of the user.
+ :vartype email_updated_by_email: str
+ :ivar name_updated_by_name: The name of the user.
+ :vartype name_updated_by_name: str
+ :param object_id_updated_by_object_id: The object id of the user.
+ :type object_id_updated_by_object_id: str
+ :ivar email_created_by_email: The email of the user.
+ :vartype email_created_by_email: str
+ :ivar name_created_by_name: The name of the user.
+ :vartype name_created_by_name: str
+ :param object_id_created_by_object_id: The object id of the user.
+ :type object_id_created_by_object_id: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'email_updated_by_email': {'readonly': True},
+ 'name_updated_by_name': {'readonly': True},
+ 'email_created_by_email': {'readonly': True},
+ 'name_created_by_name': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'created': {'key': 'properties.created', 'type': 'iso-8601'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'labels': {'key': 'properties.labels', 'type': '[str]'},
+ 'notes': {'key': 'properties.notes', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_result': {'key': 'properties.queryResult', 'type': 'str'},
+ 'updated': {'key': 'properties.updated', 'type': 'iso-8601'},
+ 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'},
+ 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'},
+ 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'},
+ 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'},
+ 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'},
+ 'name_created_by_name': {'key': 'createdBy.name', 'type': 'str'},
+ 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Bookmark, self).__init__(**kwargs)
+ self.created = kwargs.get('created', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.labels = kwargs.get('labels', None)
+ self.notes = kwargs.get('notes', None)
+ self.query = kwargs.get('query', None)
+ self.query_result = kwargs.get('query_result', None)
+ self.updated = kwargs.get('updated', None)
+ self.incident_info = kwargs.get('incident_info', None)
+ self.email_updated_by_email = None
+ self.name_updated_by_name = None
+ self.object_id_updated_by_object_id = kwargs.get('object_id_updated_by_object_id', None)
+ self.email_created_by_email = None
+ self.name_created_by_name = None
+ self.object_id_created_by_object_id = kwargs.get('object_id_created_by_object_id', None)
+
+
+class BookmarkList(msrest.serialization.Model):
+ """List all the bookmarks.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of cases.
+ :vartype next_link: str
+ :param value: Required. Array of bookmarks.
+ :type value: list[~security_insights.models.Bookmark]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Bookmark]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(BookmarkList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class ClientInfo(msrest.serialization.Model):
+ """Information on the client (user or application) that made some action.
+
+ :param email: The email of the client.
+ :type email: str
+ :param name: The name of the client.
+ :type name: str
+ :param object_id: The object id of the client.
+ :type object_id: str
+ :param user_principal_name: The user principal name of the client.
+ :type user_principal_name: str
+ """
+
+ _attribute_map = {
+ 'email': {'key': 'email', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'object_id': {'key': 'objectId', 'type': 'str'},
+ 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ClientInfo, self).__init__(**kwargs)
+ self.email = kwargs.get('email', None)
+ self.name = kwargs.get('name', None)
+ self.object_id = kwargs.get('object_id', None)
+ self.user_principal_name = kwargs.get('user_principal_name', None)
+
+
+class DataConnectorList(msrest.serialization.Model):
+ """List all the data connectors.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of data connectors.
+ :vartype next_link: str
+ :param value: Required. Array of data connectors.
+ :type value: list[~security_insights.models.DataConnector]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[DataConnector]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(DataConnectorList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class DataConnectorTenantId(msrest.serialization.Model):
+ """Properties data connector on tenant level.
+
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ """
+
+ _attribute_map = {
+ 'tenant_id': {'key': 'tenantId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(DataConnectorTenantId, self).__init__(**kwargs)
+ self.tenant_id = kwargs.get('tenant_id', None)
+
+
+class ErrorAdditionalInfo(msrest.serialization.Model):
+ """The resource management error additional info.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar type: The additional info type.
+ :vartype type: str
+ :ivar info: The additional info.
+ :vartype info: object
+ """
+
+ _validation = {
+ 'type': {'readonly': True},
+ 'info': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'type': {'key': 'type', 'type': 'str'},
+ 'info': {'key': 'info', 'type': 'object'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ErrorAdditionalInfo, self).__init__(**kwargs)
+ self.type = None
+ self.info = None
+
+
+class ErrorResponse(msrest.serialization.Model):
+ """Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar code: The error code.
+ :vartype code: str
+ :ivar message: The error message.
+ :vartype message: str
+ :ivar target: The error target.
+ :vartype target: str
+ :ivar details: The error details.
+ :vartype details: list[~security_insights.models.ErrorResponse]
+ :ivar additional_info: The error additional info.
+ :vartype additional_info: list[~security_insights.models.ErrorAdditionalInfo]
+ """
+
+ _validation = {
+ 'code': {'readonly': True},
+ 'message': {'readonly': True},
+ 'target': {'readonly': True},
+ 'details': {'readonly': True},
+ 'additional_info': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'code': {'key': 'code', 'type': 'str'},
+ 'message': {'key': 'message', 'type': 'str'},
+ 'target': {'key': 'target', 'type': 'str'},
+ 'details': {'key': 'details', 'type': '[ErrorResponse]'},
+ 'additional_info': {'key': 'additionalInfo', 'type': '[ErrorAdditionalInfo]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ErrorResponse, self).__init__(**kwargs)
+ self.code = None
+ self.message = None
+ self.target = None
+ self.details = None
+ self.additional_info = None
+
+
+class FusionAlertRule(AlertRule):
+ """Represents Fusion alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :ivar description: The description of the alert rule.
+ :vartype description: str
+ :ivar display_name: The display name for alerts created by this alert rule.
+ :vartype display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :ivar severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :vartype severity: str or ~security_insights.models.AlertSeverity
+ :ivar tactics: The tactics of the alert rule.
+ :vartype tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'description': {'readonly': True},
+ 'display_name': {'readonly': True},
+ 'last_modified_utc': {'readonly': True},
+ 'severity': {'readonly': True},
+ 'tactics': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(FusionAlertRule, self).__init__(**kwargs)
+ self.kind = 'Fusion' # type: str
+ self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None)
+ self.description = None
+ self.display_name = None
+ self.enabled = kwargs.get('enabled', None)
+ self.last_modified_utc = None
+ self.severity = None
+ self.tactics = None
+
+
+class FusionAlertRuleTemplate(AlertRuleTemplate):
+ """Represents Fusion alert rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param tactics: The tactics of the alert rule template.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(FusionAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'Fusion' # type: str
+ self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None)
+ self.created_date_utc = None
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.required_data_connectors = kwargs.get('required_data_connectors', None)
+ self.status = kwargs.get('status', None)
+ self.severity = kwargs.get('severity', None)
+ self.tactics = kwargs.get('tactics', None)
+
+
+class Incident(ResourceWithEtag):
+ """Represents an incident in Azure Security Insights.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :ivar additional_data: Additional data on the incident.
+ :vartype additional_data: ~security_insights.models.IncidentAdditionalData
+ :param classification: The reason the incident was closed. Possible values include:
+ "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
+ :type classification: str or ~security_insights.models.IncidentClassification
+ :param classification_comment: Describes the reason the incident was closed.
+ :type classification_comment: str
+ :param classification_reason: The classification reason the incident was closed with. Possible
+ values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic",
+ "InaccurateData".
+ :type classification_reason: str or ~security_insights.models.IncidentClassificationReason
+ :ivar created_time_utc: The time the incident was created.
+ :vartype created_time_utc: ~datetime.datetime
+ :param description: The description of the incident.
+ :type description: str
+ :param first_activity_time_utc: The time of the first activity in the incident.
+ :type first_activity_time_utc: ~datetime.datetime
+ :ivar incident_url: The deep-link url to the incident in Azure portal.
+ :vartype incident_url: str
+ :ivar incident_number: A sequential number.
+ :vartype incident_number: int
+ :param labels: List of labels relevant to this incident.
+ :type labels: list[~security_insights.models.IncidentLabel]
+ :param last_activity_time_utc: The time of the last activity in the incident.
+ :type last_activity_time_utc: ~datetime.datetime
+ :ivar last_modified_time_utc: The last time the incident was updated.
+ :vartype last_modified_time_utc: ~datetime.datetime
+ :param owner: Describes a user that the incident is assigned to.
+ :type owner: ~security_insights.models.IncidentOwnerInfo
+ :ivar related_analytic_rule_ids: List of resource ids of Analytic rules related to the
+ incident.
+ :vartype related_analytic_rule_ids: list[str]
+ :param severity: The severity of the incident. Possible values include: "High", "Medium",
+ "Low", "Informational".
+ :type severity: str or ~security_insights.models.IncidentSeverity
+ :param status: The status of the incident. Possible values include: "New", "Active", "Closed".
+ :type status: str or ~security_insights.models.IncidentStatus
+ :param title: The title of the incident.
+ :type title: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'additional_data': {'readonly': True},
+ 'created_time_utc': {'readonly': True},
+ 'incident_url': {'readonly': True},
+ 'incident_number': {'readonly': True},
+ 'last_modified_time_utc': {'readonly': True},
+ 'related_analytic_rule_ids': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'},
+ 'classification': {'key': 'properties.classification', 'type': 'str'},
+ 'classification_comment': {'key': 'properties.classificationComment', 'type': 'str'},
+ 'classification_reason': {'key': 'properties.classificationReason', 'type': 'str'},
+ 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'first_activity_time_utc': {'key': 'properties.firstActivityTimeUtc', 'type': 'iso-8601'},
+ 'incident_url': {'key': 'properties.incidentUrl', 'type': 'str'},
+ 'incident_number': {'key': 'properties.incidentNumber', 'type': 'int'},
+ 'labels': {'key': 'properties.labels', 'type': '[IncidentLabel]'},
+ 'last_activity_time_utc': {'key': 'properties.lastActivityTimeUtc', 'type': 'iso-8601'},
+ 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'},
+ 'owner': {'key': 'properties.owner', 'type': 'IncidentOwnerInfo'},
+ 'related_analytic_rule_ids': {'key': 'properties.relatedAnalyticRuleIds', 'type': '[str]'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'title': {'key': 'properties.title', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Incident, self).__init__(**kwargs)
+ self.additional_data = None
+ self.classification = kwargs.get('classification', None)
+ self.classification_comment = kwargs.get('classification_comment', None)
+ self.classification_reason = kwargs.get('classification_reason', None)
+ self.created_time_utc = None
+ self.description = kwargs.get('description', None)
+ self.first_activity_time_utc = kwargs.get('first_activity_time_utc', None)
+ self.incident_url = None
+ self.incident_number = None
+ self.labels = kwargs.get('labels', None)
+ self.last_activity_time_utc = kwargs.get('last_activity_time_utc', None)
+ self.last_modified_time_utc = None
+ self.owner = kwargs.get('owner', None)
+ self.related_analytic_rule_ids = None
+ self.severity = kwargs.get('severity', None)
+ self.status = kwargs.get('status', None)
+ self.title = kwargs.get('title', None)
+
+
+class IncidentAdditionalData(msrest.serialization.Model):
+ """Incident additional data property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar alerts_count: The number of alerts in the incident.
+ :vartype alerts_count: int
+ :ivar bookmarks_count: The number of bookmarks in the incident.
+ :vartype bookmarks_count: int
+ :ivar comments_count: The number of comments in the incident.
+ :vartype comments_count: int
+ :ivar alert_product_names: List of product names of alerts in the incident.
+ :vartype alert_product_names: list[str]
+ :ivar tactics: The tactics associated with incident.
+ :vartype tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'alerts_count': {'readonly': True},
+ 'bookmarks_count': {'readonly': True},
+ 'comments_count': {'readonly': True},
+ 'alert_product_names': {'readonly': True},
+ 'tactics': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'alerts_count': {'key': 'alertsCount', 'type': 'int'},
+ 'bookmarks_count': {'key': 'bookmarksCount', 'type': 'int'},
+ 'comments_count': {'key': 'commentsCount', 'type': 'int'},
+ 'alert_product_names': {'key': 'alertProductNames', 'type': '[str]'},
+ 'tactics': {'key': 'tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentAdditionalData, self).__init__(**kwargs)
+ self.alerts_count = None
+ self.bookmarks_count = None
+ self.comments_count = None
+ self.alert_product_names = None
+ self.tactics = None
+
+
+class IncidentComment(Resource):
+ """Represents an incident comment.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :ivar created_time_utc: The time the comment was created.
+ :vartype created_time_utc: ~datetime.datetime
+ :param message: The comment message.
+ :type message: str
+ :ivar author: Describes the client that created the comment.
+ :vartype author: ~security_insights.models.ClientInfo
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'created_time_utc': {'readonly': True},
+ 'author': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'},
+ 'message': {'key': 'properties.message', 'type': 'str'},
+ 'author': {'key': 'properties.author', 'type': 'ClientInfo'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentComment, self).__init__(**kwargs)
+ self.created_time_utc = None
+ self.message = kwargs.get('message', None)
+ self.author = None
+
+
+class IncidentCommentList(msrest.serialization.Model):
+ """List of incident comments.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of comments.
+ :vartype next_link: str
+ :param value: Required. Array of comments.
+ :type value: list[~security_insights.models.IncidentComment]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[IncidentComment]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentCommentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class IncidentInfo(msrest.serialization.Model):
+ """Describes related incident information for the bookmark.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param incident_id: Required. Incident Id.
+ :type incident_id: str
+ :param severity: Required. The severity of the incident. Possible values include: "Critical",
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.CaseSeverity
+ :param title: Required. The title of the incident.
+ :type title: str
+ :param relation_name: Required. Relation Name.
+ :type relation_name: str
+ """
+
+ _validation = {
+ 'incident_id': {'required': True},
+ 'severity': {'required': True},
+ 'title': {'required': True},
+ 'relation_name': {'required': True},
+ }
+
+ _attribute_map = {
+ 'incident_id': {'key': 'incidentId', 'type': 'str'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'title': {'key': 'title', 'type': 'str'},
+ 'relation_name': {'key': 'relationName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentInfo, self).__init__(**kwargs)
+ self.incident_id = kwargs['incident_id']
+ self.severity = kwargs['severity']
+ self.title = kwargs['title']
+ self.relation_name = kwargs['relation_name']
+
+
+class IncidentLabel(msrest.serialization.Model):
+ """Represents an incident label.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param label_name: Required. The name of the label.
+ :type label_name: str
+ :ivar label_type: The type of the label. Possible values include: "User", "System".
+ :vartype label_type: str or ~security_insights.models.IncidentLabelType
+ """
+
+ _validation = {
+ 'label_name': {'required': True},
+ 'label_type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'label_name': {'key': 'labelName', 'type': 'str'},
+ 'label_type': {'key': 'labelType', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentLabel, self).__init__(**kwargs)
+ self.label_name = kwargs['label_name']
+ self.label_type = None
+
+
+class IncidentList(msrest.serialization.Model):
+ """List all the incidents.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of incidents.
+ :vartype next_link: str
+ :param value: Required. Array of incidents.
+ :type value: list[~security_insights.models.Incident]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Incident]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class IncidentOwnerInfo(msrest.serialization.Model):
+ """Information on the user an incident is assigned to.
+
+ :param email: The email of the user the incident is assigned to.
+ :type email: str
+ :param assigned_to: The name of the user the incident is assigned to.
+ :type assigned_to: str
+ :param object_id: The object id of the user the incident is assigned to.
+ :type object_id: str
+ :param user_principal_name: The user principal name of the user the incident is assigned to.
+ :type user_principal_name: str
+ """
+
+ _attribute_map = {
+ 'email': {'key': 'email', 'type': 'str'},
+ 'assigned_to': {'key': 'assignedTo', 'type': 'str'},
+ 'object_id': {'key': 'objectId', 'type': 'str'},
+ 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentOwnerInfo, self).__init__(**kwargs)
+ self.email = kwargs.get('email', None)
+ self.assigned_to = kwargs.get('assigned_to', None)
+ self.object_id = kwargs.get('object_id', None)
+ self.user_principal_name = kwargs.get('user_principal_name', None)
+
+
+class MCASDataConnector(DataConnector):
+ """Represents MCAS (Microsoft Cloud App Security) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state_data_types_alerts_state: Describe whether this data type connection is enabled or
+ not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState
+ :param state_data_types_discovery_logs_state: Describe whether this data type connection is
+ enabled or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MCASDataConnector, self).__init__(**kwargs)
+ self.kind = 'MicrosoftCloudAppSecurity' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state_data_types_alerts_state = kwargs.get('state_data_types_alerts_state', None)
+ self.state_data_types_discovery_logs_state = kwargs.get('state_data_types_discovery_logs_state', None)
+
+
+class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector):
+ """The available data types for MCAS (Microsoft Cloud App Security) data connector.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ :param state_discovery_logs_state: Describe whether this data type connection is enabled or
+ not. Possible values include: "Enabled", "Disabled".
+ :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'alerts.state', 'type': 'str'},
+ 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MCASDataConnectorDataTypes, self).__init__(**kwargs)
+ self.state_discovery_logs_state = kwargs.get('state_discovery_logs_state', None)
+
+
+class MDATPDataConnector(DataConnector):
+ """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MDATPDataConnector, self).__init__(**kwargs)
+ self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state = kwargs.get('state', None)
+
+
+class MicrosoftSecurityIncidentCreationAlertRule(AlertRule):
+ """Represents MicrosoftSecurityIncidentCreation rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: The alerts' productName on which the cases will be generated. Possible
+ values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat
+ Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'properties.productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(**kwargs)
+ self.kind = 'MicrosoftSecurityIncidentCreation' # type: str
+ self.display_names_filter = kwargs.get('display_names_filter', None)
+ self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None)
+ self.product_filter = kwargs.get('product_filter', None)
+ self.severities_filter = kwargs.get('severities_filter', None)
+ self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None)
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.enabled = kwargs.get('enabled', None)
+ self.last_modified_utc = None
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model):
+ """MicrosoftSecurityIncidentCreation rule common property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: Required. The alerts' productName on which the cases will be generated.
+ Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure
+ Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security
+ Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ """
+
+ _validation = {
+ 'product_filter': {'required': True},
+ }
+
+ _attribute_map = {
+ 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs)
+ self.display_names_filter = kwargs.get('display_names_filter', None)
+ self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None)
+ self.product_filter = kwargs['product_filter']
+ self.severities_filter = kwargs.get('severities_filter', None)
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties):
+ """MicrosoftSecurityIncidentCreation rule property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: Required. The alerts' productName on which the cases will be generated.
+ Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure
+ Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security
+ Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: Required. The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Required. Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ """
+
+ _validation = {
+ 'product_filter': {'required': True},
+ 'display_name': {'required': True},
+ 'enabled': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'},
+ 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'description', 'type': 'str'},
+ 'display_name': {'key': 'displayName', 'type': 'str'},
+ 'enabled': {'key': 'enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(**kwargs)
+ self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None)
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs['display_name']
+ self.enabled = kwargs['enabled']
+ self.last_modified_utc = None
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate):
+ """Represents MicrosoftSecurityIncidentCreation rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: The alerts' productName on which the cases will be generated. Possible
+ values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat
+ Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'properties.productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'MicrosoftSecurityIncidentCreation' # type: str
+ self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None)
+ self.created_date_utc = None
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.required_data_connectors = kwargs.get('required_data_connectors', None)
+ self.status = kwargs.get('status', None)
+ self.display_names_filter = kwargs.get('display_names_filter', None)
+ self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None)
+ self.product_filter = kwargs.get('product_filter', None)
+ self.severities_filter = kwargs.get('severities_filter', None)
+
+
+class OfficeConsent(Resource):
+ """Consent for Office365 tenant that already made.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param tenant_id: The tenantId of the Office365 with the consent.
+ :type tenant_id: str
+ :ivar tenant_name: The tenant name of the Office365 with the consent.
+ :vartype tenant_name: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'tenant_name': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OfficeConsent, self).__init__(**kwargs)
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.tenant_name = None
+
+
+class OfficeConsentList(msrest.serialization.Model):
+ """List of all the office365 consents.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of office consents.
+ :vartype next_link: str
+ :param value: Required. Array of the consents.
+ :type value: list[~security_insights.models.OfficeConsent]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[OfficeConsent]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OfficeConsentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = kwargs['value']
+
+
+class OfficeDataConnector(DataConnector):
+ """Represents office data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state_data_types_share_point_state: Describe whether this data type connection is
+ enabled or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState
+ :param state_data_types_exchange_state: Describe whether this data type connection is enabled
+ or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'},
+ 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OfficeDataConnector, self).__init__(**kwargs)
+ self.kind = 'Office365' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state_data_types_share_point_state = kwargs.get('state_data_types_share_point_state', None)
+ self.state_data_types_exchange_state = kwargs.get('state_data_types_exchange_state', None)
+
+
+class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon):
+ """Exchange data type connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OfficeDataConnectorDataTypesExchange, self).__init__(**kwargs)
+
+
+class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon):
+ """SharePoint data type connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OfficeDataConnectorDataTypesSharePoint, self).__init__(**kwargs)
+
+
+class Operation(msrest.serialization.Model):
+ """Operation provided by provider.
+
+ :param display: Properties of the operation.
+ :type display: ~security_insights.models.OperationDisplay
+ :param name: Name of the operation.
+ :type name: str
+ """
+
+ _attribute_map = {
+ 'display': {'key': 'display', 'type': 'OperationDisplay'},
+ 'name': {'key': 'name', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Operation, self).__init__(**kwargs)
+ self.display = kwargs.get('display', None)
+ self.name = kwargs.get('name', None)
+
+
+class OperationDisplay(msrest.serialization.Model):
+ """Properties of the operation.
+
+ :param description: Description of the operation.
+ :type description: str
+ :param operation: Operation name.
+ :type operation: str
+ :param provider: Provider name.
+ :type provider: str
+ :param resource: Resource name.
+ :type resource: str
+ """
+
+ _attribute_map = {
+ 'description': {'key': 'description', 'type': 'str'},
+ 'operation': {'key': 'operation', 'type': 'str'},
+ 'provider': {'key': 'provider', 'type': 'str'},
+ 'resource': {'key': 'resource', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OperationDisplay, self).__init__(**kwargs)
+ self.description = kwargs.get('description', None)
+ self.operation = kwargs.get('operation', None)
+ self.provider = kwargs.get('provider', None)
+ self.resource = kwargs.get('resource', None)
+
+
+class OperationsList(msrest.serialization.Model):
+ """Lists the operations available in the SecurityInsights RP.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param next_link: URL to fetch the next set of operations.
+ :type next_link: str
+ :param value: Required. Array of operations.
+ :type value: list[~security_insights.models.Operation]
+ """
+
+ _validation = {
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Operation]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(OperationsList, self).__init__(**kwargs)
+ self.next_link = kwargs.get('next_link', None)
+ self.value = kwargs['value']
+
+
+class ScheduledAlertRule(AlertRule):
+ """Represents scheduled alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert rule has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last
+ time this alert rule been triggered.
+ :type suppression_duration: ~datetime.timedelta
+ :param suppression_enabled: Determines whether the suppression for this alert rule is enabled
+ or disabled.
+ :type suppression_enabled: bool
+ :param tactics: The tactics of the alert rule.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'},
+ 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ScheduledAlertRule, self).__init__(**kwargs)
+ self.kind = 'Scheduled' # type: str
+ self.query = kwargs.get('query', None)
+ self.query_frequency = kwargs.get('query_frequency', None)
+ self.query_period = kwargs.get('query_period', None)
+ self.severity = kwargs.get('severity', None)
+ self.trigger_operator = kwargs.get('trigger_operator', None)
+ self.trigger_threshold = kwargs.get('trigger_threshold', None)
+ self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None)
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.enabled = kwargs.get('enabled', None)
+ self.last_modified_utc = None
+ self.suppression_duration = kwargs.get('suppression_duration', None)
+ self.suppression_enabled = kwargs.get('suppression_enabled', None)
+ self.tactics = kwargs.get('tactics', None)
+
+
+class ScheduledAlertRuleCommonProperties(msrest.serialization.Model):
+ """Schedule alert rule template property bag.
+
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ """
+
+ _attribute_map = {
+ 'query': {'key': 'query', 'type': 'str'},
+ 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs)
+ self.query = kwargs.get('query', None)
+ self.query_frequency = kwargs.get('query_frequency', None)
+ self.query_period = kwargs.get('query_period', None)
+ self.severity = kwargs.get('severity', None)
+ self.trigger_operator = kwargs.get('trigger_operator', None)
+ self.trigger_threshold = kwargs.get('trigger_threshold', None)
+
+
+class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties):
+ """Scheduled alert rule base property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: Required. The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Required. Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert rule has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait
+ since last time this alert rule been triggered.
+ :type suppression_duration: ~datetime.timedelta
+ :param suppression_enabled: Required. Determines whether the suppression for this alert rule is
+ enabled or disabled.
+ :type suppression_enabled: bool
+ :param tactics: The tactics of the alert rule.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'display_name': {'required': True},
+ 'enabled': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ 'suppression_duration': {'required': True},
+ 'suppression_enabled': {'required': True},
+ }
+
+ _attribute_map = {
+ 'query': {'key': 'query', 'type': 'str'},
+ 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'},
+ 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'description', 'type': 'str'},
+ 'display_name': {'key': 'displayName', 'type': 'str'},
+ 'enabled': {'key': 'enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'},
+ 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'},
+ 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'},
+ 'tactics': {'key': 'tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleProperties, self).__init__(**kwargs)
+ self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None)
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs['display_name']
+ self.enabled = kwargs['enabled']
+ self.last_modified_utc = None
+ self.suppression_duration = kwargs['suppression_duration']
+ self.suppression_enabled = kwargs['suppression_enabled']
+ self.tactics = kwargs.get('tactics', None)
+
+
+class ScheduledAlertRuleTemplate(AlertRuleTemplate):
+ """Represents scheduled alert rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param tactics: The tactics of the alert rule template.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'Scheduled' # type: str
+ self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None)
+ self.created_date_utc = None
+ self.description = kwargs.get('description', None)
+ self.display_name = kwargs.get('display_name', None)
+ self.required_data_connectors = kwargs.get('required_data_connectors', None)
+ self.status = kwargs.get('status', None)
+ self.query = kwargs.get('query', None)
+ self.query_frequency = kwargs.get('query_frequency', None)
+ self.query_period = kwargs.get('query_period', None)
+ self.severity = kwargs.get('severity', None)
+ self.trigger_operator = kwargs.get('trigger_operator', None)
+ self.trigger_threshold = kwargs.get('trigger_threshold', None)
+ self.tactics = kwargs.get('tactics', None)
+
+
+class Settings(ResourceWithEtag):
+ """The Settings.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: ToggleSettings, UebaSettings.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'}
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Settings, self).__init__(**kwargs)
+ self.kind = 'Settings' # type: str
+
+
+class ThreatIntelligence(msrest.serialization.Model):
+ """ThreatIntelligence property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar confidence: Confidence (must be between 0 and 1).
+ :vartype confidence: float
+ :ivar provider_name: Name of the provider from whom this Threat Intelligence information was
+ received.
+ :vartype provider_name: str
+ :ivar report_link: Report link.
+ :vartype report_link: str
+ :ivar threat_description: Threat description (free text).
+ :vartype threat_description: str
+ :ivar threat_name: Threat name (e.g. "Jedobot malware").
+ :vartype threat_name: str
+ :ivar threat_type: Threat type (e.g. "Botnet").
+ :vartype threat_type: str
+ """
+
+ _validation = {
+ 'confidence': {'readonly': True},
+ 'provider_name': {'readonly': True},
+ 'report_link': {'readonly': True},
+ 'threat_description': {'readonly': True},
+ 'threat_name': {'readonly': True},
+ 'threat_type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'confidence': {'key': 'confidence', 'type': 'float'},
+ 'provider_name': {'key': 'providerName', 'type': 'str'},
+ 'report_link': {'key': 'reportLink', 'type': 'str'},
+ 'threat_description': {'key': 'threatDescription', 'type': 'str'},
+ 'threat_name': {'key': 'threatName', 'type': 'str'},
+ 'threat_type': {'key': 'threatType', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ThreatIntelligence, self).__init__(**kwargs)
+ self.confidence = None
+ self.provider_name = None
+ self.report_link = None
+ self.threat_description = None
+ self.threat_name = None
+ self.threat_type = None
+
+
+class TIDataConnector(DataConnector):
+ """Represents threat intelligence data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(TIDataConnector, self).__init__(**kwargs)
+ self.kind = 'ThreatIntelligence' # type: str
+ self.tenant_id = kwargs.get('tenant_id', None)
+ self.state = kwargs.get('state', None)
+
+
+class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon):
+ """Data type for indicators connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(TIDataConnectorDataTypesIndicators, self).__init__(**kwargs)
+
+
+class ToggleSettings(Settings):
+ """Settings with single toggle.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ :param is_enabled: Determines whether the setting is enable or disabled.
+ :type is_enabled: bool
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ToggleSettings, self).__init__(**kwargs)
+ self.kind = 'ToggleSettings' # type: str
+ self.is_enabled = kwargs.get('is_enabled', None)
+
+
+class UebaSettings(Settings):
+ """Represents settings for User and Entity Behavior Analytics enablement.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection)
+ license. Possible values include: "Enabled", "Disabled".
+ :vartype atp_license_status: str or ~security_insights.models.LicenseStatus
+ :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this
+ workspace.
+ :type is_enabled: bool
+ :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from
+ MCAS (Microsoft Cloud App Security). Possible values include: "Enabled", "Disabled".
+ :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'atp_license_status': {'readonly': True},
+ 'status_in_mcas': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'},
+ 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'},
+ 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(UebaSettings, self).__init__(**kwargs)
+ self.kind = 'UebaSettings' # type: str
+ self.atp_license_status = None
+ self.is_enabled = kwargs.get('is_enabled', None)
+ self.status_in_mcas = None
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py
new file mode 100644
index 00000000000..25dbbd71b16
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py
@@ -0,0 +1,3184 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+import datetime
+from typing import List, Optional, Union
+
+import msrest.serialization
+
+from ._security_insights_enums import *
+
+
+class ResourceWithEtag(msrest.serialization.Model):
+ """An azure resource object with an Etag property.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ **kwargs
+ ):
+ super(ResourceWithEtag, self).__init__(**kwargs)
+ self.id = None
+ self.name = None
+ self.type = None
+ self.etag = etag
+
+
+class DataConnector(ResourceWithEtag):
+ """Data connector.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'}
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ **kwargs
+ ):
+ super(DataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'DataConnector' # type: str
+
+
+class AADDataConnector(DataConnector):
+ """Represents AAD (Azure Active Directory) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(AADDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'AzureActiveDirectory' # type: str
+ self.tenant_id = tenant_id
+ self.state = state
+
+
+class AATPDataConnector(DataConnector):
+ """Represents AATP (Azure Advanced Threat Protection) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(AATPDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'AzureAdvancedThreatProtection' # type: str
+ self.tenant_id = tenant_id
+ self.state = state
+
+
+class ActionPropertiesBase(msrest.serialization.Model):
+ """Action property bag base.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ logic_app_resource_id: str,
+ **kwargs
+ ):
+ super(ActionPropertiesBase, self).__init__(**kwargs)
+ self.logic_app_resource_id = logic_app_resource_id
+
+
+class ActionRequest(ResourceWithEtag):
+ """Action for alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'},
+ 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ logic_app_resource_id: Optional[str] = None,
+ trigger_uri: Optional[str] = None,
+ **kwargs
+ ):
+ super(ActionRequest, self).__init__(etag=etag, **kwargs)
+ self.logic_app_resource_id = logic_app_resource_id
+ self.trigger_uri = trigger_uri
+
+
+class ActionRequestProperties(ActionPropertiesBase):
+ """Action property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ 'trigger_uri': {'key': 'triggerUri', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ logic_app_resource_id: str,
+ trigger_uri: Optional[str] = None,
+ **kwargs
+ ):
+ super(ActionRequestProperties, self).__init__(logic_app_resource_id=logic_app_resource_id, **kwargs)
+ self.trigger_uri = trigger_uri
+
+
+class Resource(msrest.serialization.Model):
+ """An azure resource object.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(Resource, self).__init__(**kwargs)
+ self.id = None
+ self.name = None
+ self.type = None
+
+
+class ActionResponse(Resource):
+ """Action for alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the action.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param workflow_id: The name of the logic app's workflow.
+ :type workflow_id: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'},
+ 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ logic_app_resource_id: Optional[str] = None,
+ workflow_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(ActionResponse, self).__init__(**kwargs)
+ self.etag = etag
+ self.logic_app_resource_id = logic_app_resource_id
+ self.workflow_id = workflow_id
+
+
+class ActionResponseProperties(ActionPropertiesBase):
+ """Action property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param workflow_id: The name of the logic app's workflow.
+ :type workflow_id: str
+ """
+
+ _validation = {
+ 'logic_app_resource_id': {'required': True},
+ }
+
+ _attribute_map = {
+ 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'},
+ 'workflow_id': {'key': 'workflowId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ logic_app_resource_id: str,
+ workflow_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(ActionResponseProperties, self).__init__(logic_app_resource_id=logic_app_resource_id, **kwargs)
+ self.workflow_id = workflow_id
+
+
+class ActionsList(msrest.serialization.Model):
+ """List all the actions.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of actions.
+ :vartype next_link: str
+ :param value: Required. Array of actions.
+ :type value: list[~security_insights.models.ActionResponse]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[ActionResponse]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["ActionResponse"],
+ **kwargs
+ ):
+ super(ActionsList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class AlertRule(ResourceWithEtag):
+ """Alert rule.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: FusionAlertRule, MicrosoftSecurityIncidentCreationAlertRule, ScheduledAlertRule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'Fusion': 'FusionAlertRule', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRule', 'Scheduled': 'ScheduledAlertRule'}
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ **kwargs
+ ):
+ super(AlertRule, self).__init__(etag=etag, **kwargs)
+ self.kind = 'AlertRule' # type: str
+
+
+class AlertRulesList(msrest.serialization.Model):
+ """List all the alert rules.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of alert rules.
+ :vartype next_link: str
+ :param value: Required. Array of alert rules.
+ :type value: list[~security_insights.models.AlertRule]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[AlertRule]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["AlertRule"],
+ **kwargs
+ ):
+ super(AlertRulesList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class AlertRuleTemplate(Resource):
+ """Alert rule template.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: FusionAlertRuleTemplate, MicrosoftSecurityIncidentCreationAlertRuleTemplate, ScheduledAlertRuleTemplate.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'Fusion': 'FusionAlertRuleTemplate', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', 'Scheduled': 'ScheduledAlertRuleTemplate'}
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(AlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'AlertRuleTemplate' # type: str
+
+
+class AlertRuleTemplateDataSource(msrest.serialization.Model):
+ """alert rule template data sources.
+
+ :param connector_id: The connector id that provides the following data types.
+ :type connector_id: str
+ :param data_types: The data types used by the alert rule template.
+ :type data_types: list[str]
+ """
+
+ _attribute_map = {
+ 'connector_id': {'key': 'connectorId', 'type': 'str'},
+ 'data_types': {'key': 'dataTypes', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ connector_id: Optional[str] = None,
+ data_types: Optional[List[str]] = None,
+ **kwargs
+ ):
+ super(AlertRuleTemplateDataSource, self).__init__(**kwargs)
+ self.connector_id = connector_id
+ self.data_types = data_types
+
+
+class AlertRuleTemplatesList(msrest.serialization.Model):
+ """List all the alert rule templates.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of alert rule templates.
+ :vartype next_link: str
+ :param value: Required. Array of alert rule templates.
+ :type value: list[~security_insights.models.AlertRuleTemplate]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[AlertRuleTemplate]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["AlertRuleTemplate"],
+ **kwargs
+ ):
+ super(AlertRuleTemplatesList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class AlertsDataTypeOfDataConnector(msrest.serialization.Model):
+ """Alerts data type for data connectors.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs)
+ self.state = state
+
+
+class ASCDataConnector(DataConnector):
+ """Represents ASC (Azure Security Center) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param subscription_id: The subscription id to connect to, and get the data from.
+ :type subscription_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ subscription_id: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(ASCDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'AzureSecurityCenter' # type: str
+ self.subscription_id = subscription_id
+ self.state = state
+
+
+class DataConnectorWithAlertsProperties(msrest.serialization.Model):
+ """Data connector properties.
+
+ :param data_types: The available data types for the connector.
+ :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector
+ """
+
+ _attribute_map = {
+ 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'},
+ }
+
+ def __init__(
+ self,
+ *,
+ data_types: Optional["AlertsDataTypeOfDataConnector"] = None,
+ **kwargs
+ ):
+ super(DataConnectorWithAlertsProperties, self).__init__(**kwargs)
+ self.data_types = data_types
+
+
+class ASCDataConnectorProperties(DataConnectorWithAlertsProperties):
+ """ASC (Azure Security Center) data connector properties.
+
+ :param data_types: The available data types for the connector.
+ :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector
+ :param subscription_id: The subscription id to connect to, and get the data from.
+ :type subscription_id: str
+ """
+
+ _attribute_map = {
+ 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'},
+ 'subscription_id': {'key': 'subscriptionId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ data_types: Optional["AlertsDataTypeOfDataConnector"] = None,
+ subscription_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(ASCDataConnectorProperties, self).__init__(data_types=data_types, **kwargs)
+ self.subscription_id = subscription_id
+
+
+class AwsCloudTrailDataConnector(DataConnector):
+ """Represents Amazon Web Services CloudTrail data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access
+ the Aws account.
+ :type aws_role_arn: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'},
+ 'state': {'key': 'dataTypes.logs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ aws_role_arn: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(AwsCloudTrailDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'AmazonWebServicesCloudTrail' # type: str
+ self.aws_role_arn = aws_role_arn
+ self.state = state
+
+
+class DataConnectorDataTypeCommon(msrest.serialization.Model):
+ """Common field for data type in data connectors.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(DataConnectorDataTypeCommon, self).__init__(**kwargs)
+ self.state = state
+
+
+class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon):
+ """Logs data type.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(state=state, **kwargs)
+
+
+class Bookmark(ResourceWithEtag):
+ """Represents a bookmark in Azure Security Insights.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param created: The time the bookmark was created.
+ :type created: ~datetime.datetime
+ :param display_name: The display name of the bookmark.
+ :type display_name: str
+ :param labels: List of labels relevant to this bookmark.
+ :type labels: list[str]
+ :param notes: The notes of the bookmark.
+ :type notes: str
+ :param query: The query of the bookmark.
+ :type query: str
+ :param query_result: The query result of the bookmark.
+ :type query_result: str
+ :param updated: The last time the bookmark was updated.
+ :type updated: ~datetime.datetime
+ :param incident_info: Describes an incident that relates to bookmark.
+ :type incident_info: ~security_insights.models.IncidentInfo
+ :ivar email_updated_by_email: The email of the user.
+ :vartype email_updated_by_email: str
+ :ivar name_updated_by_name: The name of the user.
+ :vartype name_updated_by_name: str
+ :param object_id_updated_by_object_id: The object id of the user.
+ :type object_id_updated_by_object_id: str
+ :ivar email_created_by_email: The email of the user.
+ :vartype email_created_by_email: str
+ :ivar name_created_by_name: The name of the user.
+ :vartype name_created_by_name: str
+ :param object_id_created_by_object_id: The object id of the user.
+ :type object_id_created_by_object_id: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'email_updated_by_email': {'readonly': True},
+ 'name_updated_by_name': {'readonly': True},
+ 'email_created_by_email': {'readonly': True},
+ 'name_created_by_name': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'created': {'key': 'properties.created', 'type': 'iso-8601'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'labels': {'key': 'properties.labels', 'type': '[str]'},
+ 'notes': {'key': 'properties.notes', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_result': {'key': 'properties.queryResult', 'type': 'str'},
+ 'updated': {'key': 'properties.updated', 'type': 'iso-8601'},
+ 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'},
+ 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'},
+ 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'},
+ 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'},
+ 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'},
+ 'name_created_by_name': {'key': 'createdBy.name', 'type': 'str'},
+ 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ created: Optional[datetime.datetime] = None,
+ display_name: Optional[str] = None,
+ labels: Optional[List[str]] = None,
+ notes: Optional[str] = None,
+ query: Optional[str] = None,
+ query_result: Optional[str] = None,
+ updated: Optional[datetime.datetime] = None,
+ incident_info: Optional["IncidentInfo"] = None,
+ object_id_updated_by_object_id: Optional[str] = None,
+ object_id_created_by_object_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(Bookmark, self).__init__(etag=etag, **kwargs)
+ self.created = created
+ self.display_name = display_name
+ self.labels = labels
+ self.notes = notes
+ self.query = query
+ self.query_result = query_result
+ self.updated = updated
+ self.incident_info = incident_info
+ self.email_updated_by_email = None
+ self.name_updated_by_name = None
+ self.object_id_updated_by_object_id = object_id_updated_by_object_id
+ self.email_created_by_email = None
+ self.name_created_by_name = None
+ self.object_id_created_by_object_id = object_id_created_by_object_id
+
+
+class BookmarkList(msrest.serialization.Model):
+ """List all the bookmarks.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of cases.
+ :vartype next_link: str
+ :param value: Required. Array of bookmarks.
+ :type value: list[~security_insights.models.Bookmark]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Bookmark]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["Bookmark"],
+ **kwargs
+ ):
+ super(BookmarkList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class ClientInfo(msrest.serialization.Model):
+ """Information on the client (user or application) that made some action.
+
+ :param email: The email of the client.
+ :type email: str
+ :param name: The name of the client.
+ :type name: str
+ :param object_id: The object id of the client.
+ :type object_id: str
+ :param user_principal_name: The user principal name of the client.
+ :type user_principal_name: str
+ """
+
+ _attribute_map = {
+ 'email': {'key': 'email', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'object_id': {'key': 'objectId', 'type': 'str'},
+ 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ email: Optional[str] = None,
+ name: Optional[str] = None,
+ object_id: Optional[str] = None,
+ user_principal_name: Optional[str] = None,
+ **kwargs
+ ):
+ super(ClientInfo, self).__init__(**kwargs)
+ self.email = email
+ self.name = name
+ self.object_id = object_id
+ self.user_principal_name = user_principal_name
+
+
+class DataConnectorList(msrest.serialization.Model):
+ """List all the data connectors.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of data connectors.
+ :vartype next_link: str
+ :param value: Required. Array of data connectors.
+ :type value: list[~security_insights.models.DataConnector]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[DataConnector]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["DataConnector"],
+ **kwargs
+ ):
+ super(DataConnectorList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class DataConnectorTenantId(msrest.serialization.Model):
+ """Properties data connector on tenant level.
+
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ """
+
+ _attribute_map = {
+ 'tenant_id': {'key': 'tenantId', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ tenant_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(DataConnectorTenantId, self).__init__(**kwargs)
+ self.tenant_id = tenant_id
+
+
+class ErrorAdditionalInfo(msrest.serialization.Model):
+ """The resource management error additional info.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar type: The additional info type.
+ :vartype type: str
+ :ivar info: The additional info.
+ :vartype info: object
+ """
+
+ _validation = {
+ 'type': {'readonly': True},
+ 'info': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'type': {'key': 'type', 'type': 'str'},
+ 'info': {'key': 'info', 'type': 'object'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ErrorAdditionalInfo, self).__init__(**kwargs)
+ self.type = None
+ self.info = None
+
+
+class ErrorResponse(msrest.serialization.Model):
+ """Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar code: The error code.
+ :vartype code: str
+ :ivar message: The error message.
+ :vartype message: str
+ :ivar target: The error target.
+ :vartype target: str
+ :ivar details: The error details.
+ :vartype details: list[~security_insights.models.ErrorResponse]
+ :ivar additional_info: The error additional info.
+ :vartype additional_info: list[~security_insights.models.ErrorAdditionalInfo]
+ """
+
+ _validation = {
+ 'code': {'readonly': True},
+ 'message': {'readonly': True},
+ 'target': {'readonly': True},
+ 'details': {'readonly': True},
+ 'additional_info': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'code': {'key': 'code', 'type': 'str'},
+ 'message': {'key': 'message', 'type': 'str'},
+ 'target': {'key': 'target', 'type': 'str'},
+ 'details': {'key': 'details', 'type': '[ErrorResponse]'},
+ 'additional_info': {'key': 'additionalInfo', 'type': '[ErrorAdditionalInfo]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ErrorResponse, self).__init__(**kwargs)
+ self.code = None
+ self.message = None
+ self.target = None
+ self.details = None
+ self.additional_info = None
+
+
+class FusionAlertRule(AlertRule):
+ """Represents Fusion alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :ivar description: The description of the alert rule.
+ :vartype description: str
+ :ivar display_name: The display name for alerts created by this alert rule.
+ :vartype display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :ivar severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :vartype severity: str or ~security_insights.models.AlertSeverity
+ :ivar tactics: The tactics of the alert rule.
+ :vartype tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'description': {'readonly': True},
+ 'display_name': {'readonly': True},
+ 'last_modified_utc': {'readonly': True},
+ 'severity': {'readonly': True},
+ 'tactics': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ alert_rule_template_name: Optional[str] = None,
+ enabled: Optional[bool] = None,
+ **kwargs
+ ):
+ super(FusionAlertRule, self).__init__(etag=etag, **kwargs)
+ self.kind = 'Fusion' # type: str
+ self.alert_rule_template_name = alert_rule_template_name
+ self.description = None
+ self.display_name = None
+ self.enabled = enabled
+ self.last_modified_utc = None
+ self.severity = None
+ self.tactics = None
+
+
+class FusionAlertRuleTemplate(AlertRuleTemplate):
+ """Represents Fusion alert rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param tactics: The tactics of the alert rule template.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ alert_rules_created_by_template_count: Optional[int] = None,
+ description: Optional[str] = None,
+ display_name: Optional[str] = None,
+ required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None,
+ status: Optional[Union[str, "TemplateStatus"]] = None,
+ severity: Optional[Union[str, "AlertSeverity"]] = None,
+ tactics: Optional[List[Union[str, "AttackTactic"]]] = None,
+ **kwargs
+ ):
+ super(FusionAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'Fusion' # type: str
+ self.alert_rules_created_by_template_count = alert_rules_created_by_template_count
+ self.created_date_utc = None
+ self.description = description
+ self.display_name = display_name
+ self.required_data_connectors = required_data_connectors
+ self.status = status
+ self.severity = severity
+ self.tactics = tactics
+
+
+class Incident(ResourceWithEtag):
+ """Represents an incident in Azure Security Insights.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :ivar additional_data: Additional data on the incident.
+ :vartype additional_data: ~security_insights.models.IncidentAdditionalData
+ :param classification: The reason the incident was closed. Possible values include:
+ "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
+ :type classification: str or ~security_insights.models.IncidentClassification
+ :param classification_comment: Describes the reason the incident was closed.
+ :type classification_comment: str
+ :param classification_reason: The classification reason the incident was closed with. Possible
+ values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic",
+ "InaccurateData".
+ :type classification_reason: str or ~security_insights.models.IncidentClassificationReason
+ :ivar created_time_utc: The time the incident was created.
+ :vartype created_time_utc: ~datetime.datetime
+ :param description: The description of the incident.
+ :type description: str
+ :param first_activity_time_utc: The time of the first activity in the incident.
+ :type first_activity_time_utc: ~datetime.datetime
+ :ivar incident_url: The deep-link url to the incident in Azure portal.
+ :vartype incident_url: str
+ :ivar incident_number: A sequential number.
+ :vartype incident_number: int
+ :param labels: List of labels relevant to this incident.
+ :type labels: list[~security_insights.models.IncidentLabel]
+ :param last_activity_time_utc: The time of the last activity in the incident.
+ :type last_activity_time_utc: ~datetime.datetime
+ :ivar last_modified_time_utc: The last time the incident was updated.
+ :vartype last_modified_time_utc: ~datetime.datetime
+ :param owner: Describes a user that the incident is assigned to.
+ :type owner: ~security_insights.models.IncidentOwnerInfo
+ :ivar related_analytic_rule_ids: List of resource ids of Analytic rules related to the
+ incident.
+ :vartype related_analytic_rule_ids: list[str]
+ :param severity: The severity of the incident. Possible values include: "High", "Medium",
+ "Low", "Informational".
+ :type severity: str or ~security_insights.models.IncidentSeverity
+ :param status: The status of the incident. Possible values include: "New", "Active", "Closed".
+ :type status: str or ~security_insights.models.IncidentStatus
+ :param title: The title of the incident.
+ :type title: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'additional_data': {'readonly': True},
+ 'created_time_utc': {'readonly': True},
+ 'incident_url': {'readonly': True},
+ 'incident_number': {'readonly': True},
+ 'last_modified_time_utc': {'readonly': True},
+ 'related_analytic_rule_ids': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'},
+ 'classification': {'key': 'properties.classification', 'type': 'str'},
+ 'classification_comment': {'key': 'properties.classificationComment', 'type': 'str'},
+ 'classification_reason': {'key': 'properties.classificationReason', 'type': 'str'},
+ 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'first_activity_time_utc': {'key': 'properties.firstActivityTimeUtc', 'type': 'iso-8601'},
+ 'incident_url': {'key': 'properties.incidentUrl', 'type': 'str'},
+ 'incident_number': {'key': 'properties.incidentNumber', 'type': 'int'},
+ 'labels': {'key': 'properties.labels', 'type': '[IncidentLabel]'},
+ 'last_activity_time_utc': {'key': 'properties.lastActivityTimeUtc', 'type': 'iso-8601'},
+ 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'},
+ 'owner': {'key': 'properties.owner', 'type': 'IncidentOwnerInfo'},
+ 'related_analytic_rule_ids': {'key': 'properties.relatedAnalyticRuleIds', 'type': '[str]'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'title': {'key': 'properties.title', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ classification: Optional[Union[str, "IncidentClassification"]] = None,
+ classification_comment: Optional[str] = None,
+ classification_reason: Optional[Union[str, "IncidentClassificationReason"]] = None,
+ description: Optional[str] = None,
+ first_activity_time_utc: Optional[datetime.datetime] = None,
+ labels: Optional[List["IncidentLabel"]] = None,
+ last_activity_time_utc: Optional[datetime.datetime] = None,
+ owner: Optional["IncidentOwnerInfo"] = None,
+ severity: Optional[Union[str, "IncidentSeverity"]] = None,
+ status: Optional[Union[str, "IncidentStatus"]] = None,
+ title: Optional[str] = None,
+ **kwargs
+ ):
+ super(Incident, self).__init__(etag=etag, **kwargs)
+ self.additional_data = None
+ self.classification = classification
+ self.classification_comment = classification_comment
+ self.classification_reason = classification_reason
+ self.created_time_utc = None
+ self.description = description
+ self.first_activity_time_utc = first_activity_time_utc
+ self.incident_url = None
+ self.incident_number = None
+ self.labels = labels
+ self.last_activity_time_utc = last_activity_time_utc
+ self.last_modified_time_utc = None
+ self.owner = owner
+ self.related_analytic_rule_ids = None
+ self.severity = severity
+ self.status = status
+ self.title = title
+
+
+class IncidentAdditionalData(msrest.serialization.Model):
+ """Incident additional data property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar alerts_count: The number of alerts in the incident.
+ :vartype alerts_count: int
+ :ivar bookmarks_count: The number of bookmarks in the incident.
+ :vartype bookmarks_count: int
+ :ivar comments_count: The number of comments in the incident.
+ :vartype comments_count: int
+ :ivar alert_product_names: List of product names of alerts in the incident.
+ :vartype alert_product_names: list[str]
+ :ivar tactics: The tactics associated with incident.
+ :vartype tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'alerts_count': {'readonly': True},
+ 'bookmarks_count': {'readonly': True},
+ 'comments_count': {'readonly': True},
+ 'alert_product_names': {'readonly': True},
+ 'tactics': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'alerts_count': {'key': 'alertsCount', 'type': 'int'},
+ 'bookmarks_count': {'key': 'bookmarksCount', 'type': 'int'},
+ 'comments_count': {'key': 'commentsCount', 'type': 'int'},
+ 'alert_product_names': {'key': 'alertProductNames', 'type': '[str]'},
+ 'tactics': {'key': 'tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(IncidentAdditionalData, self).__init__(**kwargs)
+ self.alerts_count = None
+ self.bookmarks_count = None
+ self.comments_count = None
+ self.alert_product_names = None
+ self.tactics = None
+
+
+class IncidentComment(Resource):
+ """Represents an incident comment.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :ivar created_time_utc: The time the comment was created.
+ :vartype created_time_utc: ~datetime.datetime
+ :param message: The comment message.
+ :type message: str
+ :ivar author: Describes the client that created the comment.
+ :vartype author: ~security_insights.models.ClientInfo
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'created_time_utc': {'readonly': True},
+ 'author': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'},
+ 'message': {'key': 'properties.message', 'type': 'str'},
+ 'author': {'key': 'properties.author', 'type': 'ClientInfo'},
+ }
+
+ def __init__(
+ self,
+ *,
+ message: Optional[str] = None,
+ **kwargs
+ ):
+ super(IncidentComment, self).__init__(**kwargs)
+ self.created_time_utc = None
+ self.message = message
+ self.author = None
+
+
+class IncidentCommentList(msrest.serialization.Model):
+ """List of incident comments.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of comments.
+ :vartype next_link: str
+ :param value: Required. Array of comments.
+ :type value: list[~security_insights.models.IncidentComment]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[IncidentComment]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["IncidentComment"],
+ **kwargs
+ ):
+ super(IncidentCommentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class IncidentInfo(msrest.serialization.Model):
+ """Describes related incident information for the bookmark.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param incident_id: Required. Incident Id.
+ :type incident_id: str
+ :param severity: Required. The severity of the incident. Possible values include: "Critical",
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.CaseSeverity
+ :param title: Required. The title of the incident.
+ :type title: str
+ :param relation_name: Required. Relation Name.
+ :type relation_name: str
+ """
+
+ _validation = {
+ 'incident_id': {'required': True},
+ 'severity': {'required': True},
+ 'title': {'required': True},
+ 'relation_name': {'required': True},
+ }
+
+ _attribute_map = {
+ 'incident_id': {'key': 'incidentId', 'type': 'str'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'title': {'key': 'title', 'type': 'str'},
+ 'relation_name': {'key': 'relationName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ incident_id: str,
+ severity: Union[str, "CaseSeverity"],
+ title: str,
+ relation_name: str,
+ **kwargs
+ ):
+ super(IncidentInfo, self).__init__(**kwargs)
+ self.incident_id = incident_id
+ self.severity = severity
+ self.title = title
+ self.relation_name = relation_name
+
+
+class IncidentLabel(msrest.serialization.Model):
+ """Represents an incident label.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param label_name: Required. The name of the label.
+ :type label_name: str
+ :ivar label_type: The type of the label. Possible values include: "User", "System".
+ :vartype label_type: str or ~security_insights.models.IncidentLabelType
+ """
+
+ _validation = {
+ 'label_name': {'required': True},
+ 'label_type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'label_name': {'key': 'labelName', 'type': 'str'},
+ 'label_type': {'key': 'labelType', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ label_name: str,
+ **kwargs
+ ):
+ super(IncidentLabel, self).__init__(**kwargs)
+ self.label_name = label_name
+ self.label_type = None
+
+
+class IncidentList(msrest.serialization.Model):
+ """List all the incidents.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of incidents.
+ :vartype next_link: str
+ :param value: Required. Array of incidents.
+ :type value: list[~security_insights.models.Incident]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Incident]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["Incident"],
+ **kwargs
+ ):
+ super(IncidentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class IncidentOwnerInfo(msrest.serialization.Model):
+ """Information on the user an incident is assigned to.
+
+ :param email: The email of the user the incident is assigned to.
+ :type email: str
+ :param assigned_to: The name of the user the incident is assigned to.
+ :type assigned_to: str
+ :param object_id: The object id of the user the incident is assigned to.
+ :type object_id: str
+ :param user_principal_name: The user principal name of the user the incident is assigned to.
+ :type user_principal_name: str
+ """
+
+ _attribute_map = {
+ 'email': {'key': 'email', 'type': 'str'},
+ 'assigned_to': {'key': 'assignedTo', 'type': 'str'},
+ 'object_id': {'key': 'objectId', 'type': 'str'},
+ 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ email: Optional[str] = None,
+ assigned_to: Optional[str] = None,
+ object_id: Optional[str] = None,
+ user_principal_name: Optional[str] = None,
+ **kwargs
+ ):
+ super(IncidentOwnerInfo, self).__init__(**kwargs)
+ self.email = email
+ self.assigned_to = assigned_to
+ self.object_id = object_id
+ self.user_principal_name = user_principal_name
+
+
+class MCASDataConnector(DataConnector):
+ """Represents MCAS (Microsoft Cloud App Security) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state_data_types_alerts_state: Describe whether this data type connection is enabled or
+ not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState
+ :param state_data_types_discovery_logs_state: Describe whether this data type connection is
+ enabled or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state_data_types_alerts_state: Optional[Union[str, "DataTypeState"]] = None,
+ state_data_types_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(MCASDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'MicrosoftCloudAppSecurity' # type: str
+ self.tenant_id = tenant_id
+ self.state_data_types_alerts_state = state_data_types_alerts_state
+ self.state_data_types_discovery_logs_state = state_data_types_discovery_logs_state
+
+
+class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector):
+ """The available data types for MCAS (Microsoft Cloud App Security) data connector.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ :param state_discovery_logs_state: Describe whether this data type connection is enabled or
+ not. Possible values include: "Enabled", "Disabled".
+ :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'alerts.state', 'type': 'str'},
+ 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ state_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(MCASDataConnectorDataTypes, self).__init__(state=state, **kwargs)
+ self.state_discovery_logs_state = state_discovery_logs_state
+
+
+class MDATPDataConnector(DataConnector):
+ """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(MDATPDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str
+ self.tenant_id = tenant_id
+ self.state = state
+
+
+class MicrosoftSecurityIncidentCreationAlertRule(AlertRule):
+ """Represents MicrosoftSecurityIncidentCreation rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: The alerts' productName on which the cases will be generated. Possible
+ values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat
+ Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'properties.productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ display_names_filter: Optional[List[str]] = None,
+ display_names_exclude_filter: Optional[List[str]] = None,
+ product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None,
+ severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None,
+ alert_rule_template_name: Optional[str] = None,
+ description: Optional[str] = None,
+ display_name: Optional[str] = None,
+ enabled: Optional[bool] = None,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(etag=etag, **kwargs)
+ self.kind = 'MicrosoftSecurityIncidentCreation' # type: str
+ self.display_names_filter = display_names_filter
+ self.display_names_exclude_filter = display_names_exclude_filter
+ self.product_filter = product_filter
+ self.severities_filter = severities_filter
+ self.alert_rule_template_name = alert_rule_template_name
+ self.description = description
+ self.display_name = display_name
+ self.enabled = enabled
+ self.last_modified_utc = None
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model):
+ """MicrosoftSecurityIncidentCreation rule common property bag.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: Required. The alerts' productName on which the cases will be generated.
+ Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure
+ Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security
+ Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ """
+
+ _validation = {
+ 'product_filter': {'required': True},
+ }
+
+ _attribute_map = {
+ 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ product_filter: Union[str, "MicrosoftSecurityProductName"],
+ display_names_filter: Optional[List[str]] = None,
+ display_names_exclude_filter: Optional[List[str]] = None,
+ severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs)
+ self.display_names_filter = display_names_filter
+ self.display_names_exclude_filter = display_names_exclude_filter
+ self.product_filter = product_filter
+ self.severities_filter = severities_filter
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties):
+ """MicrosoftSecurityIncidentCreation rule property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: Required. The alerts' productName on which the cases will be generated.
+ Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure
+ Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security
+ Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: Required. The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Required. Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ """
+
+ _validation = {
+ 'product_filter': {'required': True},
+ 'display_name': {'required': True},
+ 'enabled': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'},
+ 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'description', 'type': 'str'},
+ 'display_name': {'key': 'displayName', 'type': 'str'},
+ 'enabled': {'key': 'enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'},
+ }
+
+ def __init__(
+ self,
+ *,
+ product_filter: Union[str, "MicrosoftSecurityProductName"],
+ display_name: str,
+ enabled: bool,
+ display_names_filter: Optional[List[str]] = None,
+ display_names_exclude_filter: Optional[List[str]] = None,
+ severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None,
+ alert_rule_template_name: Optional[str] = None,
+ description: Optional[str] = None,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(display_names_filter=display_names_filter, display_names_exclude_filter=display_names_exclude_filter, product_filter=product_filter, severities_filter=severities_filter, **kwargs)
+ self.alert_rule_template_name = alert_rule_template_name
+ self.description = description
+ self.display_name = display_name
+ self.enabled = enabled
+ self.last_modified_utc = None
+
+
+class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate):
+ """Represents MicrosoftSecurityIncidentCreation rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param display_names_filter: the alerts' displayNames on which the cases will be generated.
+ :type display_names_filter: list[str]
+ :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be
+ generated.
+ :type display_names_exclude_filter: list[str]
+ :param product_filter: The alerts' productName on which the cases will be generated. Possible
+ values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat
+ Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT".
+ :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName
+ :param severities_filter: the alerts' severities on which the cases will be generated.
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'},
+ 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'},
+ 'product_filter': {'key': 'properties.productFilter', 'type': 'str'},
+ 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ alert_rules_created_by_template_count: Optional[int] = None,
+ description: Optional[str] = None,
+ display_name: Optional[str] = None,
+ required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None,
+ status: Optional[Union[str, "TemplateStatus"]] = None,
+ display_names_filter: Optional[List[str]] = None,
+ display_names_exclude_filter: Optional[List[str]] = None,
+ product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None,
+ severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None,
+ **kwargs
+ ):
+ super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'MicrosoftSecurityIncidentCreation' # type: str
+ self.alert_rules_created_by_template_count = alert_rules_created_by_template_count
+ self.created_date_utc = None
+ self.description = description
+ self.display_name = display_name
+ self.required_data_connectors = required_data_connectors
+ self.status = status
+ self.display_names_filter = display_names_filter
+ self.display_names_exclude_filter = display_names_exclude_filter
+ self.product_filter = product_filter
+ self.severities_filter = severities_filter
+
+
+class OfficeConsent(Resource):
+ """Consent for Office365 tenant that already made.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param tenant_id: The tenantId of the Office365 with the consent.
+ :type tenant_id: str
+ :ivar tenant_name: The tenant name of the Office365 with the consent.
+ :vartype tenant_name: str
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'tenant_name': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ tenant_id: Optional[str] = None,
+ **kwargs
+ ):
+ super(OfficeConsent, self).__init__(**kwargs)
+ self.tenant_id = tenant_id
+ self.tenant_name = None
+
+
+class OfficeConsentList(msrest.serialization.Model):
+ """List of all the office365 consents.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar next_link: URL to fetch the next set of office consents.
+ :vartype next_link: str
+ :param value: Required. Array of the consents.
+ :type value: list[~security_insights.models.OfficeConsent]
+ """
+
+ _validation = {
+ 'next_link': {'readonly': True},
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[OfficeConsent]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["OfficeConsent"],
+ **kwargs
+ ):
+ super(OfficeConsentList, self).__init__(**kwargs)
+ self.next_link = None
+ self.value = value
+
+
+class OfficeDataConnector(DataConnector):
+ """Represents office data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state_data_types_share_point_state: Describe whether this data type connection is
+ enabled or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState
+ :param state_data_types_exchange_state: Describe whether this data type connection is enabled
+ or not. Possible values include: "Enabled", "Disabled".
+ :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'},
+ 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state_data_types_share_point_state: Optional[Union[str, "DataTypeState"]] = None,
+ state_data_types_exchange_state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(OfficeDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'Office365' # type: str
+ self.tenant_id = tenant_id
+ self.state_data_types_share_point_state = state_data_types_share_point_state
+ self.state_data_types_exchange_state = state_data_types_exchange_state
+
+
+class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon):
+ """Exchange data type connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(OfficeDataConnectorDataTypesExchange, self).__init__(state=state, **kwargs)
+
+
+class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon):
+ """SharePoint data type connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(OfficeDataConnectorDataTypesSharePoint, self).__init__(state=state, **kwargs)
+
+
+class Operation(msrest.serialization.Model):
+ """Operation provided by provider.
+
+ :param display: Properties of the operation.
+ :type display: ~security_insights.models.OperationDisplay
+ :param name: Name of the operation.
+ :type name: str
+ """
+
+ _attribute_map = {
+ 'display': {'key': 'display', 'type': 'OperationDisplay'},
+ 'name': {'key': 'name', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ display: Optional["OperationDisplay"] = None,
+ name: Optional[str] = None,
+ **kwargs
+ ):
+ super(Operation, self).__init__(**kwargs)
+ self.display = display
+ self.name = name
+
+
+class OperationDisplay(msrest.serialization.Model):
+ """Properties of the operation.
+
+ :param description: Description of the operation.
+ :type description: str
+ :param operation: Operation name.
+ :type operation: str
+ :param provider: Provider name.
+ :type provider: str
+ :param resource: Resource name.
+ :type resource: str
+ """
+
+ _attribute_map = {
+ 'description': {'key': 'description', 'type': 'str'},
+ 'operation': {'key': 'operation', 'type': 'str'},
+ 'provider': {'key': 'provider', 'type': 'str'},
+ 'resource': {'key': 'resource', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ description: Optional[str] = None,
+ operation: Optional[str] = None,
+ provider: Optional[str] = None,
+ resource: Optional[str] = None,
+ **kwargs
+ ):
+ super(OperationDisplay, self).__init__(**kwargs)
+ self.description = description
+ self.operation = operation
+ self.provider = provider
+ self.resource = resource
+
+
+class OperationsList(msrest.serialization.Model):
+ """Lists the operations available in the SecurityInsights RP.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param next_link: URL to fetch the next set of operations.
+ :type next_link: str
+ :param value: Required. Array of operations.
+ :type value: list[~security_insights.models.Operation]
+ """
+
+ _validation = {
+ 'value': {'required': True},
+ }
+
+ _attribute_map = {
+ 'next_link': {'key': 'nextLink', 'type': 'str'},
+ 'value': {'key': 'value', 'type': '[Operation]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ value: List["Operation"],
+ next_link: Optional[str] = None,
+ **kwargs
+ ):
+ super(OperationsList, self).__init__(**kwargs)
+ self.next_link = next_link
+ self.value = value
+
+
+class ScheduledAlertRule(AlertRule):
+ """Represents scheduled alert rule.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert rule has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last
+ time this alert rule been triggered.
+ :type suppression_duration: ~datetime.timedelta
+ :param suppression_enabled: Determines whether the suppression for this alert rule is enabled
+ or disabled.
+ :type suppression_enabled: bool
+ :param tactics: The tactics of the alert rule.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'},
+ 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'enabled': {'key': 'properties.enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'},
+ 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'},
+ 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ query: Optional[str] = None,
+ query_frequency: Optional[datetime.timedelta] = None,
+ query_period: Optional[datetime.timedelta] = None,
+ severity: Optional[Union[str, "AlertSeverity"]] = None,
+ trigger_operator: Optional[Union[str, "TriggerOperator"]] = None,
+ trigger_threshold: Optional[int] = None,
+ alert_rule_template_name: Optional[str] = None,
+ description: Optional[str] = None,
+ display_name: Optional[str] = None,
+ enabled: Optional[bool] = None,
+ suppression_duration: Optional[datetime.timedelta] = None,
+ suppression_enabled: Optional[bool] = None,
+ tactics: Optional[List[Union[str, "AttackTactic"]]] = None,
+ **kwargs
+ ):
+ super(ScheduledAlertRule, self).__init__(etag=etag, **kwargs)
+ self.kind = 'Scheduled' # type: str
+ self.query = query
+ self.query_frequency = query_frequency
+ self.query_period = query_period
+ self.severity = severity
+ self.trigger_operator = trigger_operator
+ self.trigger_threshold = trigger_threshold
+ self.alert_rule_template_name = alert_rule_template_name
+ self.description = description
+ self.display_name = display_name
+ self.enabled = enabled
+ self.last_modified_utc = None
+ self.suppression_duration = suppression_duration
+ self.suppression_enabled = suppression_enabled
+ self.tactics = tactics
+
+
+class ScheduledAlertRuleCommonProperties(msrest.serialization.Model):
+ """Schedule alert rule template property bag.
+
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ """
+
+ _attribute_map = {
+ 'query': {'key': 'query', 'type': 'str'},
+ 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'},
+ }
+
+ def __init__(
+ self,
+ *,
+ query: Optional[str] = None,
+ query_frequency: Optional[datetime.timedelta] = None,
+ query_period: Optional[datetime.timedelta] = None,
+ severity: Optional[Union[str, "AlertSeverity"]] = None,
+ trigger_operator: Optional[Union[str, "TriggerOperator"]] = None,
+ trigger_threshold: Optional[int] = None,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs)
+ self.query = query
+ self.query_frequency = query_frequency
+ self.query_period = query_period
+ self.severity = severity
+ self.trigger_operator = trigger_operator
+ self.trigger_threshold = trigger_threshold
+
+
+class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties):
+ """Scheduled alert rule base property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param alert_rule_template_name: The Name of the alert rule template used to create this rule.
+ :type alert_rule_template_name: str
+ :param description: The description of the alert rule.
+ :type description: str
+ :param display_name: Required. The display name for alerts created by this alert rule.
+ :type display_name: str
+ :param enabled: Required. Determines whether this alert rule is enabled or disabled.
+ :type enabled: bool
+ :ivar last_modified_utc: The last time that this alert rule has been modified.
+ :vartype last_modified_utc: ~datetime.datetime
+ :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait
+ since last time this alert rule been triggered.
+ :type suppression_duration: ~datetime.timedelta
+ :param suppression_enabled: Required. Determines whether the suppression for this alert rule is
+ enabled or disabled.
+ :type suppression_enabled: bool
+ :param tactics: The tactics of the alert rule.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'display_name': {'required': True},
+ 'enabled': {'required': True},
+ 'last_modified_utc': {'readonly': True},
+ 'suppression_duration': {'required': True},
+ 'suppression_enabled': {'required': True},
+ }
+
+ _attribute_map = {
+ 'query': {'key': 'query', 'type': 'str'},
+ 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'},
+ 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'},
+ 'description': {'key': 'description', 'type': 'str'},
+ 'display_name': {'key': 'displayName', 'type': 'str'},
+ 'enabled': {'key': 'enabled', 'type': 'bool'},
+ 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'},
+ 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'},
+ 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'},
+ 'tactics': {'key': 'tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ display_name: str,
+ enabled: bool,
+ suppression_duration: datetime.timedelta,
+ suppression_enabled: bool,
+ query: Optional[str] = None,
+ query_frequency: Optional[datetime.timedelta] = None,
+ query_period: Optional[datetime.timedelta] = None,
+ severity: Optional[Union[str, "AlertSeverity"]] = None,
+ trigger_operator: Optional[Union[str, "TriggerOperator"]] = None,
+ trigger_threshold: Optional[int] = None,
+ alert_rule_template_name: Optional[str] = None,
+ description: Optional[str] = None,
+ tactics: Optional[List[Union[str, "AttackTactic"]]] = None,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleProperties, self).__init__(query=query, query_frequency=query_frequency, query_period=query_period, severity=severity, trigger_operator=trigger_operator, trigger_threshold=trigger_threshold, **kwargs)
+ self.alert_rule_template_name = alert_rule_template_name
+ self.description = description
+ self.display_name = display_name
+ self.enabled = enabled
+ self.last_modified_utc = None
+ self.suppression_duration = suppression_duration
+ self.suppression_enabled = suppression_enabled
+ self.tactics = tactics
+
+
+class ScheduledAlertRuleTemplate(AlertRuleTemplate):
+ """Represents scheduled alert rule template.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
+ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
+ :type kind: str or ~security_insights.models.AlertRuleKind
+ :param alert_rules_created_by_template_count: the number of alert rules that were created by
+ this template.
+ :type alert_rules_created_by_template_count: int
+ :ivar created_date_utc: The time that this alert rule template has been added.
+ :vartype created_date_utc: ~datetime.datetime
+ :param description: The description of the alert rule template.
+ :type description: str
+ :param display_name: The display name for alert rule template.
+ :type display_name: str
+ :param required_data_connectors: The required data connectors for this template.
+ :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource]
+ :param status: The alert rule template status. Possible values include: "Installed",
+ "Available", "NotAvailable".
+ :type status: str or ~security_insights.models.TemplateStatus
+ :param query: The query that creates alerts for this rule.
+ :type query: str
+ :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run.
+ :type query_frequency: ~datetime.timedelta
+ :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at.
+ :type query_period: ~datetime.timedelta
+ :param severity: The severity for alerts created by this alert rule. Possible values include:
+ "High", "Medium", "Low", "Informational".
+ :type severity: str or ~security_insights.models.AlertSeverity
+ :param trigger_operator: The operation against the threshold that triggers alert rule. Possible
+ values include: "GreaterThan", "LessThan", "Equal", "NotEqual".
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator
+ :param trigger_threshold: The threshold triggers this alert rule.
+ :type trigger_threshold: int
+ :param tactics: The tactics of the alert rule template.
+ :type tactics: list[str or ~security_insights.models.AttackTactic]
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'created_date_utc': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
+ 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
+ 'description': {'key': 'properties.description', 'type': 'str'},
+ 'display_name': {'key': 'properties.displayName', 'type': 'str'},
+ 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'},
+ 'status': {'key': 'properties.status', 'type': 'str'},
+ 'query': {'key': 'properties.query', 'type': 'str'},
+ 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'},
+ 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'},
+ 'severity': {'key': 'properties.severity', 'type': 'str'},
+ 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'},
+ 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'},
+ 'tactics': {'key': 'properties.tactics', 'type': '[str]'},
+ }
+
+ def __init__(
+ self,
+ *,
+ alert_rules_created_by_template_count: Optional[int] = None,
+ description: Optional[str] = None,
+ display_name: Optional[str] = None,
+ required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None,
+ status: Optional[Union[str, "TemplateStatus"]] = None,
+ query: Optional[str] = None,
+ query_frequency: Optional[datetime.timedelta] = None,
+ query_period: Optional[datetime.timedelta] = None,
+ severity: Optional[Union[str, "AlertSeverity"]] = None,
+ trigger_operator: Optional[Union[str, "TriggerOperator"]] = None,
+ trigger_threshold: Optional[int] = None,
+ tactics: Optional[List[Union[str, "AttackTactic"]]] = None,
+ **kwargs
+ ):
+ super(ScheduledAlertRuleTemplate, self).__init__(**kwargs)
+ self.kind = 'Scheduled' # type: str
+ self.alert_rules_created_by_template_count = alert_rules_created_by_template_count
+ self.created_date_utc = None
+ self.description = description
+ self.display_name = display_name
+ self.required_data_connectors = required_data_connectors
+ self.status = status
+ self.query = query
+ self.query_frequency = query_frequency
+ self.query_period = query_period
+ self.severity = severity
+ self.trigger_operator = trigger_operator
+ self.trigger_threshold = trigger_threshold
+ self.tactics = tactics
+
+
+class Settings(ResourceWithEtag):
+ """The Settings.
+
+ You probably want to use the sub-classes and not this class directly. Known
+ sub-classes are: ToggleSettings, UebaSettings.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ }
+
+ _subtype_map = {
+ 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'}
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ **kwargs
+ ):
+ super(Settings, self).__init__(etag=etag, **kwargs)
+ self.kind = 'Settings' # type: str
+
+
+class ThreatIntelligence(msrest.serialization.Model):
+ """ThreatIntelligence property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar confidence: Confidence (must be between 0 and 1).
+ :vartype confidence: float
+ :ivar provider_name: Name of the provider from whom this Threat Intelligence information was
+ received.
+ :vartype provider_name: str
+ :ivar report_link: Report link.
+ :vartype report_link: str
+ :ivar threat_description: Threat description (free text).
+ :vartype threat_description: str
+ :ivar threat_name: Threat name (e.g. "Jedobot malware").
+ :vartype threat_name: str
+ :ivar threat_type: Threat type (e.g. "Botnet").
+ :vartype threat_type: str
+ """
+
+ _validation = {
+ 'confidence': {'readonly': True},
+ 'provider_name': {'readonly': True},
+ 'report_link': {'readonly': True},
+ 'threat_description': {'readonly': True},
+ 'threat_name': {'readonly': True},
+ 'threat_type': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'confidence': {'key': 'confidence', 'type': 'float'},
+ 'provider_name': {'key': 'providerName', 'type': 'str'},
+ 'report_link': {'key': 'reportLink', 'type': 'str'},
+ 'threat_description': {'key': 'threatDescription', 'type': 'str'},
+ 'threat_name': {'key': 'threatName', 'type': 'str'},
+ 'threat_type': {'key': 'threatType', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(ThreatIntelligence, self).__init__(**kwargs)
+ self.confidence = None
+ self.provider_name = None
+ self.report_link = None
+ self.threat_description = None
+ self.threat_name = None
+ self.threat_type = None
+
+
+class TIDataConnector(DataConnector):
+ """Represents threat intelligence data connector.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection".
+ :type kind: str or ~security_insights.models.DataConnectorKind
+ :param tenant_id: The tenant id to connect to, and get the data from.
+ :type tenant_id: str
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'},
+ 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ tenant_id: Optional[str] = None,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(TIDataConnector, self).__init__(etag=etag, **kwargs)
+ self.kind = 'ThreatIntelligence' # type: str
+ self.tenant_id = tenant_id
+ self.state = state
+
+
+class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon):
+ """Data type for indicators connection.
+
+ :param state: Describe whether this data type connection is enabled or not. Possible values
+ include: "Enabled", "Disabled".
+ :type state: str or ~security_insights.models.DataTypeState
+ """
+
+ _attribute_map = {
+ 'state': {'key': 'state', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ state: Optional[Union[str, "DataTypeState"]] = None,
+ **kwargs
+ ):
+ super(TIDataConnectorDataTypesIndicators, self).__init__(state=state, **kwargs)
+
+
+class ToggleSettings(Settings):
+ """Settings with single toggle.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ :param is_enabled: Determines whether the setting is enable or disabled.
+ :type is_enabled: bool
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ is_enabled: Optional[bool] = None,
+ **kwargs
+ ):
+ super(ToggleSettings, self).__init__(etag=etag, **kwargs)
+ self.kind = 'ToggleSettings' # type: str
+ self.is_enabled = is_enabled
+
+
+class UebaSettings(Settings):
+ """Represents settings for User and Entity Behavior Analytics enablement.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ All required parameters must be populated in order to send to Azure.
+
+ :ivar id: Azure resource Id.
+ :vartype id: str
+ :ivar name: Azure resource name.
+ :vartype name: str
+ :ivar type: Azure resource type.
+ :vartype type: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param kind: Required. The data connector kind.Constant filled by server. Possible values
+ include: "UebaSettings", "ToggleSettings".
+ :type kind: str or ~security_insights.models.SettingKind
+ :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection)
+ license. Possible values include: "Enabled", "Disabled".
+ :vartype atp_license_status: str or ~security_insights.models.LicenseStatus
+ :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this
+ workspace.
+ :type is_enabled: bool
+ :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from
+ MCAS (Microsoft Cloud App Security). Possible values include: "Enabled", "Disabled".
+ :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS
+ """
+
+ _validation = {
+ 'id': {'readonly': True},
+ 'name': {'readonly': True},
+ 'type': {'readonly': True},
+ 'kind': {'required': True},
+ 'atp_license_status': {'readonly': True},
+ 'status_in_mcas': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'id': {'key': 'id', 'type': 'str'},
+ 'name': {'key': 'name', 'type': 'str'},
+ 'type': {'key': 'type', 'type': 'str'},
+ 'etag': {'key': 'etag', 'type': 'str'},
+ 'kind': {'key': 'kind', 'type': 'str'},
+ 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'},
+ 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'},
+ 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ *,
+ etag: Optional[str] = None,
+ is_enabled: Optional[bool] = None,
+ **kwargs
+ ):
+ super(UebaSettings, self).__init__(etag=etag, **kwargs)
+ self.kind = 'UebaSettings' # type: str
+ self.atp_license_status = None
+ self.is_enabled = is_enabled
+ self.status_in_mcas = None
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py
new file mode 100644
index 00000000000..ff1e2d1db57
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py
@@ -0,0 +1,182 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from enum import Enum, EnumMeta
+from six import with_metaclass
+
+class _CaseInsensitiveEnumMeta(EnumMeta):
+ def __getitem__(self, name):
+ return super().__getitem__(name.upper())
+
+ def __getattr__(cls, name):
+ """Return the enum member matching `name`
+ We use __getattr__ instead of descriptors or inserting into the enum
+ class' __dict__ in order to support `name` and `value` being both
+ properties for enum members (which live in the class' __dict__) and
+ enum members themselves.
+ """
+ try:
+ return cls._member_map_[name.upper()]
+ except KeyError:
+ raise AttributeError(name)
+
+
+class AlertRuleKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The kind of the alert rule
+ """
+
+ SCHEDULED = "Scheduled"
+ MICROSOFT_SECURITY_INCIDENT_CREATION = "MicrosoftSecurityIncidentCreation"
+ FUSION = "Fusion"
+
+class AlertSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The severity of the alert
+ """
+
+ HIGH = "High" #: High severity.
+ MEDIUM = "Medium" #: Medium severity.
+ LOW = "Low" #: Low severity.
+ INFORMATIONAL = "Informational" #: Informational severity.
+
+class AttackTactic(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The severity for alerts created by this alert rule.
+ """
+
+ INITIAL_ACCESS = "InitialAccess"
+ EXECUTION = "Execution"
+ PERSISTENCE = "Persistence"
+ PRIVILEGE_ESCALATION = "PrivilegeEscalation"
+ DEFENSE_EVASION = "DefenseEvasion"
+ CREDENTIAL_ACCESS = "CredentialAccess"
+ DISCOVERY = "Discovery"
+ LATERAL_MOVEMENT = "LateralMovement"
+ COLLECTION = "Collection"
+ EXFILTRATION = "Exfiltration"
+ COMMAND_AND_CONTROL = "CommandAndControl"
+ IMPACT = "Impact"
+
+class CaseSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The severity of the incident
+ """
+
+ CRITICAL = "Critical" #: Critical severity.
+ HIGH = "High" #: High severity.
+ MEDIUM = "Medium" #: Medium severity.
+ LOW = "Low" #: Low severity.
+ INFORMATIONAL = "Informational" #: Informational severity.
+
+class DataConnectorKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The kind of the data connector
+ """
+
+ AZURE_ACTIVE_DIRECTORY = "AzureActiveDirectory"
+ AZURE_SECURITY_CENTER = "AzureSecurityCenter"
+ MICROSOFT_CLOUD_APP_SECURITY = "MicrosoftCloudAppSecurity"
+ THREAT_INTELLIGENCE = "ThreatIntelligence"
+ OFFICE365 = "Office365"
+ AMAZON_WEB_SERVICES_CLOUD_TRAIL = "AmazonWebServicesCloudTrail"
+ AZURE_ADVANCED_THREAT_PROTECTION = "AzureAdvancedThreatProtection"
+ MICROSOFT_DEFENDER_ADVANCED_THREAT_PROTECTION = "MicrosoftDefenderAdvancedThreatProtection"
+
+class DataTypeState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """Describe whether this data type connection is enabled or not.
+ """
+
+ ENABLED = "Enabled"
+ DISABLED = "Disabled"
+
+class IncidentClassification(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The reason the incident was closed
+ """
+
+ UNDETERMINED = "Undetermined" #: Incident classification was undetermined.
+ TRUE_POSITIVE = "TruePositive" #: Incident was true positive.
+ BENIGN_POSITIVE = "BenignPositive" #: Incident was benign positive.
+ FALSE_POSITIVE = "FalsePositive" #: Incident was false positive.
+
+class IncidentClassificationReason(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The classification reason the incident was closed with
+ """
+
+ SUSPICIOUS_ACTIVITY = "SuspiciousActivity" #: Classification reason was suspicious activity.
+ SUSPICIOUS_BUT_EXPECTED = "SuspiciousButExpected" #: Classification reason was suspicious but expected.
+ INCORRECT_ALERT_LOGIC = "IncorrectAlertLogic" #: Classification reason was incorrect alert logic.
+ INACCURATE_DATA = "InaccurateData" #: Classification reason was inaccurate data.
+
+class IncidentLabelType(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The type of the label
+ """
+
+ USER = "User" #: Label manually created by a user.
+ SYSTEM = "System" #: Label automatically created by the system.
+
+class IncidentSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The severity of the incident
+ """
+
+ HIGH = "High" #: High severity.
+ MEDIUM = "Medium" #: Medium severity.
+ LOW = "Low" #: Low severity.
+ INFORMATIONAL = "Informational" #: Informational severity.
+
+class IncidentStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The status of the incident
+ """
+
+ NEW = "New" #: An active incident which isn't being handled currently.
+ ACTIVE = "Active" #: An active incident which is being handled.
+ CLOSED = "Closed" #: A non-active incident.
+
+class LicenseStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """Determines whether the tenant has ATP (Advanced Threat Protection) license.
+ """
+
+ ENABLED = "Enabled"
+ DISABLED = "Disabled"
+
+class MicrosoftSecurityProductName(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The alerts' productName on which the cases will be generated
+ """
+
+ MICROSOFT_CLOUD_APP_SECURITY = "Microsoft Cloud App Security"
+ AZURE_SECURITY_CENTER = "Azure Security Center"
+ AZURE_ADVANCED_THREAT_PROTECTION = "Azure Advanced Threat Protection"
+ AZURE_ACTIVE_DIRECTORY_IDENTITY_PROTECTION = "Azure Active Directory Identity Protection"
+ AZURE_SECURITY_CENTER_FOR_IO_T = "Azure Security Center for IoT"
+
+class SettingKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The kind of the setting
+ """
+
+ UEBA_SETTINGS = "UebaSettings"
+ TOGGLE_SETTINGS = "ToggleSettings"
+
+class StatusInMCAS(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App
+ Security).
+ """
+
+ ENABLED = "Enabled"
+ DISABLED = "Disabled"
+
+class TemplateStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The alert rule template status.
+ """
+
+ INSTALLED = "Installed" #: Alert rule template installed. and can not use more then once.
+ AVAILABLE = "Available" #: Alert rule template is available.
+ NOT_AVAILABLE = "NotAvailable" #: Alert rule template is not available.
+
+class TriggerOperator(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
+ """The operation against the threshold that triggers alert rule.
+ """
+
+ GREATER_THAN = "GreaterThan"
+ LESS_THAN = "LessThan"
+ EQUAL = "Equal"
+ NOT_EQUAL = "NotEqual"
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py
new file mode 100644
index 00000000000..5e67996dcd4
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py
@@ -0,0 +1,27 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from ._operation_operations import OperationOperations
+from ._alert_rule_operations import AlertRuleOperations
+from ._action_operations import ActionOperations
+from ._alert_rule_template_operations import AlertRuleTemplateOperations
+from ._bookmark_operations import BookmarkOperations
+from ._data_connector_operations import DataConnectorOperations
+from ._incident_operations import IncidentOperations
+from ._incident_comment_operations import IncidentCommentOperations
+
+__all__ = [
+ 'OperationOperations',
+ 'AlertRuleOperations',
+ 'ActionOperations',
+ 'AlertRuleTemplateOperations',
+ 'BookmarkOperations',
+ 'DataConnectorOperations',
+ 'IncidentOperations',
+ 'IncidentCommentOperations',
+]
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py
new file mode 100644
index 00000000000..a0eaa43cf9a
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py
@@ -0,0 +1,126 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class ActionOperations(object):
+ """ActionOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list_by_alert_rule(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.ActionsList"]
+ """Gets all actions of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either ActionsList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ActionsList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list_by_alert_rule.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('ActionsList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py
new file mode 100644
index 00000000000..f91eef2b673
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py
@@ -0,0 +1,546 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class AlertRuleOperations(object):
+ """AlertRuleOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.AlertRulesList"]
+ """Gets all alert rules.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either AlertRulesList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRulesList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('AlertRulesList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.AlertRule"
+ """Gets the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRule, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRule
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ def create_or_update(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ alert_rule, # type: "models.AlertRule"
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.AlertRule"
+ """Creates or updates the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param alert_rule: The alert rule.
+ :type alert_rule: ~security_insights.models.AlertRule
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRule, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRule
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(alert_rule, 'AlertRule')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('AlertRule', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ def delete(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ """Delete the alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore
+
+ def get_action(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ action_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.ActionResponse"
+ """Gets the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: ActionResponse, or the result of cls(response)
+ :rtype: ~security_insights.models.ActionResponse
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
+
+ def create_or_update_action(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ action_id, # type: str
+ etag=None, # type: Optional[str]
+ logic_app_resource_id=None, # type: Optional[str]
+ trigger_uri=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.ActionResponse"
+ """Creates or updates the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my-
+ subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-
+ workflow-id}.
+ :type logic_app_resource_id: str
+ :param trigger_uri: Logic App Callback URL for this specific workflow.
+ :type trigger_uri: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: ActionResponse, or the result of cls(response)
+ :rtype: ~security_insights.models.ActionResponse
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(action, 'ActionRequest')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('ActionResponse', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
+
+ def delete_action(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ rule_id, # type: str
+ action_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ """Delete the action of alert rule.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param rule_id: Alert rule ID.
+ :type rule_id: str
+ :param action_id: Action ID.
+ :type action_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete_action.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'ruleId': self._serialize.url("rule_id", rule_id, 'str'),
+ 'actionId': self._serialize.url("action_id", action_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py
new file mode 100644
index 00000000000..2dad458b3f7
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py
@@ -0,0 +1,186 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class AlertRuleTemplateOperations(object):
+ """AlertRuleTemplateOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.AlertRuleTemplatesList"]
+ """Gets all alert rule templates.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either AlertRuleTemplatesList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRuleTemplatesList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplatesList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('AlertRuleTemplatesList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ alert_rule_template_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.AlertRuleTemplate"
+ """Gets the alert rule template.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param alert_rule_template_id: Alert rule template ID.
+ :type alert_rule_template_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: AlertRuleTemplate, or the result of cls(response)
+ :rtype: ~security_insights.models.AlertRuleTemplate
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplate"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('AlertRuleTemplate', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py
new file mode 100644
index 00000000000..0121790c420
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py
@@ -0,0 +1,353 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+import datetime
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class BookmarkOperations(object):
+ """BookmarkOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.BookmarkList"]
+ """Gets all bookmarks.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either BookmarkList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.BookmarkList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('BookmarkList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ bookmark_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.Bookmark"
+ """Gets a bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Bookmark, or the result of cls(response)
+ :rtype: ~security_insights.models.Bookmark
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
+
+ def create_or_update(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ bookmark_id, # type: str
+ etag=None, # type: Optional[str]
+ created=None, # type: Optional[datetime.datetime]
+ display_name=None, # type: Optional[str]
+ labels=None, # type: Optional[List[str]]
+ notes=None, # type: Optional[str]
+ query=None, # type: Optional[str]
+ query_result=None, # type: Optional[str]
+ updated=None, # type: Optional[datetime.datetime]
+ incident_info=None, # type: Optional["models.IncidentInfo"]
+ object_id=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.Bookmark"
+ """Creates or updates the bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param created: The time the bookmark was created.
+ :type created: ~datetime.datetime
+ :param display_name: The display name of the bookmark.
+ :type display_name: str
+ :param labels: List of labels relevant to this bookmark.
+ :type labels: list[str]
+ :param notes: The notes of the bookmark.
+ :type notes: str
+ :param query: The query of the bookmark.
+ :type query: str
+ :param query_result: The query result of the bookmark.
+ :type query_result: str
+ :param updated: The last time the bookmark was updated.
+ :type updated: ~datetime.datetime
+ :param incident_info: Describes an incident that relates to bookmark.
+ :type incident_info: ~security_insights.models.IncidentInfo
+ :param object_id: The object id of the user.
+ :type object_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Bookmark, or the result of cls(response)
+ :rtype: ~security_insights.models.Bookmark
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(bookmark, 'Bookmark')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('Bookmark', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
+
+ def delete(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ bookmark_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ """Delete the bookmark.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param bookmark_id: Bookmark ID.
+ :type bookmark_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py
new file mode 100644
index 00000000000..8fd8df7be38
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py
@@ -0,0 +1,323 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class DataConnectorOperations(object):
+ """DataConnectorOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.DataConnectorList"]
+ """Gets all data connectors.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either DataConnectorList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.DataConnectorList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('DataConnectorList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ data_connector_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.DataConnector"
+ """Gets a data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: DataConnector, or the result of cls(response)
+ :rtype: ~security_insights.models.DataConnector
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
+
+ def create_or_update(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ data_connector_id, # type: str
+ data_connector, # type: "models.DataConnector"
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.DataConnector"
+ """Creates or updates the data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :param data_connector: The data connector.
+ :type data_connector: ~security_insights.models.DataConnector
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: DataConnector, or the result of cls(response)
+ :rtype: ~security_insights.models.DataConnector
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(data_connector, 'DataConnector')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('DataConnector', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
+
+ def delete(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ data_connector_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ """Delete the data connector.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param data_connector_id: Connector ID.
+ :type data_connector_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py
new file mode 100644
index 00000000000..ebed41e74ae
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py
@@ -0,0 +1,294 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class IncidentCommentOperations(object):
+ """IncidentCommentOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list_by_incident(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ filter=None, # type: Optional[str]
+ orderby=None, # type: Optional[str]
+ top=None, # type: Optional[int]
+ skip_token=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.IncidentCommentList"]
+ """Gets all incident comments.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param filter: Filters the results, based on a Boolean condition. Optional.
+ :type filter: str
+ :param orderby: Sorts the results. Optional.
+ :type orderby: str
+ :param top: Returns only the first n results. Optional.
+ :type top: int
+ :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If
+ a previous response contains a nextLink element, the value of the nextLink element will include
+ a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
+ :type skip_token: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either IncidentCommentList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentCommentList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentCommentList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list_by_incident.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+ if filter is not None:
+ query_parameters['$filter'] = self._serialize.query("filter", filter, 'str')
+ if orderby is not None:
+ query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str')
+ if top is not None:
+ query_parameters['$top'] = self._serialize.query("top", top, 'int')
+ if skip_token is not None:
+ query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('IncidentCommentList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list_by_incident.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ incident_comment_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.IncidentComment"
+ """Gets an incident comment.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param incident_comment_id: Incident comment ID.
+ :type incident_comment_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: IncidentComment, or the result of cls(response)
+ :rtype: ~security_insights.models.IncidentComment
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('IncidentComment', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore
+
+ def create_comment(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ incident_comment_id, # type: str
+ message=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.IncidentComment"
+ """Creates the incident comment.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param incident_comment_id: Incident comment ID.
+ :type incident_comment_id: str
+ :param message: The comment message.
+ :type message: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: IncidentComment, or the result of cls(response)
+ :rtype: ~security_insights.models.IncidentComment
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ incident_comment = models.IncidentComment(message=message)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_comment.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(incident_comment, 'IncidentComment')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('IncidentComment', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py
new file mode 100644
index 00000000000..0a2071ac198
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py
@@ -0,0 +1,381 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+import datetime
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class IncidentOperations(object):
+ """IncidentOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ filter=None, # type: Optional[str]
+ orderby=None, # type: Optional[str]
+ top=None, # type: Optional[int]
+ skip_token=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.IncidentList"]
+ """Gets all incidents.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param filter: Filters the results, based on a Boolean condition. Optional.
+ :type filter: str
+ :param orderby: Sorts the results. Optional.
+ :type orderby: str
+ :param top: Returns only the first n results. Optional.
+ :type top: int
+ :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If
+ a previous response contains a nextLink element, the value of the nextLink element will include
+ a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
+ :type skip_token: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either IncidentList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+ if filter is not None:
+ query_parameters['$filter'] = self._serialize.query("filter", filter, 'str')
+ if orderby is not None:
+ query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str')
+ if top is not None:
+ query_parameters['$top'] = self._serialize.query("top", top, 'int')
+ if skip_token is not None:
+ query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('IncidentList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore
+
+ def get(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.Incident"
+ """Gets an incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Incident, or the result of cls(response)
+ :rtype: ~security_insights.models.Incident
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.get.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
+
+ def create_or_update(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ etag=None, # type: Optional[str]
+ classification=None, # type: Optional[Union[str, "models.IncidentClassification"]]
+ classification_comment=None, # type: Optional[str]
+ classification_reason=None, # type: Optional[Union[str, "models.IncidentClassificationReason"]]
+ description=None, # type: Optional[str]
+ first_activity_time_utc=None, # type: Optional[datetime.datetime]
+ labels=None, # type: Optional[List["models.IncidentLabel"]]
+ last_activity_time_utc=None, # type: Optional[datetime.datetime]
+ owner=None, # type: Optional["models.IncidentOwnerInfo"]
+ severity=None, # type: Optional[Union[str, "models.IncidentSeverity"]]
+ status=None, # type: Optional[Union[str, "models.IncidentStatus"]]
+ title=None, # type: Optional[str]
+ **kwargs # type: Any
+ ):
+ # type: (...) -> "models.Incident"
+ """Creates or updates the incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :param etag: Etag of the azure resource.
+ :type etag: str
+ :param classification: The reason the incident was closed.
+ :type classification: str or ~security_insights.models.IncidentClassification
+ :param classification_comment: Describes the reason the incident was closed.
+ :type classification_comment: str
+ :param classification_reason: The classification reason the incident was closed with.
+ :type classification_reason: str or ~security_insights.models.IncidentClassificationReason
+ :param description: The description of the incident.
+ :type description: str
+ :param first_activity_time_utc: The time of the first activity in the incident.
+ :type first_activity_time_utc: ~datetime.datetime
+ :param labels: List of labels relevant to this incident.
+ :type labels: list[~security_insights.models.IncidentLabel]
+ :param last_activity_time_utc: The time of the last activity in the incident.
+ :type last_activity_time_utc: ~datetime.datetime
+ :param owner: Describes a user that the incident is assigned to.
+ :type owner: ~security_insights.models.IncidentOwnerInfo
+ :param severity: The severity of the incident.
+ :type severity: str or ~security_insights.models.IncidentSeverity
+ :param status: The status of the incident.
+ :type status: str or ~security_insights.models.IncidentStatus
+ :param title: The title of the incident.
+ :type title: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: Incident, or the result of cls(response)
+ :rtype: ~security_insights.models.Incident
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+
+ incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title)
+ api_version = "2020-01-01"
+ content_type = kwargs.pop("content_type", "application/json")
+ accept = "application/json"
+
+ # Construct URL
+ url = self.create_or_update.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str')
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ body_content_kwargs = {} # type: Dict[str, Any]
+ body_content = self._serialize.body(incident, 'Incident')
+ body_content_kwargs['content'] = body_content
+ request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 201]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if response.status_code == 200:
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if response.status_code == 201:
+ deserialized = self._deserialize('Incident', pipeline_response)
+
+ if cls:
+ return cls(pipeline_response, deserialized, {})
+
+ return deserialized
+ create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
+
+ def delete(
+ self,
+ resource_group_name, # type: str
+ workspace_name, # type: str
+ incident_id, # type: str
+ **kwargs # type: Any
+ ):
+ # type: (...) -> None
+ """Delete the incident.
+
+ :param resource_group_name: The name of the resource group within the user's subscription. The
+ name is case insensitive.
+ :type resource_group_name: str
+ :param workspace_name: The name of the workspace.
+ :type workspace_name: str
+ :param incident_id: Incident ID.
+ :type incident_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ if cls:
+ return cls(pipeline_response, None, {})
+
+ delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py
new file mode 100644
index 00000000000..b1d3c09bbf3
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py
@@ -0,0 +1,109 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+from typing import TYPE_CHECKING
+import warnings
+
+from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error
+from azure.core.paging import ItemPaged
+from azure.core.pipeline import PipelineResponse
+from azure.core.pipeline.transport import HttpRequest, HttpResponse
+from azure.mgmt.core.exceptions import ARMErrorFormat
+
+from .. import models
+
+if TYPE_CHECKING:
+ # pylint: disable=unused-import,ungrouped-imports
+ from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar
+
+ T = TypeVar('T')
+ ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]]
+
+class OperationOperations(object):
+ """OperationOperations operations.
+
+ You should not instantiate this class directly. Instead, you should create a Client instance that
+ instantiates it for you and attaches it as an attribute.
+
+ :ivar models: Alias to model classes used in this operation group.
+ :type models: ~security_insights.models
+ :param client: Client for service requests.
+ :param config: Configuration of service client.
+ :param serializer: An object model serializer.
+ :param deserializer: An object model deserializer.
+ """
+
+ models = models
+
+ def __init__(self, client, config, serializer, deserializer):
+ self._client = client
+ self._serialize = serializer
+ self._deserialize = deserializer
+ self._config = config
+
+ def list(
+ self,
+ **kwargs # type: Any
+ ):
+ # type: (...) -> Iterable["models.OperationsList"]
+ """Lists all operations available Azure Security Insights Resource Provider.
+
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: An iterator like instance of either OperationsList or the result of cls(response)
+ :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.OperationsList]
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType["models.OperationsList"]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2020-01-01"
+ accept = "application/json"
+
+ def prepare_request(next_link=None):
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ if not next_link:
+ # Construct URL
+ url = self.list.metadata['url'] # type: ignore
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ request = self._client.get(url, query_parameters, header_parameters)
+ else:
+ url = next_link
+ query_parameters = {} # type: Dict[str, Any]
+ request = self._client.get(url, query_parameters, header_parameters)
+ return request
+
+ def extract_data(pipeline_response):
+ deserialized = self._deserialize('OperationsList', pipeline_response)
+ list_of_elem = deserialized.value
+ if cls:
+ list_of_elem = cls(list_of_elem)
+ return deserialized.next_link or None, iter(list_of_elem)
+
+ def get_next(next_link=None):
+ request = prepare_request(next_link)
+
+ pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, error_format=ARMErrorFormat)
+
+ return pipeline_response
+
+ return ItemPaged(
+ get_next, extract_data
+ )
+ list.metadata = {'url': '/providers/Microsoft.SecurityInsights/operations'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed
new file mode 100644
index 00000000000..e5aff4f83af
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed
@@ -0,0 +1 @@
+# Marker file for PEP 561.
\ No newline at end of file
diff --git a/src/securityinsight/report.md b/src/securityinsight/report.md
new file mode 100644
index 00000000000..d2f533d3f36
--- /dev/null
+++ b/src/securityinsight/report.md
@@ -0,0 +1,610 @@
+# Azure CLI Module Creation Report
+
+## EXTENSION
+|CLI Extension|Command Groups|
+|---------|------------|
+|az sentinel|[groups](#CommandGroups)
+
+## GROUPS
+### Command groups in `az sentinel` extension
+|CLI Command Group|Group Swagger name|Commands|
+|---------|------------|--------|
+|az sentinel alert-rule|AlertRules|[commands](#CommandsInAlertRules)|
+|az sentinel action|Actions|[commands](#CommandsInActions)|
+|az sentinel alert-rule-template|AlertRuleTemplates|[commands](#CommandsInAlertRuleTemplates)|
+|az sentinel bookmark|Bookmarks|[commands](#CommandsInBookmarks)|
+|az sentinel data-connector|DataConnectors|[commands](#CommandsInDataConnectors)|
+|az sentinel incident|Incidents|[commands](#CommandsInIncidents)|
+|az sentinel incident-comment|IncidentComments|[commands](#CommandsInIncidentComments)|
+
+## COMMANDS
+### Commands in `az sentinel action` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel action list](#ActionsListByAlertRule)|ListByAlertRule|[Parameters](#ParametersActionsListByAlertRule)|[Example](#ExamplesActionsListByAlertRule)|
+
+### Commands in `az sentinel alert-rule` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel alert-rule list](#AlertRulesList)|List|[Parameters](#ParametersAlertRulesList)|[Example](#ExamplesAlertRulesList)|
+|[az sentinel alert-rule show](#AlertRulesGet)|Get|[Parameters](#ParametersAlertRulesGet)|[Example](#ExamplesAlertRulesGet)|
+|[az sentinel alert-rule create](#AlertRulesCreateOrUpdateAction)|CreateOrUpdateAction|[Parameters](#ParametersAlertRulesCreateOrUpdateAction)|[Example](#ExamplesAlertRulesCreateOrUpdateAction)|
+|[az sentinel alert-rule create](#AlertRulesCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersAlertRulesCreateOrUpdate#Create)|[Example](#ExamplesAlertRulesCreateOrUpdate#Create)|
+|[az sentinel alert-rule update](#AlertRulesCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersAlertRulesCreateOrUpdate#Update)|Not Found|
+|[az sentinel alert-rule delete](#AlertRulesDeleteAction)|DeleteAction|[Parameters](#ParametersAlertRulesDeleteAction)|[Example](#ExamplesAlertRulesDeleteAction)|
+|[az sentinel alert-rule delete](#AlertRulesDelete)|Delete|[Parameters](#ParametersAlertRulesDelete)|[Example](#ExamplesAlertRulesDelete)|
+|[az sentinel alert-rule get-action](#AlertRulesGetAction)|GetAction|[Parameters](#ParametersAlertRulesGetAction)|[Example](#ExamplesAlertRulesGetAction)|
+
+### Commands in `az sentinel alert-rule-template` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel alert-rule-template list](#AlertRuleTemplatesList)|List|[Parameters](#ParametersAlertRuleTemplatesList)|[Example](#ExamplesAlertRuleTemplatesList)|
+|[az sentinel alert-rule-template show](#AlertRuleTemplatesGet)|Get|[Parameters](#ParametersAlertRuleTemplatesGet)|[Example](#ExamplesAlertRuleTemplatesGet)|
+
+### Commands in `az sentinel bookmark` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel bookmark list](#BookmarksList)|List|[Parameters](#ParametersBookmarksList)|[Example](#ExamplesBookmarksList)|
+|[az sentinel bookmark show](#BookmarksGet)|Get|[Parameters](#ParametersBookmarksGet)|[Example](#ExamplesBookmarksGet)|
+|[az sentinel bookmark create](#BookmarksCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersBookmarksCreateOrUpdate#Create)|[Example](#ExamplesBookmarksCreateOrUpdate#Create)|
+|[az sentinel bookmark update](#BookmarksCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersBookmarksCreateOrUpdate#Update)|Not Found|
+|[az sentinel bookmark delete](#BookmarksDelete)|Delete|[Parameters](#ParametersBookmarksDelete)|[Example](#ExamplesBookmarksDelete)|
+
+### Commands in `az sentinel data-connector` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel data-connector list](#DataConnectorsList)|List|[Parameters](#ParametersDataConnectorsList)|[Example](#ExamplesDataConnectorsList)|
+|[az sentinel data-connector show](#DataConnectorsGet)|Get|[Parameters](#ParametersDataConnectorsGet)|[Example](#ExamplesDataConnectorsGet)|
+|[az sentinel data-connector create](#DataConnectorsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Create)|[Example](#ExamplesDataConnectorsCreateOrUpdate#Create)|
+|[az sentinel data-connector update](#DataConnectorsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Update)|Not Found|
+|[az sentinel data-connector delete](#DataConnectorsDelete)|Delete|[Parameters](#ParametersDataConnectorsDelete)|[Example](#ExamplesDataConnectorsDelete)|
+
+### Commands in `az sentinel incident` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel incident list](#IncidentsList)|List|[Parameters](#ParametersIncidentsList)|[Example](#ExamplesIncidentsList)|
+|[az sentinel incident show](#IncidentsGet)|Get|[Parameters](#ParametersIncidentsGet)|[Example](#ExamplesIncidentsGet)|
+|[az sentinel incident create](#IncidentsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersIncidentsCreateOrUpdate#Create)|[Example](#ExamplesIncidentsCreateOrUpdate#Create)|
+|[az sentinel incident update](#IncidentsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersIncidentsCreateOrUpdate#Update)|Not Found|
+|[az sentinel incident delete](#IncidentsDelete)|Delete|[Parameters](#ParametersIncidentsDelete)|[Example](#ExamplesIncidentsDelete)|
+
+### Commands in `az sentinel incident-comment` group
+|CLI Command|Operation Swagger name|Parameters|Examples|
+|---------|------------|--------|-----------|
+|[az sentinel incident-comment list](#IncidentCommentsListByIncident)|ListByIncident|[Parameters](#ParametersIncidentCommentsListByIncident)|[Example](#ExamplesIncidentCommentsListByIncident)|
+|[az sentinel incident-comment show](#IncidentCommentsGet)|Get|[Parameters](#ParametersIncidentCommentsGet)|[Example](#ExamplesIncidentCommentsGet)|
+|[az sentinel incident-comment create](#IncidentCommentsCreateComment)|CreateComment|[Parameters](#ParametersIncidentCommentsCreateComment)|[Example](#ExamplesIncidentCommentsCreateComment)|
+
+
+## COMMAND DETAILS
+
+### group `az sentinel action`
+#### Command `az sentinel action list`
+
+##### Example
+```
+az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name \
+"myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+
+### group `az sentinel alert-rule`
+#### Command `az sentinel alert-rule list`
+
+##### Example
+```
+az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+
+#### Command `az sentinel alert-rule show`
+
+##### Example
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name \
+"myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+
+#### Command `az sentinel alert-rule create`
+
+##### Example
+```
+az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --logic-app-resource-id \
+"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \
+--trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/m\
+anual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id \
+"912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+|**--action-id**|string|Action ID|action_id|actionId|
+|**--etag**|string|Etag of the azure resource|etag|etag|
+|**--logic-app-resource-id**|string|Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.|logic_app_resource_id|logicAppResourceId|
+|**--trigger-uri**|string|Logic App Callback URL for this specific workflow.|trigger_uri|triggerUri|
+
+#### Command `az sentinel alert-rule create`
+
+##### Example
+```
+az sentinel alert-rule create --fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" \
+alert-rule-template-name="f71aba3d-28fb-450b-b192-4e76a83015c8" enabled=true --resource-group "myRg" --rule-id \
+"myFirstFusionRule" --workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule etag="\\"260097e0-0000-0d00-0000-5d6fa8\
+8f0000\\"" product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true \
+--resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" --workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel alert-rule create --scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" \
+query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 \
+description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false \
+tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5\
+" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule|
+|**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule|
+|**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule|
+
+#### Command `az sentinel alert-rule update`
+
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+|**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule|
+|**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule|
+|**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule|
+
+#### Command `az sentinel alert-rule delete`
+
+##### Example
+```
+az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \
+"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+|**--action-id**|string|Action ID|action_id|actionId|
+
+#### Command `az sentinel alert-rule delete`
+
+##### Example
+```
+az sentinel alert-rule delete --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+#### Command `az sentinel alert-rule get-action`
+
+##### Example
+```
+az sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \
+"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--rule-id**|string|Alert rule ID|rule_id|ruleId|
+|**--action-id**|string|Action ID|action_id|actionId|
+
+### group `az sentinel alert-rule-template`
+#### Command `az sentinel alert-rule-template list`
+
+##### Example
+```
+az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+
+#### Command `az sentinel alert-rule-template show`
+
+##### Example
+```
+az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" --resource-group \
+"myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--alert-rule-template-id**|string|Alert rule template ID|alert_rule_template_id|alertRuleTemplateId|
+
+### group `az sentinel bookmark`
+#### Command `az sentinel bookmark list`
+
+##### Example
+```
+az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+
+#### Command `az sentinel bookmark show`
+
+##### Example
+```
+az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId|
+
+#### Command `az sentinel bookmark create`
+
+##### Example
+```
+az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created "2019-01-01T13:15:30Z" \
+--display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious activity" --query \
+"SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security Event query \
+result" --updated "2019-01-01T13:15:30Z" --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId|
+|**--etag**|string|Etag of the azure resource|etag|etag|
+|**--created**|date-time|The time the bookmark was created|created|created|
+|**--display-name**|string|The display name of the bookmark|display_name|displayName|
+|**--labels**|array|List of labels relevant to this bookmark|labels|labels|
+|**--notes**|string|The notes of the bookmark|notes|notes|
+|**--query**|string|The query of the bookmark.|query|query|
+|**--query-result**|string|The query result of the bookmark.|query_result|queryResult|
+|**--updated**|date-time|The last time the bookmark was updated|updated|updated|
+|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo|
+|**--updated-by-object-id**|uuid|The object id of the user.|object_id|objectId|
+
+#### Command `az sentinel bookmark update`
+
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId|
+|**--etag**|string|Etag of the azure resource|etag|etag|
+|**--created**|date-time|The time the bookmark was created|created|created|
+|**--display-name**|string|The display name of the bookmark|display_name|displayName|
+|**--labels**|array|List of labels relevant to this bookmark|labels|labels|
+|**--notes**|string|The notes of the bookmark|notes|notes|
+|**--query**|string|The query of the bookmark.|query|query|
+|**--query-result**|string|The query result of the bookmark.|query_result|queryResult|
+|**--updated**|date-time|The last time the bookmark was updated|updated|updated|
+|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo|
+|**--updated-by-object-id**|uuid|The object id of the user.|object_id|objectId|
+
+#### Command `az sentinel bookmark delete`
+
+##### Example
+```
+az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId|
+
+### group `az sentinel data-connector`
+#### Command `az sentinel data-connector list`
+
+##### Example
+```
+az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+
+#### Command `az sentinel data-connector show`
+
+##### Example
+```
+az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Example
+```
+az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId|
+
+#### Command `az sentinel data-connector create`
+
+##### Example
+```
+az sentinel data-connector create --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \
+tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \
+--resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId|
+|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector|
+|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector|
+|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector|
+|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector|
+|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector|
+|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.|mdatp_data_connector|MDATPDataConnector|
+|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector|
+|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector|
+
+#### Command `az sentinel data-connector update`
+
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId|
+|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector|
+|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector|
+|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector|
+|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector|
+|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector|
+|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.|mdatp_data_connector|MDATPDataConnector|
+|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector|
+|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector|
+
+#### Command `az sentinel data-connector delete`
+
+##### Example
+```
+az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId|
+
+### group `az sentinel incident`
+#### Command `az sentinel incident list`
+
+##### Example
+```
+az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" --workspace-name \
+"myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter|
+|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby|
+|**--top**|integer|Returns only the first n results. Optional.|top|$top|
+|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken|
+
+#### Command `az sentinel incident show`
+
+##### Example
+```
+az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+
+#### Command `az sentinel incident create`
+
+##### Example
+```
+az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is a demo \
+incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" --classification-reason \
+"IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \
+--owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity "High" --status "Closed" --title "My incident" \
+--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+|**--etag**|string|Etag of the azure resource|etag|etag|
+|**--classification**|choice|The reason the incident was closed|classification|classification|
+|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment|
+|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason|
+|**--description**|string|The description of the incident|description|description|
+|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc|
+|**--labels**|array|List of labels relevant to this incident|labels|labels|
+|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc|
+|**--owner**|object|Describes a user that the incident is assigned to|owner|owner|
+|**--severity**|choice|The severity of the incident|severity|severity|
+|**--status**|choice|The status of the incident|status|status|
+|**--title**|string|The title of the incident|title|title|
+
+#### Command `az sentinel incident update`
+
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+|**--etag**|string|Etag of the azure resource|etag|etag|
+|**--classification**|choice|The reason the incident was closed|classification|classification|
+|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment|
+|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason|
+|**--description**|string|The description of the incident|description|description|
+|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc|
+|**--labels**|array|List of labels relevant to this incident|labels|labels|
+|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc|
+|**--owner**|object|Describes a user that the incident is assigned to|owner|owner|
+|**--severity**|choice|The severity of the incident|severity|severity|
+|**--status**|choice|The status of the incident|status|status|
+|**--title**|string|The title of the incident|title|title|
+
+#### Command `az sentinel incident delete`
+
+##### Example
+```
+az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+
+### group `az sentinel incident-comment`
+#### Command `az sentinel incident-comment list`
+
+##### Example
+```
+az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \
+--workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter|
+|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby|
+|**--top**|integer|Returns only the first n results. Optional.|top|$top|
+|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken|
+
+#### Command `az sentinel incident-comment show`
+
+##### Example
+```
+az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id \
+"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId|
+
+#### Command `az sentinel incident-comment create`
+
+##### Example
+```
+az sentinel incident-comment create --message "Some message" --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da001\
+4" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace"
+```
+##### Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--incident-id**|string|Incident ID|incident_id|incidentId|
+|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId|
+|**--message**|string|The comment message|message|message|
diff --git a/src/securityinsight/setup.cfg b/src/securityinsight/setup.cfg
new file mode 100644
index 00000000000..2fdd96e5d39
--- /dev/null
+++ b/src/securityinsight/setup.cfg
@@ -0,0 +1 @@
+#setup.cfg
\ No newline at end of file
diff --git a/src/securityinsight/setup.py b/src/securityinsight/setup.py
new file mode 100644
index 00000000000..ee9e18c7003
--- /dev/null
+++ b/src/securityinsight/setup.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+
+from codecs import open
+from setuptools import setup, find_packages
+
+# HISTORY.rst entry.
+VERSION = '0.1.0'
+try:
+ from azext_sentinel.manual.version import VERSION
+except ImportError:
+ pass
+
+# The full list of classifiers is available at
+# https://pypi.python.org/pypi?%3Aaction=list_classifiers
+CLASSIFIERS = [
+ 'Development Status :: 4 - Beta',
+ 'Intended Audience :: Developers',
+ 'Intended Audience :: System Administrators',
+ 'Programming Language :: Python',
+ 'Programming Language :: Python :: 3',
+ 'Programming Language :: Python :: 3.6',
+ 'Programming Language :: Python :: 3.7',
+ 'Programming Language :: Python :: 3.8',
+ 'License :: OSI Approved :: MIT License',
+]
+
+DEPENDENCIES = []
+
+try:
+ from azext_sentinel.manual.dependency import DEPENDENCIES
+except ImportError:
+ pass
+
+with open('README.md', 'r', encoding='utf-8') as f:
+ README = f.read()
+with open('HISTORY.rst', 'r', encoding='utf-8') as f:
+ HISTORY = f.read()
+
+setup(
+ name='sentinel',
+ version=VERSION,
+ description='Microsoft Azure Command-Line Tools SecurityInsights Extension',
+ author='Microsoft Corporation',
+ author_email='azpycli@microsoft.com',
+ url='https://github.com/Azure/azure-cli-extensions/tree/master/src/sentinel',
+ long_description=README + '\n\n' + HISTORY,
+ license='MIT',
+ classifiers=CLASSIFIERS,
+ packages=find_packages(),
+ install_requires=DEPENDENCIES,
+ package_data={'azext_sentinel': ['azext_metadata.json']},
+)
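Review bot: The two `try: ... except ImportError: pass` blocks that override `VERSION` and `DEPENDENCIES` swallow every import failure, not only the absence of the optional `manual` modules. If importing `azext_sentinel` fails for an unrelated reason at build time (presumably when its `__init__` pulls in the CLI core, which is not visible in this hunk), the package is silently built with `install_requires=[]` and version `0.1.0`. A narrower handler keeps the optional override and surfaces everything else: `except ModuleNotFoundError as exc:` followed by `if not (exc.name or '').startswith('azext_sentinel.manual'): raise`. Reading the two values from the files without importing the package would avoid the problem entirely. Separately, `url=` points at `.../src/sentinel` while this file is added under `src/securityinsight/`, so the project link in the published metadata probably does not resolve and should name the directory the extension lives in.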