diff --git a/src/securityinsight/HISTORY.rst b/src/securityinsight/HISTORY.rst index 0eb45d18800..b285e62956b 100644 --- a/src/securityinsight/HISTORY.rst +++ b/src/securityinsight/HISTORY.rst @@ -3,6 +3,10 @@ Release History =============== +0.2.0 +++++++ +Upgrade based on 2022-06-01-preview. + 0.1.2 ++++++ Rebrand the terms in help. diff --git a/src/securityinsight/README.md b/src/securityinsight/README.md index 90913a91f07..42aac1686bd 100644 --- a/src/securityinsight/README.md +++ b/src/securityinsight/README.md @@ -1,5 +1,5 @@ -# Azure CLI sentinel Extension # -This is the extension for sentinel +# Azure CLI Sentinel Extension # +This is an extension to Azure CLI to manage sentinel resources. ### How to use ### Install this extension using the below CLI command 
@@ -11,174 +11,277 @@ az extension add --name sentinel #### sentinel alert-rule #### ##### Create ##### ``` -az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ - --logic-app-resource-id "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \ - --trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" \ - --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \ - --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" +az sentinel alert-rule create -n myRule -w myWorkspace -g myRG \ + --ms-security-incident "{product-filter:'Microsoft Cloud App Security',display-name:testing,enabled:true}" ``` -##### Show ##### +##### List ##### ``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace" +az sentinel alert-rule list -w myWorkspace -g myRG ``` -##### Show ##### +##### Update ##### ``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \ - --workspace-name "myWorkspace" +az sentinel alert-rule update -n myRule -w myWorkspace -g myRG \ + --ms-security-incident display-name=tested ``` ##### Show ##### ``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ - --workspace-name "myWorkspace" +az sentinel alert-rule show -n myRule -w myWorkspace -g myRG +``` +##### Delete ##### +``` +az sentinel alert-rule delete -n myRule -w myWorkspace -g myRG --yes ``` + +#### sentinel alert-rule template #### ##### List ##### ``` -az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel alert-rule template list -w myWorkspace -g myRG ``` -##### Get-action ##### +##### Show ##### ``` -az 
sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \ - --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" +az sentinel alert-rule template show -n myTemplate -w myWorkspace -g myRG ``` -##### Delete ##### + +#### sentinel automation-rule #### +##### Create ##### ``` -az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \ - --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" +az sentinel automation-rule create -n myRule -w myWorkspace -g myRG \ + --display-name 'High severity incidents escalation' --order 1 \ + --actions "[{order:1,modify-properties:{action-configuration:{severity:High}}}]" \ + --triggering-logic "{is-enabled:true,triggers-on:Incidents,triggers-when:Created}" ``` -#### sentinel action #### ##### List ##### ``` -az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ - --workspace-name "myWorkspace" +az sentinel automation-rule list -w myWorkspace -g myRG ``` -#### sentinel alert-rule-template #### -##### List ##### +##### Update ##### ``` -az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel automation-rule update -n myRule -w myWorkspace -g myRG \ + --display-name 'New name' ``` ##### Show ##### ``` -az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" \ - --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel automation-rule show -n myRule -w myWorkspace -g myRG ``` +##### Delete ##### +``` +az sentinel automation-rule delete -n myRule -w myWorkspace -g myRG --yes +``` + #### sentinel bookmark #### ##### Create ##### ``` -az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created "2019-01-01T13:15:30Z" \ - --display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious activity" 
\ - --query "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" \ - --query-result "Security Event query result" --updated "2019-01-01T13:15:30Z" \ - --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel bookmark create -n myBookmark -w myWorkspace -g myRG \ + --query-content 'SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)' \ + --query-result 'Security Event query result' --display-name 'My bookmark' --notes 'Found a suspicious activity' \ + --entity-mappings "[{entity-type:Account,field-mappings:[{identifier:Fullname,value:johndoe@microsoft.com}]}]" \ + --tactics "[Execution]" --techniques "[T1609]" --labels "[Tag1,Tag2]" +``` +##### List ##### +``` +az sentinel bookmark list -w myWorkspace -g myRG ``` ##### Show ##### ``` -az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel bookmark show -n myBookmark -w myWorkspace -g myRG +``` +##### Delete ##### +``` +az sentinel bookmark delete -n myBookmark -w myWorkspace -g myRG --yes +``` + +#### sentinel bookmark relation #### +##### Create ##### +``` +az sentinel bookmark relation create -n myRelation -w myWorkspace -g myRG \ + --bookmark-id myBookmark --related-resource-id myIncident ``` ##### List ##### ``` -az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel bookmark relation list -w myWorkspace -g myRG \ + --bookmark-id myBookmark +``` +##### Show ##### +``` +az sentinel bookmark relation show -n myRelation -w myWorkspace -g myRG \ + --bookmark-id myBookmark ``` ##### Delete ##### ``` -az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel bookmark relation delete -n myRelation -w myWorkspace -g myRG \ + --bookmark-id myBookmark --yes ``` -#### sentinel 
data-connector #### + +#### sentinel incident #### ##### Create ##### ``` -az sentinel data-connector create \ - --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" \ - --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel incident create -n myIncident -w myWorkspace -g myRG \ + --classification FalsePositive --classification-reason IncorrectAlertLogic \ + --classification-comment 'Not a malicious activity' --first-activity-time-utc 2019-01-01T13:00:30Z \ + --last-activity-time-utc 2019-01-01T13:05:30Z --severity High --status Closed --title 'My incident' \ + --description 'This is a demo incident' \ + --owner "{object-id:2046feea-040d-4a46-9e2b-91c2941bfa70}" ``` -##### Show ##### +##### List ##### ``` -az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel incident list -w myWorkspace -g myRG --orderby 'properties/createdTimeUtc desc' --top 1 ``` ##### Show ##### ``` -az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel incident show -n myIncident -w myWorkspace -g myRG ``` -##### Show ##### +##### Delete ##### ``` -az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel incident delete -n myIncident -w myWorkspace -g myRG --yes ``` -##### Show ##### + +#### sentinel incident relation #### +##### Create ##### +``` +az sentinel incident relation create -n myRelation -w myWorkspace -g myRG \ + --incident-id myIncident --related-resource-id myBookmark +``` +##### List ##### ``` -az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ - 
--workspace-name "myWorkspace" +az sentinel incident relation list -w myWorkspace -g myRG \ + --incident-id myIncident ``` ##### Show ##### ``` -az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel incident relation show -n myRelation -w myWorkspace -g myRG \ + --incident-id myIncident +``` +##### Delete ##### +``` +az sentinel incident relation delete -n myRelation -w myWorkspace -g myRG \ + --incident-id myIncident --yes +``` + +#### sentinel incident comment #### +##### Create ##### +``` +az sentinel incident comment create -n myComment -w myWorkspace -g myRG \ + --incident-id myIncident --message 'Some message' +``` +##### List ##### +``` +az sentinel incident comment list -w myWorkspace -g myRG \ + --incident-id myIncident +``` +##### Update ##### +``` +az sentinel incident comment update -n myComment -w myWorkspace -g myRG \ + --incident-id myIncident --message 'Some messages' ``` ##### Show ##### ``` -az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel incident comment show -n myComment -w myWorkspace -g myRG \ + --incident-id myIncident +``` +##### Delete ##### +``` +az sentinel incident comment delete -n myComment -w myWorkspace -g myRG \ + --incident-id myIncident --yes ``` + +#### sentinel enrichment domain-whois #### ##### Show ##### ``` -az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel enrichment domain-whois show -g myRG --domain microsoft.com ``` + +#### sentinel enrichment ip-geodata #### ##### Show ##### ``` -az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel enrichment ip-geodata show -g myRG --ip-address 
1.2.3.4 +``` + +#### sentinel metadata #### +##### Create ##### +``` +az sentinel metadata create -n myMetadata -w myWorkspace -g myRG \ + --content-id myContent --parent-id myRule --kind AnalyticsRule ``` ##### List ##### ``` -az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel metadata list -w myWorkspace -g myRG +``` +##### Update ##### +``` +az sentinel metadata update -n myMetadata -w myWorkspace -g myRG \ + --author "{name:cli,email:cli@microsoft.com}" +``` +##### Show ##### +``` +az sentinel metadata show -n myMetadata -w myWorkspace -g myRG ``` ##### Delete ##### ``` -az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel metadata delete -n myMetadata -w myWorkspace -g myRG --yes ``` -#### sentinel incident #### + +#### sentinel onboarding-state #### ##### Create ##### ``` -az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ - --description "This is a demo incident" --classification "FalsePositive" \ - --classification-comment "Not a malicious activity" --classification-reason "IncorrectAlertLogic" \ - --first-activity-time-utc "2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \ - --owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity "High" --status "Closed" --title "My incident" \ - --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel onboarding-state create -n defalut -w myWorkspace -g myRG \ + --customer-managed-key false +``` +##### List ##### +``` +az sentinel onboarding-state list -w myWorkspace -g myRG ``` ##### Show ##### ``` -az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel onboarding-state show -n defalut -w myWorkspace -g myRG +``` +##### Delete ##### +``` +az 
sentinel onboarding-state delete -n defalut -w myWorkspace -g myRG --yes +``` + +#### sentinel threat-indicator #### +##### Create ##### +``` +az sentinel threat-indicator create -w myWorkspace -g myRG \ + --source 'Microsoft Sentinel' --display-name 'new schema' --confidence 78 --created-by-ref contoso@contoso.com \ + --modified '' --pattern '[url:value = 'https://www.contoso.com']' --pattern-type url --revoked false \ + --valid-from 2022-06-15T17:44:00.114052Z --valid-until '' --description 'debugging indicators' \ + --threat-tags "['new schema']" --threat-types "[compromised]" --external-references "[]" ``` ##### List ##### ``` -az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel threat-indicator list -w myWorkspace -g myRG +``` +##### Show ##### +``` +az sentinel threat-indicator show -n myIndictor -w myWorkspace -g myRG ``` ##### Delete ##### ``` -az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" +az sentinel threat-indicator delete -n myIndictor -w myWorkspace -g myRG --yes ``` -#### sentinel incident-comment #### + +#### sentinel watchlist #### ##### Create ##### ``` -az sentinel incident-comment create --message "Some message" \ - --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ - --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel watchlist create -n myWatchlist -w myWorkspace -g myRG \ + --description 'Watchlist from CSV content' --display-name 'High Value Assets Watchlist' + --provider Microsoft --items-search-key header1 +``` +##### List ##### +``` +az sentinel watchlist list -w myWorkspace -g myRG +``` +##### Update ##### +``` +az sentinel watchlist update -n myWatchlist -w myWorkspace -g myRG \ + --display-name 'New name' ``` ##### Show ##### ``` -az sentinel incident-comment show 
--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" \ - --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel watchlist show -n myWatchlist -w myWorkspace -g myRG ``` -##### List ##### +##### Delete ##### +``` +az sentinel watchlist delete -n myWatchlist -w myWorkspace -g myRG --yes ``` -az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ - --workspace-name "myWorkspace" -``` \ No newline at end of file diff --git a/src/securityinsight/azext_sentinel/__init__.py b/src/securityinsight/azext_sentinel/__init__.py index cba11ad4731..3cd3dd1cf94 100644 --- a/src/securityinsight/azext_sentinel/__init__.py +++ b/src/securityinsight/azext_sentinel/__init__.py 
@@ -1,50 +1,42 @@
-# --------------------------------------------------------------------------
+# --------------------------------------------------------------------------------------------
 # Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
+# Licensed under the MIT License. See License.txt in the project root for license information.
 #
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
 from azure.cli.core import AzCommandsLoader
-from azext_sentinel.generated._help import helps # pylint: disable=unused-import
-try:
- from azext_sentinel.manual._help import helps # pylint: disable=reimported
-except ImportError:
- pass
+from azext_sentinel._help import helps # pylint: disable=unused-import
-class SecurityInsightsCommandsLoader(AzCommandsLoader):
+class SentinelCommandsLoader(AzCommandsLoader):
 def __init__(self, cli_ctx=None):
 from azure.cli.core.commands import CliCommandType
-        from azext_sentinel.generated._client_factory import cf_sentinel_cl
-        sentinel_custom = CliCommandType(
-            operations_tmpl='azext_sentinel.custom#{}',
-            client_factory=cf_sentinel_cl)
-        parent = super(SecurityInsightsCommandsLoader, self)
-        parent.__init__(cli_ctx=cli_ctx, custom_command_type=sentinel_custom)
+        custom_command_type = CliCommandType(
+            operations_tmpl='azext_sentinel.custom#{}')
+        super().__init__(cli_ctx=cli_ctx,
+                         custom_command_type=custom_command_type)
 def load_command_table(self, args):
-        from azext_sentinel.generated.commands import load_command_table
-        load_command_table(self, args)
+        from azext_sentinel.commands import load_command_table
+        from azure.cli.core.aaz import load_aaz_command_table
 try:
- from azext_sentinel.manual.commands import load_command_table as load_command_table_manual
- load_command_table_manual(self, args)
+ from . import aaz
 except ImportError:
- pass
+ aaz = None
+ if aaz:
+ load_aaz_command_table(
+ loader=self,
+ aaz_pkg_name=aaz.__name__,
+ args=args
+ )
+ load_command_table(self, args)
 return self.command_table
 def load_arguments(self, command):
- from azext_sentinel.generated._params import load_arguments
+ from azext_sentinel._params import load_arguments
 load_arguments(self, command)
- try:
- from azext_sentinel.manual._params import load_arguments as load_arguments_manual
- load_arguments_manual(self, command)
- except ImportError:
- pass
-COMMAND_LOADER_CLS = SecurityInsightsCommandsLoader
+COMMAND_LOADER_CLS = SentinelCommandsLoader
diff --git a/src/securityinsight/azext_sentinel/_help.py b/src/securityinsight/azext_sentinel/_help.py
new file mode 100644
index 00000000000..126d5d00714
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/_help.py
@@ -0,0 +1,11 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: disable=line-too-long
+# pylint: disable=too-many-lines
+
+from knack.help_files import helps # pylint: disable=unused-import
diff --git a/src/securityinsight/azext_sentinel/_params.py b/src/securityinsight/azext_sentinel/_params.py
new file mode 100644
index 00000000000..cfcec717c9c
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/_params.py
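Review bot: The `except ImportError: aaz = None` guard around `from . import aaz` in load_command_table also catches ImportErrors raised from inside the aaz package, so a defective generated command module silently removes every aaz command from the table instead of failing the load. Since this commit ships `azext_sentinel/aaz/__init__.py` with the extension, the fallback can only trigger on a broken install; I would import it unconditionally, `from . import aaz`, and drop the `if aaz:` check, or at minimum re-raise when the caught exception's `name` attribute is not this package's `aaz` module. If the guard is kept, a one-line comment on why it exists would help, because the template-generated try/except reads like dead code here.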
@@ -0,0 +1,13 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: disable=too-many-lines
+# pylint: disable=too-many-statements
+
+
+def load_arguments(self, _): # pylint: disable=unused-argument
+ pass
diff --git a/src/securityinsight/azext_sentinel/generated/_validators.py b/src/securityinsight/azext_sentinel/aaz/__init__.py
similarity index 55%
rename from src/securityinsight/azext_sentinel/generated/_validators.py
rename to src/securityinsight/azext_sentinel/aaz/__init__.py
index b33a44c1ebf..5757aea3175 100644
--- a/src/securityinsight/azext_sentinel/generated/_validators.py
+++ b/src/securityinsight/azext_sentinel/aaz/__init__.py
@@ -1,9 +1,6 @@
-# --------------------------------------------------------------------------
+# --------------------------------------------------------------------------------------------
 # Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
+# Licensed under the MIT License. See License.txt in the project root for license information.
 #
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/__init__.py
new file mode 100644
index 00000000000..5757aea3175
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/__init__.py
@@ -0,0 +1,6 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/__cmd_group.py
new file mode 100644
index 00000000000..ef4b32bbd02
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/__cmd_group.py
@@ -0,0 +1,23 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from azure.cli.core.aaz import *
+
+
+@register_command_group(
+    "sentinel",
+)
+class __CMDGroup(AAZCommandGroup):
+    """Manage Microsoft Sentinel.
+    """
+    pass
+
+
+__all__ = ["__CMDGroup"]
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/__init__.py
similarity index 51%
rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py
rename to src/securityinsight/azext_sentinel/aaz/latest/sentinel/__init__.py
index 17980852599..5a9d61963d6 100644
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/__init__.py
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/__init__.py
@@ -1,10 +1,11 @@
-# coding=utf-8
-# --------------------------------------------------------------------------
+# --------------------------------------------------------------------------------------------
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License. See License.txt in the project root for license information.
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is regenerated.
-# --------------------------------------------------------------------------
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
-from ._security_insights import SecurityInsights
-__all__ = ['SecurityInsights']
+# pylint: skip-file
+# flake8: noqa
+
+from .__cmd_group import *
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__cmd_group.py
new file mode 100644
index 00000000000..dbdb969c63f
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__cmd_group.py
@@ -0,0 +1,23 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from azure.cli.core.aaz import *
+
+
+@register_command_group(
+    "sentinel alert-rule",
+)
+class __CMDGroup(AAZCommandGroup):
+    """Manage alert rule with sentinel.
+    """
+    pass
+
+
+__all__ = ["__CMDGroup"]
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__init__.py
new file mode 100644
index 00000000000..c401f439385
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/__init__.py
@@ -0,0 +1,16 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from .__cmd_group import *
+from ._create import *
+from ._delete import *
+from ._list import *
+from ._show import *
+from ._update import *
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_create.py
new file mode 100644
index 00000000000..c3c6d2c088f
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_create.py
@@ -0,0 +1,1517 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["-n", "--name", "--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "AlertRule" + + _args_schema = cls._args_schema + _args_schema.fusion = AAZObjectArg( + options=["--fusion"], + arg_group="AlertRule", + ) + _args_schema.ml_behavior_analytics = AAZObjectArg( + options=["--ml-behavior-analytics"], + 
arg_group="AlertRule", + ) + _args_schema.ms_security_incident = AAZObjectArg( + options=["--ms-security-incident"], + arg_group="AlertRule", + help="Microsoft security incident creation.", + is_experimental=True, + ) + _args_schema.nrt = AAZObjectArg( + options=["--nrt"], + arg_group="AlertRule", + ) + _args_schema.scheduled = AAZObjectArg( + options=["--scheduled"], + arg_group="AlertRule", + ) + _args_schema.threat_intelligence = AAZObjectArg( + options=["--threat-intelligence"], + arg_group="AlertRule", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="AlertRule", + help="Etag of the azure resource", + ) + + fusion = cls._args_schema.fusion + fusion.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + fusion.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + fusion.scenario_exclusion_patterns = AAZListArg( + options=["scenario-exclusion-patterns"], + help="Configuration to exclude scenarios in fusion detection.", + ) + fusion.source_settings = AAZListArg( + options=["source-settings"], + help="Configuration for all supported source signals in fusion detection.", + ) + + scenario_exclusion_patterns = cls._args_schema.fusion.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrArg( + options=["date-added-in-utc"], + help="DateTime when scenario exclusion pattern is added in UTC.", + required=True, + ) + _element.exclusion_pattern = AAZStrArg( + options=["exclusion-pattern"], + help="Scenario exclusion pattern.", + required=True, + ) + + source_settings = cls._args_schema.fusion.source_settings + source_settings.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.source_settings.Element + _element.enabled = AAZBoolArg( + 
options=["enabled"], + help="Determines whether this source signal is enabled or disabled in Fusion detection.", + required=True, + ) + _element.source_name = AAZStrArg( + options=["source-name"], + help="Name of the Fusion source signal. Refer to Fusion alert rule template for supported values.", + required=True, + ) + _element.source_sub_types = AAZListArg( + options=["source-sub-types"], + help="Configuration for all source subtypes under this source signal consumed in fusion detection.", + ) + + source_sub_types = cls._args_schema.fusion.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this source subtype under source signal is enabled or disabled in Fusion detection.", + required=True, + ) + _element.severity_filters = AAZObjectArg( + options=["severity-filters"], + help="Severity configuration for a source subtype consumed in fusion detection.", + required=True, + ) + _element.source_sub_type_name = AAZStrArg( + options=["source-sub-type-name"], + help="The Name of the source subtype under a given source signal in Fusion detection. 
Refer to Fusion alert rule template for supported values.", + required=True, + ) + + severity_filters = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListArg( + options=["filters"], + help="Individual Severity configuration settings for a given source subtype consumed in Fusion detection.", + ) + + filters = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection.", + required=True, + ) + _element.severity = AAZStrArg( + options=["severity"], + help="The Severity for a given source subtype consumed in Fusion detection.", + required=True, + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + + ml_behavior_analytics = cls._args_schema.ml_behavior_analytics + ml_behavior_analytics.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + ml_behavior_analytics.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + + ms_security_incident = cls._args_schema.ms_security_incident + ms_security_incident.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + ms_security_incident.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + ) + ms_security_incident.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by this alert rule.", + ) + 
ms_security_incident.display_names_exclude_filter = AAZListArg( + options=["display-names-exclude-filter"], + help="the alerts' displayNames on which the cases will not be generated", + ) + ms_security_incident.display_names_filter = AAZListArg( + options=["display-names-filter"], + help="the alerts' displayNames on which the cases will be generated", + ) + ms_security_incident.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + ms_security_incident.product_filter = AAZStrArg( + options=["product-filter"], + help="The alerts' productName on which the cases will be generated", + enum={"Azure Active Directory Identity Protection": "Azure Active Directory Identity Protection", "Azure Advanced Threat Protection": "Azure Advanced Threat Protection", "Azure Security Center": "Azure Security Center", "Azure Security Center for IoT": "Azure Security Center for IoT", "Microsoft Cloud App Security": "Microsoft Cloud App Security", "Microsoft Defender Advanced Threat Protection": "Microsoft Defender Advanced Threat Protection", "Office 365 Advanced Threat Protection": "Office 365 Advanced Threat Protection"}, + ) + ms_security_incident.severities_filter = AAZListArg( + options=["severities-filter"], + help="the alerts' severities on which the cases will be generated", + ) + + display_names_exclude_filter = cls._args_schema.ms_security_incident.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrArg() + + display_names_filter = cls._args_schema.ms_security_incident.display_names_filter + display_names_filter.Element = AAZStrArg() + + severities_filter = cls._args_schema.ms_security_incident.severities_filter + severities_filter.Element = AAZStrArg( + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + + nrt = cls._args_schema.nrt + nrt.alert_details_override = AAZObjectArg( + options=["alert-details-override"], + help="The alert details 
override settings", + ) + cls._build_args_alert_details_override_create(nrt.alert_details_override) + nrt.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + nrt.custom_details = AAZDictArg( + options=["custom-details"], + help="Dictionary of string key-value pairs of columns to be attached to the alert", + ) + nrt.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + ) + nrt.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by this alert rule.", + ) + nrt.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + nrt.entity_mappings = AAZListArg( + options=["entity-mappings"], + help="Array of the entity mappings of the alert rule", + ) + cls._build_args_entity_mappings_create(nrt.entity_mappings) + nrt.incident_configuration = AAZObjectArg( + options=["incident-configuration"], + help="The settings of the incidents that created from alerts triggered by this analytics rule", + ) + cls._build_args_incident_configuration_create(nrt.incident_configuration) + nrt.query = AAZStrArg( + options=["query"], + help="The query that creates alerts for this rule.", + ) + nrt.severity = AAZStrArg( + options=["severity"], + help="The severity for alerts created by this alert rule.", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + nrt.suppression_duration = AAZStrArg( + options=["suppression-duration"], + help="The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + ) + nrt.suppression_enabled = AAZBoolArg( + options=["suppression-enabled"], + help="Determines whether the suppression for this alert rule is enabled or disabled.", + ) + nrt.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the alert rule", + ) + 
nrt.techniques = AAZListArg( + options=["techniques"], + help="The techniques of the alert rule", + ) + nrt.template_version = AAZStrArg( + options=["template-version"], + help="The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + ) + + custom_details = cls._args_schema.nrt.custom_details + custom_details.Element = AAZStrArg() + + tactics = cls._args_schema.nrt.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.nrt.techniques + techniques.Element = AAZStrArg() + + scheduled = cls._args_schema.scheduled + scheduled.alert_details_override = AAZObjectArg( + options=["alert-details-override"], + help="The alert details override settings", + ) + cls._build_args_alert_details_override_create(scheduled.alert_details_override) + scheduled.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + scheduled.custom_details = AAZDictArg( + options=["custom-details"], + help="Dictionary of string key-value pairs of columns to be attached to the alert", + ) + scheduled.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + ) + scheduled.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by 
this alert rule.", + ) + scheduled.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + scheduled.entity_mappings = AAZListArg( + options=["entity-mappings"], + help="Array of the entity mappings of the alert rule", + ) + cls._build_args_entity_mappings_create(scheduled.entity_mappings) + scheduled.event_grouping_settings = AAZObjectArg( + options=["event-grouping-settings"], + help="The event grouping settings.", + ) + scheduled.incident_configuration = AAZObjectArg( + options=["incident-configuration"], + help="The settings of the incidents that created from alerts triggered by this analytics rule", + ) + cls._build_args_incident_configuration_create(scheduled.incident_configuration) + scheduled.query = AAZStrArg( + options=["query"], + help="The query that creates alerts for this rule.", + ) + scheduled.query_frequency = AAZStrArg( + options=["query-frequency"], + help="The frequency (in ISO 8601 duration format) for this alert rule to run.", + ) + scheduled.query_period = AAZStrArg( + options=["query-period"], + help="The period (in ISO 8601 duration format) that this alert rule looks at.", + ) + scheduled.severity = AAZStrArg( + options=["severity"], + help="The severity for alerts created by this alert rule.", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + scheduled.suppression_duration = AAZStrArg( + options=["suppression-duration"], + help="The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + ) + scheduled.suppression_enabled = AAZBoolArg( + options=["suppression-enabled"], + help="Determines whether the suppression for this alert rule is enabled or disabled.", + ) + scheduled.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the alert rule", + ) + scheduled.techniques = AAZListArg( + options=["techniques"], + help="The techniques of the alert rule", + ) + 
scheduled.template_version = AAZStrArg( + options=["template-version"], + help="The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + ) + scheduled.trigger_operator = AAZStrArg( + options=["trigger-operator"], + help="The operation against the threshold that triggers alert rule.", + enum={"Equal": "Equal", "GreaterThan": "GreaterThan", "LessThan": "LessThan", "NotEqual": "NotEqual"}, + ) + scheduled.trigger_threshold = AAZIntArg( + options=["trigger-threshold"], + help="The threshold triggers this alert rule.", + ) + + custom_details = cls._args_schema.scheduled.custom_details + custom_details.Element = AAZStrArg() + + event_grouping_settings = cls._args_schema.scheduled.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrArg( + options=["aggregation-kind"], + help="The event grouping aggregation kinds", + enum={"AlertPerResult": "AlertPerResult", "SingleAlert": "SingleAlert"}, + ) + + tactics = cls._args_schema.scheduled.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.scheduled.techniques + techniques.Element = AAZStrArg() + + threat_intelligence = cls._args_schema.threat_intelligence + threat_intelligence.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to 
create this rule.", + ) + threat_intelligence.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + return cls._args_schema + + _args_alert_details_override_create = None + + @classmethod + def _build_args_alert_details_override_create(cls, _schema): + if cls._args_alert_details_override_create is not None: + _schema.alert_description_format = cls._args_alert_details_override_create.alert_description_format + _schema.alert_display_name_format = cls._args_alert_details_override_create.alert_display_name_format + _schema.alert_severity_column_name = cls._args_alert_details_override_create.alert_severity_column_name + _schema.alert_tactics_column_name = cls._args_alert_details_override_create.alert_tactics_column_name + return + + cls._args_alert_details_override_create = AAZObjectArg() + + alert_details_override_create = cls._args_alert_details_override_create + alert_details_override_create.alert_description_format = AAZStrArg( + options=["alert-description-format"], + help="the format containing columns name(s) to override the alert description", + ) + alert_details_override_create.alert_display_name_format = AAZStrArg( + options=["alert-display-name-format"], + help="the format containing columns name(s) to override the alert name", + ) + alert_details_override_create.alert_severity_column_name = AAZStrArg( + options=["alert-severity-column-name"], + help="the column name to take the alert severity from", + ) + alert_details_override_create.alert_tactics_column_name = AAZStrArg( + options=["alert-tactics-column-name"], + help="the column name to take the alert tactics from", + ) + + _schema.alert_description_format = cls._args_alert_details_override_create.alert_description_format + _schema.alert_display_name_format = cls._args_alert_details_override_create.alert_display_name_format + _schema.alert_severity_column_name = cls._args_alert_details_override_create.alert_severity_column_name + 
_schema.alert_tactics_column_name = cls._args_alert_details_override_create.alert_tactics_column_name + + _args_entity_mappings_create = None + + @classmethod + def _build_args_entity_mappings_create(cls, _schema): + if cls._args_entity_mappings_create is not None: + _schema.Element = cls._args_entity_mappings_create.Element + return + + cls._args_entity_mappings_create = AAZListArg() + + entity_mappings_create = cls._args_entity_mappings_create + entity_mappings_create.Element = AAZObjectArg() + + _element = cls._args_entity_mappings_create.Element + _element.entity_type = AAZStrArg( + options=["entity-type"], + help="The V3 type of the mapped entity", + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "IP": "IP", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityGroup": "SecurityGroup", "SubmissionMail": "SubmissionMail", "URL": "URL"}, + ) + _element.field_mappings = AAZListArg( + options=["field-mappings"], + help="array of field mappings for the given entity mapping", + ) + + field_mappings = cls._args_entity_mappings_create.Element.field_mappings + field_mappings.Element = AAZObjectArg() + + _element = cls._args_entity_mappings_create.Element.field_mappings.Element + _element.column_name = AAZStrArg( + options=["column-name"], + help="the column name to be mapped to the identifier", + ) + _element.identifier = AAZStrArg( + options=["identifier"], + help="the V3 identifier of the entity", + ) + + _schema.Element = cls._args_entity_mappings_create.Element + + _args_incident_configuration_create = None + + @classmethod + def _build_args_incident_configuration_create(cls, _schema): + if cls._args_incident_configuration_create is not None: + _schema.create_incident = 
cls._args_incident_configuration_create.create_incident + _schema.grouping_configuration = cls._args_incident_configuration_create.grouping_configuration + return + + cls._args_incident_configuration_create = AAZObjectArg() + + incident_configuration_create = cls._args_incident_configuration_create + incident_configuration_create.create_incident = AAZBoolArg( + options=["create-incident"], + help="Create incidents from alerts triggered by this analytics rule", + required=True, + ) + incident_configuration_create.grouping_configuration = AAZObjectArg( + options=["grouping-configuration"], + help="Set how the alerts that are triggered by this analytics rule, are grouped into incidents", + ) + + grouping_configuration = cls._args_incident_configuration_create.grouping_configuration + grouping_configuration.enabled = AAZBoolArg( + options=["enabled"], + help="Grouping enabled", + required=True, + ) + grouping_configuration.group_by_alert_details = AAZListArg( + options=["group-by-alert-details"], + help="A list of alert details to group by (when matchingMethod is Selected)", + ) + grouping_configuration.group_by_custom_details = AAZListArg( + options=["group-by-custom-details"], + help="A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.", + ) + grouping_configuration.group_by_entities = AAZListArg( + options=["group-by-entities"], + help="A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.", + ) + grouping_configuration.lookback_duration = AAZStrArg( + options=["lookback-duration"], + help="Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + required=True, + ) + grouping_configuration.matching_method = AAZStrArg( + options=["matching-method"], + help="Grouping matching method. 
When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.", + required=True, + enum={"AllEntities": "AllEntities", "AnyAlert": "AnyAlert", "Selected": "Selected"}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolArg( + options=["reopen-closed-incident"], + help="Re-open closed matching incidents", + required=True, + ) + + group_by_alert_details = cls._args_incident_configuration_create.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrArg( + enum={"DisplayName": "DisplayName", "Severity": "Severity"}, + ) + + group_by_custom_details = cls._args_incident_configuration_create.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrArg() + + group_by_entities = cls._args_incident_configuration_create.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrArg( + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "IP": "IP", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityGroup": "SecurityGroup", "SubmissionMail": "SubmissionMail", "URL": "URL"}, + ) + + _schema.create_incident = cls._args_incident_configuration_create.create_incident + _schema.grouping_configuration = cls._args_incident_configuration_create.grouping_configuration + + def _execute_operations(self): + self.AlertRulesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class AlertRulesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = 
self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Fusion", AAZStrType, ".fusion", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MLBehaviorAnalytics", AAZStrType, ".ml_behavior_analytics", typ_kwargs={"flags": {"required": True}}) + 
_builder.set_const("kind", "MicrosoftSecurityIncidentCreation", AAZStrType, ".ms_security_incident", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "NRT", AAZStrType, ".nrt", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Scheduled", AAZStrType, ".scheduled", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligence", AAZStrType, ".threat_intelligence", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "Fusion") + _builder.discriminate_by("kind", "MLBehaviorAnalytics") + _builder.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + _builder.discriminate_by("kind", "NRT") + _builder.discriminate_by("kind", "Scheduled") + _builder.discriminate_by("kind", "ThreatIntelligence") + + disc_fusion = _builder.get("{kind:Fusion}") + if disc_fusion is not None: + disc_fusion.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Fusion}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".fusion.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".fusion.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("scenarioExclusionPatterns", AAZListType, ".fusion.scenario_exclusion_patterns") + properties.set_prop("sourceSettings", AAZListType, ".fusion.source_settings") + + scenario_exclusion_patterns = _builder.get("{kind:Fusion}.properties.scenarioExclusionPatterns") + if scenario_exclusion_patterns is not None: + scenario_exclusion_patterns.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.scenarioExclusionPatterns[]") + if _elements is not None: + _elements.set_prop("dateAddedInUTC", AAZStrType, ".date_added_in_utc", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("exclusionPattern", AAZStrType, 
".exclusion_pattern", typ_kwargs={"flags": {"required": True}}) + + source_settings = _builder.get("{kind:Fusion}.properties.sourceSettings") + if source_settings is not None: + source_settings.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceName", AAZStrType, ".source_name", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceSubTypes", AAZListType, ".source_sub_types") + + source_sub_types = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes") + if source_sub_types is not None: + source_sub_types.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("severityFilters", AAZObjectType, ".severity_filters", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceSubTypeName", AAZStrType, ".source_sub_type_name", typ_kwargs={"flags": {"required": True}}) + + severity_filters = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters") + if severity_filters is not None: + severity_filters.set_prop("filters", AAZListType, ".filters") + + filters = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters") + if filters is not None: + filters.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("severity", AAZStrType, ".severity", typ_kwargs={"flags": {"required": True}}) + + 
disc_ml_behavior_analytics = _builder.get("{kind:MLBehaviorAnalytics}") + if disc_ml_behavior_analytics is not None: + disc_ml_behavior_analytics.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MLBehaviorAnalytics}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".ml_behavior_analytics.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".ml_behavior_analytics.enabled", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_security_incident_creation = _builder.get("{kind:MicrosoftSecurityIncidentCreation}") + if disc_microsoft_security_incident_creation is not None: + disc_microsoft_security_incident_creation.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".ms_security_incident.alert_rule_template_name") + properties.set_prop("description", AAZStrType, ".ms_security_incident.description") + properties.set_prop("displayName", AAZStrType, ".ms_security_incident.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("displayNamesExcludeFilter", AAZListType, ".ms_security_incident.display_names_exclude_filter") + properties.set_prop("displayNamesFilter", AAZListType, ".ms_security_incident.display_names_filter") + properties.set_prop("enabled", AAZBoolType, ".ms_security_incident.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("productFilter", AAZStrType, ".ms_security_incident.product_filter", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severitiesFilter", AAZListType, ".ms_security_incident.severities_filter") + + display_names_exclude_filter = 
_builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.displayNamesExcludeFilter") + if display_names_exclude_filter is not None: + display_names_exclude_filter.set_elements(AAZStrType, ".") + + display_names_filter = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.displayNamesFilter") + if display_names_filter is not None: + display_names_filter.set_elements(AAZStrType, ".") + + severities_filter = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.severitiesFilter") + if severities_filter is not None: + severities_filter.set_elements(AAZStrType, ".") + + disc_nrt = _builder.get("{kind:NRT}") + if disc_nrt is not None: + disc_nrt.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:NRT}.properties") + if properties is not None: + _build_schema_alert_details_override_create(properties.set_prop("alertDetailsOverride", AAZObjectType, ".nrt.alert_details_override")) + properties.set_prop("alertRuleTemplateName", AAZStrType, ".nrt.alert_rule_template_name") + properties.set_prop("customDetails", AAZDictType, ".nrt.custom_details") + properties.set_prop("description", AAZStrType, ".nrt.description") + properties.set_prop("displayName", AAZStrType, ".nrt.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".nrt.enabled", typ_kwargs={"flags": {"required": True}}) + _build_schema_entity_mappings_create(properties.set_prop("entityMappings", AAZListType, ".nrt.entity_mappings")) + _build_schema_incident_configuration_create(properties.set_prop("incidentConfiguration", AAZObjectType, ".nrt.incident_configuration")) + properties.set_prop("query", AAZStrType, ".nrt.query", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severity", AAZStrType, ".nrt.severity", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionDuration", AAZStrType, ".nrt.suppression_duration", 
typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionEnabled", AAZBoolType, ".nrt.suppression_enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".nrt.tactics") + properties.set_prop("techniques", AAZListType, ".nrt.techniques") + properties.set_prop("templateVersion", AAZStrType, ".nrt.template_version") + + custom_details = _builder.get("{kind:NRT}.properties.customDetails") + if custom_details is not None: + custom_details.set_elements(AAZStrType, ".") + + tactics = _builder.get("{kind:NRT}.properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:NRT}.properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + disc_scheduled = _builder.get("{kind:Scheduled}") + if disc_scheduled is not None: + disc_scheduled.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Scheduled}.properties") + if properties is not None: + _build_schema_alert_details_override_create(properties.set_prop("alertDetailsOverride", AAZObjectType, ".scheduled.alert_details_override")) + properties.set_prop("alertRuleTemplateName", AAZStrType, ".scheduled.alert_rule_template_name") + properties.set_prop("customDetails", AAZDictType, ".scheduled.custom_details") + properties.set_prop("description", AAZStrType, ".scheduled.description") + properties.set_prop("displayName", AAZStrType, ".scheduled.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".scheduled.enabled", typ_kwargs={"flags": {"required": True}}) + _build_schema_entity_mappings_create(properties.set_prop("entityMappings", AAZListType, ".scheduled.entity_mappings")) + properties.set_prop("eventGroupingSettings", AAZObjectType, ".scheduled.event_grouping_settings") + 
_build_schema_incident_configuration_create(properties.set_prop("incidentConfiguration", AAZObjectType, ".scheduled.incident_configuration")) + properties.set_prop("query", AAZStrType, ".scheduled.query", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryFrequency", AAZStrType, ".scheduled.query_frequency", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryPeriod", AAZStrType, ".scheduled.query_period", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severity", AAZStrType, ".scheduled.severity", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionDuration", AAZStrType, ".scheduled.suppression_duration", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionEnabled", AAZBoolType, ".scheduled.suppression_enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".scheduled.tactics") + properties.set_prop("techniques", AAZListType, ".scheduled.techniques") + properties.set_prop("templateVersion", AAZStrType, ".scheduled.template_version") + properties.set_prop("triggerOperator", AAZStrType, ".scheduled.trigger_operator", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggerThreshold", AAZIntType, ".scheduled.trigger_threshold", typ_kwargs={"flags": {"required": True}}) + + custom_details = _builder.get("{kind:Scheduled}.properties.customDetails") + if custom_details is not None: + custom_details.set_elements(AAZStrType, ".") + + event_grouping_settings = _builder.get("{kind:Scheduled}.properties.eventGroupingSettings") + if event_grouping_settings is not None: + event_grouping_settings.set_prop("aggregationKind", AAZStrType, ".aggregation_kind") + + tactics = _builder.get("{kind:Scheduled}.properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:Scheduled}.properties.techniques") + if techniques is not None: + 
techniques.set_elements(AAZStrType, ".") + + disc_threat_intelligence = _builder.get("{kind:ThreatIntelligence}") + if disc_threat_intelligence is not None: + disc_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".threat_intelligence.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".threat_intelligence.enabled", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + 
serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = cls._schema_on_200_201.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.scenario_exclusion_patterns = AAZListType( + serialized_name="scenarioExclusionPatterns", + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + scenario_exclusion_patterns = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrType( + serialized_name="dateAddedInUTC", + flags={"required": True}, + ) + _element.exclusion_pattern = AAZStrType( + serialized_name="exclusionPattern", + flags={"required": True}, + ) + + source_settings = 
cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity_filters = AAZObjectType( + serialized_name="severityFilters", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filters = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListType() + severity_filters.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"read_only": True}, + ) + + filters = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity = AAZStrType( + 
flags={"required": True}, + ) + + tactics = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200_201.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_ml_behavior_analytics = cls._schema_on_200_201.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200_201.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200_201.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_microsoft_security_incident_creation = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", 
"MicrosoftSecurityIncidentCreation").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.severities_filter = AAZListType( + serialized_name="severitiesFilter", + ) + + display_names_exclude_filter = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + severities_filter = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = cls._schema_on_200_201.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = 
AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + + custom_details = cls._schema_on_200_201.discriminate_by("kind", "NRT").properties.custom_details + custom_details.Element = AAZStrType() + + tactics = cls._schema_on_200_201.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200_201.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = cls._schema_on_200_201.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + 
_build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + + 
custom_details = cls._schema_on_200_201.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = cls._schema_on_200_201.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + tactics = cls._schema_on_200_201.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200_201.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + disc_threat_intelligence = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + 
+def _build_schema_alert_details_override_create(_builder): + if _builder is None: + return + _builder.set_prop("alertDescriptionFormat", AAZStrType, ".alert_description_format") + _builder.set_prop("alertDisplayNameFormat", AAZStrType, ".alert_display_name_format") + _builder.set_prop("alertSeverityColumnName", AAZStrType, ".alert_severity_column_name") + _builder.set_prop("alertTacticsColumnName", AAZStrType, ".alert_tactics_column_name") + + +def _build_schema_entity_mappings_create(_builder): + if _builder is None: + return + _builder.set_elements(AAZObjectType) + + _elements = _builder.get("[]") + if _elements is not None: + _elements.set_prop("entityType", AAZStrType, "@EntityMappings_create.[].entity_type") + _elements.set_prop("fieldMappings", AAZListType, "@EntityMappings_create.[].field_mappings") + + field_mappings = _builder.get("[].fieldMappings") + if field_mappings is not None: + field_mappings.set_elements(AAZObjectType) + + _elements = _builder.get("[].fieldMappings[]") + if _elements is not None: + _elements.set_prop("columnName", AAZStrType, "@EntityMappings_create.[].field_mappings.[].column_name") + _elements.set_prop("identifier", AAZStrType, "@EntityMappings_create.[].field_mappings.[].identifier") + + +def _build_schema_incident_configuration_create(_builder): + if _builder is None: + return + _builder.set_prop("createIncident", AAZBoolType, ".create_incident", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("groupingConfiguration", AAZObjectType, ".grouping_configuration") + + grouping_configuration = _builder.get(".groupingConfiguration") + if grouping_configuration is not None: + grouping_configuration.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + grouping_configuration.set_prop("groupByAlertDetails", AAZListType, ".group_by_alert_details") + grouping_configuration.set_prop("groupByCustomDetails", AAZListType, ".group_by_custom_details") + 
grouping_configuration.set_prop("groupByEntities", AAZListType, ".group_by_entities") + grouping_configuration.set_prop("lookbackDuration", AAZStrType, ".lookback_duration", typ_kwargs={"flags": {"required": True}}) + grouping_configuration.set_prop("matchingMethod", AAZStrType, ".matching_method", typ_kwargs={"flags": {"required": True}}) + grouping_configuration.set_prop("reopenClosedIncident", AAZBoolType, ".reopen_closed_incident", typ_kwargs={"flags": {"required": True}}) + + group_by_alert_details = _builder.get(".groupingConfiguration.groupByAlertDetails") + if group_by_alert_details is not None: + group_by_alert_details.set_elements(AAZStrType, ".") + + group_by_custom_details = _builder.get(".groupingConfiguration.groupByCustomDetails") + if group_by_custom_details is not None: + group_by_custom_details.set_elements(AAZStrType, ".") + + group_by_entities = _builder.get(".groupingConfiguration.groupByEntities") + if group_by_entities is not None: + group_by_entities.set_elements(AAZStrType, ".") + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = _schema_alert_details_override_read + alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) 
+ alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier = AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +_schema_incident_configuration_read = None + + +def _build_schema_incident_configuration_read(_schema): + global _schema_incident_configuration_read + if _schema_incident_configuration_read is not None: + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + return + + 
_schema_incident_configuration_read = AAZObjectType() + + incident_configuration_read = _schema_incident_configuration_read + incident_configuration_read.create_incident = AAZBoolType( + serialized_name="createIncident", + flags={"required": True}, + ) + incident_configuration_read.grouping_configuration = AAZObjectType( + serialized_name="groupingConfiguration", + ) + + grouping_configuration = _schema_incident_configuration_read.grouping_configuration + grouping_configuration.enabled = AAZBoolType( + flags={"required": True}, + ) + grouping_configuration.group_by_alert_details = AAZListType( + serialized_name="groupByAlertDetails", + ) + grouping_configuration.group_by_custom_details = AAZListType( + serialized_name="groupByCustomDetails", + ) + grouping_configuration.group_by_entities = AAZListType( + serialized_name="groupByEntities", + ) + grouping_configuration.lookback_duration = AAZStrType( + serialized_name="lookbackDuration", + flags={"required": True}, + ) + grouping_configuration.matching_method = AAZStrType( + serialized_name="matchingMethod", + flags={"required": True}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolType( + serialized_name="reopenClosedIncident", + flags={"required": True}, + ) + + group_by_alert_details = _schema_incident_configuration_read.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrType() + + group_by_custom_details = _schema_incident_configuration_read.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrType() + + group_by_entities = _schema_incident_configuration_read.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrType() + + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + + +__all__ = ["Create"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_delete.py new file mode 100644 index 00000000000..36ac241fe3f --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_delete.py 
@@ -0,0 +1,135 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["-n", "--name", "--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.AlertRulesDelete(ctx=self.ctx)() + + class AlertRulesDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, 
*args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_list.py new file mode 100644 index 00000000000..da3bfbab427 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_list.py 
@@ -0,0 +1,733 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule list", + is_experimental=True, +) +class List(AAZCommand): + """Get all alert rules. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.AlertRulesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class AlertRulesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = 
self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = 
cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.scenario_exclusion_patterns = AAZListType( + 
serialized_name="scenarioExclusionPatterns", + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + scenario_exclusion_patterns = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrType( + serialized_name="dateAddedInUTC", + flags={"required": True}, + ) + _element.exclusion_pattern = AAZStrType( + serialized_name="exclusionPattern", + flags={"required": True}, + ) + + source_settings = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity_filters = AAZObjectType( + serialized_name="severityFilters", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + 
serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filters = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListType() + severity_filters.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"read_only": True}, + ) + + filters = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity = AAZStrType( + flags={"required": True}, + ) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_ml_behavior_analytics = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + 
properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_microsoft_security_incident_creation = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.severities_filter = AAZListType( + serialized_name="severitiesFilter", + ) + + display_names_exclude_filter = 
cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + severities_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + 
properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + + custom_details = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.custom_details + custom_details.Element = AAZStrType() + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.incident_configuration = AAZObjectType( + 
serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + disc_threat_intelligence = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence") 
+ disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = 
_schema_alert_details_override_read + alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) + alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier = AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +_schema_incident_configuration_read = None + + +def _build_schema_incident_configuration_read(_schema): + global 
_schema_incident_configuration_read + if _schema_incident_configuration_read is not None: + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + return + + _schema_incident_configuration_read = AAZObjectType() + + incident_configuration_read = _schema_incident_configuration_read + incident_configuration_read.create_incident = AAZBoolType( + serialized_name="createIncident", + flags={"required": True}, + ) + incident_configuration_read.grouping_configuration = AAZObjectType( + serialized_name="groupingConfiguration", + ) + + grouping_configuration = _schema_incident_configuration_read.grouping_configuration + grouping_configuration.enabled = AAZBoolType( + flags={"required": True}, + ) + grouping_configuration.group_by_alert_details = AAZListType( + serialized_name="groupByAlertDetails", + ) + grouping_configuration.group_by_custom_details = AAZListType( + serialized_name="groupByCustomDetails", + ) + grouping_configuration.group_by_entities = AAZListType( + serialized_name="groupByEntities", + ) + grouping_configuration.lookback_duration = AAZStrType( + serialized_name="lookbackDuration", + flags={"required": True}, + ) + grouping_configuration.matching_method = AAZStrType( + serialized_name="matchingMethod", + flags={"required": True}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolType( + serialized_name="reopenClosedIncident", + flags={"required": True}, + ) + + group_by_alert_details = _schema_incident_configuration_read.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrType() + + group_by_custom_details = _schema_incident_configuration_read.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrType() + + group_by_entities = _schema_incident_configuration_read.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrType() + + 
_schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + + __all__ = ["List"]
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_show.py new file mode 100644
index 00000000000..adf2a5a06a0
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_show.py
@@ -0,0 +1,733 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule show", + is_experimental=True, +) +class Show(AAZCommand): + """Get the alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["-n", "--name", "--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.AlertRulesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class 
AlertRulesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id 
= AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = cls._schema_on_200.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Fusion").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.scenario_exclusion_patterns = AAZListType( + serialized_name="scenarioExclusionPatterns", + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + 
properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + scenario_exclusion_patterns = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrType( + serialized_name="dateAddedInUTC", + flags={"required": True}, + ) + _element.exclusion_pattern = AAZStrType( + serialized_name="exclusionPattern", + flags={"required": True}, + ) + + source_settings = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity_filters = AAZObjectType( + serialized_name="severityFilters", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filters = 
cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListType() + severity_filters.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"read_only": True}, + ) + + filters = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity = AAZStrType( + flags={"required": True}, + ) + + tactics = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_ml_behavior_analytics = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + 
properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_microsoft_security_incident_creation = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.severities_filter = AAZListType( + serialized_name="severitiesFilter", + ) + + display_names_exclude_filter = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + severities_filter = 
cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = cls._schema_on_200.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + + custom_details = cls._schema_on_200.discriminate_by("kind", 
"NRT").properties.custom_details + custom_details.Element = AAZStrType() + + tactics = cls._schema_on_200.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = cls._schema_on_200.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.severity = AAZStrType( + 
flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + tactics = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + disc_threat_intelligence = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + 
serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = _schema_alert_details_override_read + alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) + alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = 
_schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier = AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +_schema_incident_configuration_read = None + + +def _build_schema_incident_configuration_read(_schema): + global _schema_incident_configuration_read + if _schema_incident_configuration_read is not None: + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + return + + _schema_incident_configuration_read = AAZObjectType() + + incident_configuration_read = _schema_incident_configuration_read + incident_configuration_read.create_incident = AAZBoolType( + serialized_name="createIncident", + flags={"required": True}, + ) + incident_configuration_read.grouping_configuration = AAZObjectType( + serialized_name="groupingConfiguration", + ) + + 
grouping_configuration = _schema_incident_configuration_read.grouping_configuration + grouping_configuration.enabled = AAZBoolType( + flags={"required": True}, + ) + grouping_configuration.group_by_alert_details = AAZListType( + serialized_name="groupByAlertDetails", + ) + grouping_configuration.group_by_custom_details = AAZListType( + serialized_name="groupByCustomDetails", + ) + grouping_configuration.group_by_entities = AAZListType( + serialized_name="groupByEntities", + ) + grouping_configuration.lookback_duration = AAZStrType( + serialized_name="lookbackDuration", + flags={"required": True}, + ) + grouping_configuration.matching_method = AAZStrType( + serialized_name="matchingMethod", + flags={"required": True}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolType( + serialized_name="reopenClosedIncident", + flags={"required": True}, + ) + + group_by_alert_details = _schema_incident_configuration_read.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrType() + + group_by_custom_details = _schema_incident_configuration_read.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrType() + + group_by_entities = _schema_incident_configuration_read.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrType() + + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_update.py new file mode 100644 index 00000000000..eca6cdce926 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/_update.py 
@@ -0,0 +1,1785 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["-n", "--name", "--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "AlertRule" + + _args_schema = cls._args_schema + _args_schema.fusion = AAZObjectArg( + options=["--fusion"], + arg_group="AlertRule", + ) + _args_schema.ml_behavior_analytics = AAZObjectArg( + 
options=["--ml-behavior-analytics"], + arg_group="AlertRule", + ) + _args_schema.ms_security_incident = AAZObjectArg( + options=["--ms-security-incident"], + arg_group="AlertRule", + help="Microsoft security incident creation.", + is_experimental=True, + ) + _args_schema.nrt = AAZObjectArg( + options=["--nrt"], + arg_group="AlertRule", + ) + _args_schema.scheduled = AAZObjectArg( + options=["--scheduled"], + arg_group="AlertRule", + ) + _args_schema.threat_intelligence = AAZObjectArg( + options=["--threat-intelligence"], + arg_group="AlertRule", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="AlertRule", + help="Etag of the azure resource", + nullable=True, + ) + + fusion = cls._args_schema.fusion + fusion.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + fusion.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + fusion.scenario_exclusion_patterns = AAZListArg( + options=["scenario-exclusion-patterns"], + help="Configuration to exclude scenarios in fusion detection.", + nullable=True, + ) + fusion.source_settings = AAZListArg( + options=["source-settings"], + help="Configuration for all supported source signals in fusion detection.", + nullable=True, + ) + + scenario_exclusion_patterns = cls._args_schema.fusion.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrArg( + options=["date-added-in-utc"], + help="DateTime when scenario exclusion pattern is added in UTC.", + ) + _element.exclusion_pattern = AAZStrArg( + options=["exclusion-pattern"], + help="Scenario exclusion pattern.", + ) + + source_settings = cls._args_schema.fusion.source_settings + source_settings.Element = AAZObjectArg() + + _element = 
cls._args_schema.fusion.source_settings.Element + _element.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this source signal is enabled or disabled in Fusion detection.", + ) + _element.source_name = AAZStrArg( + options=["source-name"], + help="Name of the Fusion source signal. Refer to Fusion alert rule template for supported values.", + ) + _element.source_sub_types = AAZListArg( + options=["source-sub-types"], + help="Configuration for all source subtypes under this source signal consumed in fusion detection.", + nullable=True, + ) + + source_sub_types = cls._args_schema.fusion.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this source subtype under source signal is enabled or disabled in Fusion detection.", + ) + _element.severity_filters = AAZObjectArg( + options=["severity-filters"], + help="Severity configuration for a source subtype consumed in fusion detection.", + ) + _element.source_sub_type_name = AAZStrArg( + options=["source-sub-type-name"], + help="The Name of the source subtype under a given source signal in Fusion detection. 
Refer to Fusion alert rule template for supported values.", + ) + + severity_filters = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListArg( + options=["filters"], + help="Individual Severity configuration settings for a given source subtype consumed in Fusion detection.", + nullable=True, + ) + + filters = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectArg() + + _element = cls._args_schema.fusion.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection.", + ) + _element.severity = AAZStrArg( + options=["severity"], + help="The Severity for a given source subtype consumed in Fusion detection.", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + + ml_behavior_analytics = cls._args_schema.ml_behavior_analytics + ml_behavior_analytics.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + ml_behavior_analytics.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + + ms_security_incident = cls._args_schema.ms_security_incident + ms_security_incident.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + nullable=True, + ) + ms_security_incident.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + nullable=True, + ) + ms_security_incident.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by this alert rule.", + ) + 
ms_security_incident.display_names_exclude_filter = AAZListArg( + options=["display-names-exclude-filter"], + help="the alerts' displayNames on which the cases will not be generated", + nullable=True, + ) + ms_security_incident.display_names_filter = AAZListArg( + options=["display-names-filter"], + help="the alerts' displayNames on which the cases will be generated", + nullable=True, + ) + ms_security_incident.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + ms_security_incident.product_filter = AAZStrArg( + options=["product-filter"], + help="The alerts' productName on which the cases will be generated", + enum={"Azure Active Directory Identity Protection": "Azure Active Directory Identity Protection", "Azure Advanced Threat Protection": "Azure Advanced Threat Protection", "Azure Security Center": "Azure Security Center", "Azure Security Center for IoT": "Azure Security Center for IoT", "Microsoft Cloud App Security": "Microsoft Cloud App Security", "Microsoft Defender Advanced Threat Protection": "Microsoft Defender Advanced Threat Protection", "Office 365 Advanced Threat Protection": "Office 365 Advanced Threat Protection"}, + ) + ms_security_incident.severities_filter = AAZListArg( + options=["severities-filter"], + help="the alerts' severities on which the cases will be generated", + nullable=True, + ) + + display_names_exclude_filter = cls._args_schema.ms_security_incident.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrArg() + + display_names_filter = cls._args_schema.ms_security_incident.display_names_filter + display_names_filter.Element = AAZStrArg() + + severities_filter = cls._args_schema.ms_security_incident.severities_filter + severities_filter.Element = AAZStrArg( + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + + nrt = cls._args_schema.nrt + nrt.alert_details_override = AAZObjectArg( + 
options=["alert-details-override"], + help="The alert details override settings", + nullable=True, + ) + cls._build_args_alert_details_override_update(nrt.alert_details_override) + nrt.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + nullable=True, + ) + nrt.custom_details = AAZDictArg( + options=["custom-details"], + help="Dictionary of string key-value pairs of columns to be attached to the alert", + nullable=True, + ) + nrt.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + nullable=True, + ) + nrt.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by this alert rule.", + ) + nrt.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + nrt.entity_mappings = AAZListArg( + options=["entity-mappings"], + help="Array of the entity mappings of the alert rule", + nullable=True, + ) + cls._build_args_entity_mappings_update(nrt.entity_mappings) + nrt.incident_configuration = AAZObjectArg( + options=["incident-configuration"], + help="The settings of the incidents that created from alerts triggered by this analytics rule", + nullable=True, + ) + cls._build_args_incident_configuration_update(nrt.incident_configuration) + nrt.query = AAZStrArg( + options=["query"], + help="The query that creates alerts for this rule.", + ) + nrt.severity = AAZStrArg( + options=["severity"], + help="The severity for alerts created by this alert rule.", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + nrt.suppression_duration = AAZStrArg( + options=["suppression-duration"], + help="The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + ) + nrt.suppression_enabled = AAZBoolArg( + options=["suppression-enabled"], + help="Determines 
whether the suppression for this alert rule is enabled or disabled.", + ) + nrt.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the alert rule", + nullable=True, + ) + nrt.techniques = AAZListArg( + options=["techniques"], + help="The techniques of the alert rule", + nullable=True, + ) + nrt.template_version = AAZStrArg( + options=["template-version"], + help="The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + nullable=True, + ) + + custom_details = cls._args_schema.nrt.custom_details + custom_details.Element = AAZStrArg() + + tactics = cls._args_schema.nrt.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.nrt.techniques + techniques.Element = AAZStrArg() + + scheduled = cls._args_schema.scheduled + scheduled.alert_details_override = AAZObjectArg( + options=["alert-details-override"], + help="The alert details override settings", + nullable=True, + ) + cls._build_args_alert_details_override_update(scheduled.alert_details_override) + scheduled.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + nullable=True, + ) + scheduled.custom_details = AAZDictArg( + options=["custom-details"], + help="Dictionary of string key-value pairs of columns to 
be attached to the alert", + nullable=True, + ) + scheduled.description = AAZStrArg( + options=["description"], + help="The description of the alert rule.", + nullable=True, + ) + scheduled.display_name = AAZStrArg( + options=["display-name"], + help="The display name for alerts created by this alert rule.", + ) + scheduled.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + scheduled.entity_mappings = AAZListArg( + options=["entity-mappings"], + help="Array of the entity mappings of the alert rule", + nullable=True, + ) + cls._build_args_entity_mappings_update(scheduled.entity_mappings) + scheduled.event_grouping_settings = AAZObjectArg( + options=["event-grouping-settings"], + help="The event grouping settings.", + nullable=True, + ) + scheduled.incident_configuration = AAZObjectArg( + options=["incident-configuration"], + help="The settings of the incidents that created from alerts triggered by this analytics rule", + nullable=True, + ) + cls._build_args_incident_configuration_update(scheduled.incident_configuration) + scheduled.query = AAZStrArg( + options=["query"], + help="The query that creates alerts for this rule.", + ) + scheduled.query_frequency = AAZStrArg( + options=["query-frequency"], + help="The frequency (in ISO 8601 duration format) for this alert rule to run.", + ) + scheduled.query_period = AAZStrArg( + options=["query-period"], + help="The period (in ISO 8601 duration format) that this alert rule looks at.", + ) + scheduled.severity = AAZStrArg( + options=["severity"], + help="The severity for alerts created by this alert rule.", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + scheduled.suppression_duration = AAZStrArg( + options=["suppression-duration"], + help="The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + ) + scheduled.suppression_enabled = AAZBoolArg( + 
options=["suppression-enabled"], + help="Determines whether the suppression for this alert rule is enabled or disabled.", + ) + scheduled.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the alert rule", + nullable=True, + ) + scheduled.techniques = AAZListArg( + options=["techniques"], + help="The techniques of the alert rule", + nullable=True, + ) + scheduled.template_version = AAZStrArg( + options=["template-version"], + help="The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + nullable=True, + ) + scheduled.trigger_operator = AAZStrArg( + options=["trigger-operator"], + help="The operation against the threshold that triggers alert rule.", + enum={"Equal": "Equal", "GreaterThan": "GreaterThan", "LessThan": "LessThan", "NotEqual": "NotEqual"}, + ) + scheduled.trigger_threshold = AAZIntArg( + options=["trigger-threshold"], + help="The threshold triggers this alert rule.", + ) + + custom_details = cls._args_schema.scheduled.custom_details + custom_details.Element = AAZStrArg() + + event_grouping_settings = cls._args_schema.scheduled.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrArg( + options=["aggregation-kind"], + help="The event grouping aggregation kinds", + nullable=True, + enum={"AlertPerResult": "AlertPerResult", "SingleAlert": "SingleAlert"}, + ) + + tactics = cls._args_schema.scheduled.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": 
"PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.scheduled.techniques + techniques.Element = AAZStrArg() + + threat_intelligence = cls._args_schema.threat_intelligence + threat_intelligence.alert_rule_template_name = AAZStrArg( + options=["alert-rule-template-name"], + help="The Name of the alert rule template used to create this rule.", + ) + threat_intelligence.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this alert rule is enabled or disabled.", + ) + return cls._args_schema + + _args_alert_details_override_update = None + + @classmethod + def _build_args_alert_details_override_update(cls, _schema): + if cls._args_alert_details_override_update is not None: + _schema.alert_description_format = cls._args_alert_details_override_update.alert_description_format + _schema.alert_display_name_format = cls._args_alert_details_override_update.alert_display_name_format + _schema.alert_severity_column_name = cls._args_alert_details_override_update.alert_severity_column_name + _schema.alert_tactics_column_name = cls._args_alert_details_override_update.alert_tactics_column_name + return + + cls._args_alert_details_override_update = AAZObjectArg( + nullable=True, + ) + + alert_details_override_update = cls._args_alert_details_override_update + alert_details_override_update.alert_description_format = AAZStrArg( + options=["alert-description-format"], + help="the format containing columns name(s) to override the alert description", + nullable=True, + ) + alert_details_override_update.alert_display_name_format = AAZStrArg( + options=["alert-display-name-format"], + help="the format containing columns name(s) to override the alert name", + nullable=True, + ) + alert_details_override_update.alert_severity_column_name = AAZStrArg( + options=["alert-severity-column-name"], + help="the column name to take the alert severity from", + nullable=True, + ) + 
alert_details_override_update.alert_tactics_column_name = AAZStrArg( + options=["alert-tactics-column-name"], + help="the column name to take the alert tactics from", + nullable=True, + ) + + _schema.alert_description_format = cls._args_alert_details_override_update.alert_description_format + _schema.alert_display_name_format = cls._args_alert_details_override_update.alert_display_name_format + _schema.alert_severity_column_name = cls._args_alert_details_override_update.alert_severity_column_name + _schema.alert_tactics_column_name = cls._args_alert_details_override_update.alert_tactics_column_name + + _args_entity_mappings_update = None + + @classmethod + def _build_args_entity_mappings_update(cls, _schema): + if cls._args_entity_mappings_update is not None: + _schema.Element = cls._args_entity_mappings_update.Element + return + + cls._args_entity_mappings_update = AAZListArg( + nullable=True, + ) + + entity_mappings_update = cls._args_entity_mappings_update + entity_mappings_update.Element = AAZObjectArg() + + _element = cls._args_entity_mappings_update.Element + _element.entity_type = AAZStrArg( + options=["entity-type"], + help="The V3 type of the mapped entity", + nullable=True, + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "IP": "IP", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityGroup": "SecurityGroup", "SubmissionMail": "SubmissionMail", "URL": "URL"}, + ) + _element.field_mappings = AAZListArg( + options=["field-mappings"], + help="array of field mappings for the given entity mapping", + nullable=True, + ) + + field_mappings = cls._args_entity_mappings_update.Element.field_mappings + field_mappings.Element = AAZObjectArg() + + _element = 
cls._args_entity_mappings_update.Element.field_mappings.Element + _element.column_name = AAZStrArg( + options=["column-name"], + help="the column name to be mapped to the identifier", + nullable=True, + ) + _element.identifier = AAZStrArg( + options=["identifier"], + help="the V3 identifier of the entity", + nullable=True, + ) + + _schema.Element = cls._args_entity_mappings_update.Element + + _args_incident_configuration_update = None + + @classmethod + def _build_args_incident_configuration_update(cls, _schema): + if cls._args_incident_configuration_update is not None: + _schema.create_incident = cls._args_incident_configuration_update.create_incident + _schema.grouping_configuration = cls._args_incident_configuration_update.grouping_configuration + return + + cls._args_incident_configuration_update = AAZObjectArg( + nullable=True, + ) + + incident_configuration_update = cls._args_incident_configuration_update + incident_configuration_update.create_incident = AAZBoolArg( + options=["create-incident"], + help="Create incidents from alerts triggered by this analytics rule", + ) + incident_configuration_update.grouping_configuration = AAZObjectArg( + options=["grouping-configuration"], + help="Set how the alerts that are triggered by this analytics rule, are grouped into incidents", + nullable=True, + ) + + grouping_configuration = cls._args_incident_configuration_update.grouping_configuration + grouping_configuration.enabled = AAZBoolArg( + options=["enabled"], + help="Grouping enabled", + ) + grouping_configuration.group_by_alert_details = AAZListArg( + options=["group-by-alert-details"], + help="A list of alert details to group by (when matchingMethod is Selected)", + nullable=True, + ) + grouping_configuration.group_by_custom_details = AAZListArg( + options=["group-by-custom-details"], + help="A list of custom details keys to group by (when matchingMethod is Selected). 
Only keys defined in the current alert rule may be used.", + nullable=True, + ) + grouping_configuration.group_by_entities = AAZListArg( + options=["group-by-entities"], + help="A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.", + nullable=True, + ) + grouping_configuration.lookback_duration = AAZStrArg( + options=["lookback-duration"], + help="Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + ) + grouping_configuration.matching_method = AAZStrArg( + options=["matching-method"], + help="Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.", + enum={"AllEntities": "AllEntities", "AnyAlert": "AnyAlert", "Selected": "Selected"}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolArg( + options=["reopen-closed-incident"], + help="Re-open closed matching incidents", + ) + + group_by_alert_details = cls._args_incident_configuration_update.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrArg( + enum={"DisplayName": "DisplayName", "Severity": "Severity"}, + ) + + group_by_custom_details = cls._args_incident_configuration_update.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrArg() + + group_by_entities = cls._args_incident_configuration_update.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrArg( + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "IP": "IP", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityGroup": "SecurityGroup", "SubmissionMail": 
"SubmissionMail", "URL": "URL"}, + ) + + _schema.create_incident = cls._args_incident_configuration_update.create_incident + _schema.grouping_configuration = cls._args_incident_configuration_update.grouping_configuration + + def _execute_operations(self): + self.AlertRulesGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.AlertRulesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class AlertRulesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def 
header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_alert_rule_read(cls._schema_on_200) + + return cls._schema_on_200 + + class AlertRulesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + 
@property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_alert_rule_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Fusion", AAZStrType, ".fusion", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MLBehaviorAnalytics", AAZStrType, ".ml_behavior_analytics", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftSecurityIncidentCreation", AAZStrType, ".ms_security_incident", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "NRT", AAZStrType, ".nrt", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Scheduled", AAZStrType, ".scheduled", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligence", AAZStrType, ".threat_intelligence", typ_kwargs={"flags": {"required": True}}) + 
_builder.discriminate_by("kind", "Fusion") + _builder.discriminate_by("kind", "MLBehaviorAnalytics") + _builder.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + _builder.discriminate_by("kind", "NRT") + _builder.discriminate_by("kind", "Scheduled") + _builder.discriminate_by("kind", "ThreatIntelligence") + + disc_fusion = _builder.get("{kind:Fusion}") + if disc_fusion is not None: + disc_fusion.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Fusion}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".fusion.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".fusion.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("scenarioExclusionPatterns", AAZListType, ".fusion.scenario_exclusion_patterns") + properties.set_prop("sourceSettings", AAZListType, ".fusion.source_settings") + + scenario_exclusion_patterns = _builder.get("{kind:Fusion}.properties.scenarioExclusionPatterns") + if scenario_exclusion_patterns is not None: + scenario_exclusion_patterns.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.scenarioExclusionPatterns[]") + if _elements is not None: + _elements.set_prop("dateAddedInUTC", AAZStrType, ".date_added_in_utc", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("exclusionPattern", AAZStrType, ".exclusion_pattern", typ_kwargs={"flags": {"required": True}}) + + source_settings = _builder.get("{kind:Fusion}.properties.sourceSettings") + if source_settings is not None: + source_settings.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceName", AAZStrType, ".source_name", 
typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceSubTypes", AAZListType, ".source_sub_types") + + source_sub_types = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes") + if source_sub_types is not None: + source_sub_types.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("severityFilters", AAZObjectType, ".severity_filters", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("sourceSubTypeName", AAZStrType, ".source_sub_type_name", typ_kwargs={"flags": {"required": True}}) + + severity_filters = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters") + if severity_filters is not None: + severity_filters.set_prop("filters", AAZListType, ".filters") + + filters = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters") + if filters is not None: + filters.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Fusion}.properties.sourceSettings[].sourceSubTypes[].severityFilters.filters[]") + if _elements is not None: + _elements.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("severity", AAZStrType, ".severity", typ_kwargs={"flags": {"required": True}}) + + disc_ml_behavior_analytics = _builder.get("{kind:MLBehaviorAnalytics}") + if disc_ml_behavior_analytics is not None: + disc_ml_behavior_analytics.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MLBehaviorAnalytics}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".ml_behavior_analytics.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + 
properties.set_prop("enabled", AAZBoolType, ".ml_behavior_analytics.enabled", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_security_incident_creation = _builder.get("{kind:MicrosoftSecurityIncidentCreation}") + if disc_microsoft_security_incident_creation is not None: + disc_microsoft_security_incident_creation.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".ms_security_incident.alert_rule_template_name") + properties.set_prop("description", AAZStrType, ".ms_security_incident.description") + properties.set_prop("displayName", AAZStrType, ".ms_security_incident.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("displayNamesExcludeFilter", AAZListType, ".ms_security_incident.display_names_exclude_filter") + properties.set_prop("displayNamesFilter", AAZListType, ".ms_security_incident.display_names_filter") + properties.set_prop("enabled", AAZBoolType, ".ms_security_incident.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("productFilter", AAZStrType, ".ms_security_incident.product_filter", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severitiesFilter", AAZListType, ".ms_security_incident.severities_filter") + + display_names_exclude_filter = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.displayNamesExcludeFilter") + if display_names_exclude_filter is not None: + display_names_exclude_filter.set_elements(AAZStrType, ".") + + display_names_filter = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.displayNamesFilter") + if display_names_filter is not None: + display_names_filter.set_elements(AAZStrType, ".") + + severities_filter = _builder.get("{kind:MicrosoftSecurityIncidentCreation}.properties.severitiesFilter") + if 
severities_filter is not None: + severities_filter.set_elements(AAZStrType, ".") + + disc_nrt = _builder.get("{kind:NRT}") + if disc_nrt is not None: + disc_nrt.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:NRT}.properties") + if properties is not None: + _build_schema_alert_details_override_update(properties.set_prop("alertDetailsOverride", AAZObjectType, ".nrt.alert_details_override")) + properties.set_prop("alertRuleTemplateName", AAZStrType, ".nrt.alert_rule_template_name") + properties.set_prop("customDetails", AAZDictType, ".nrt.custom_details") + properties.set_prop("description", AAZStrType, ".nrt.description") + properties.set_prop("displayName", AAZStrType, ".nrt.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".nrt.enabled", typ_kwargs={"flags": {"required": True}}) + _build_schema_entity_mappings_update(properties.set_prop("entityMappings", AAZListType, ".nrt.entity_mappings")) + _build_schema_incident_configuration_update(properties.set_prop("incidentConfiguration", AAZObjectType, ".nrt.incident_configuration")) + properties.set_prop("query", AAZStrType, ".nrt.query", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severity", AAZStrType, ".nrt.severity", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionDuration", AAZStrType, ".nrt.suppression_duration", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionEnabled", AAZBoolType, ".nrt.suppression_enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".nrt.tactics") + properties.set_prop("techniques", AAZListType, ".nrt.techniques") + properties.set_prop("templateVersion", AAZStrType, ".nrt.template_version") + + custom_details = _builder.get("{kind:NRT}.properties.customDetails") + if custom_details is not None: + custom_details.set_elements(AAZStrType, ".") + + 
tactics = _builder.get("{kind:NRT}.properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:NRT}.properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + disc_scheduled = _builder.get("{kind:Scheduled}") + if disc_scheduled is not None: + disc_scheduled.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Scheduled}.properties") + if properties is not None: + _build_schema_alert_details_override_update(properties.set_prop("alertDetailsOverride", AAZObjectType, ".scheduled.alert_details_override")) + properties.set_prop("alertRuleTemplateName", AAZStrType, ".scheduled.alert_rule_template_name") + properties.set_prop("customDetails", AAZDictType, ".scheduled.custom_details") + properties.set_prop("description", AAZStrType, ".scheduled.description") + properties.set_prop("displayName", AAZStrType, ".scheduled.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".scheduled.enabled", typ_kwargs={"flags": {"required": True}}) + _build_schema_entity_mappings_update(properties.set_prop("entityMappings", AAZListType, ".scheduled.entity_mappings")) + properties.set_prop("eventGroupingSettings", AAZObjectType, ".scheduled.event_grouping_settings") + _build_schema_incident_configuration_update(properties.set_prop("incidentConfiguration", AAZObjectType, ".scheduled.incident_configuration")) + properties.set_prop("query", AAZStrType, ".scheduled.query", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryFrequency", AAZStrType, ".scheduled.query_frequency", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryPeriod", AAZStrType, ".scheduled.query_period", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("severity", AAZStrType, ".scheduled.severity", typ_kwargs={"flags": {"required": True}}) + 
properties.set_prop("suppressionDuration", AAZStrType, ".scheduled.suppression_duration", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("suppressionEnabled", AAZBoolType, ".scheduled.suppression_enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".scheduled.tactics") + properties.set_prop("techniques", AAZListType, ".scheduled.techniques") + properties.set_prop("templateVersion", AAZStrType, ".scheduled.template_version") + properties.set_prop("triggerOperator", AAZStrType, ".scheduled.trigger_operator", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggerThreshold", AAZIntType, ".scheduled.trigger_threshold", typ_kwargs={"flags": {"required": True}}) + + custom_details = _builder.get("{kind:Scheduled}.properties.customDetails") + if custom_details is not None: + custom_details.set_elements(AAZStrType, ".") + + event_grouping_settings = _builder.get("{kind:Scheduled}.properties.eventGroupingSettings") + if event_grouping_settings is not None: + event_grouping_settings.set_prop("aggregationKind", AAZStrType, ".aggregation_kind") + + tactics = _builder.get("{kind:Scheduled}.properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:Scheduled}.properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + disc_threat_intelligence = _builder.get("{kind:ThreatIntelligence}") + if disc_threat_intelligence is not None: + disc_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("alertRuleTemplateName", AAZStrType, ".threat_intelligence.alert_rule_template_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".threat_intelligence.enabled", typ_kwargs={"flags": {"required": 
True}}) + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +def _build_schema_alert_details_override_update(_builder): + if _builder is None: + return + _builder.set_prop("alertDescriptionFormat", AAZStrType, ".alert_description_format") + _builder.set_prop("alertDisplayNameFormat", AAZStrType, ".alert_display_name_format") + _builder.set_prop("alertSeverityColumnName", AAZStrType, ".alert_severity_column_name") + _builder.set_prop("alertTacticsColumnName", AAZStrType, ".alert_tactics_column_name") + + +def _build_schema_entity_mappings_update(_builder): + if _builder is None: + return + _builder.set_elements(AAZObjectType) + + _elements = _builder.get("[]") + if _elements is not None: + _elements.set_prop("entityType", AAZStrType, "@EntityMappings_update.[].entity_type") + _elements.set_prop("fieldMappings", AAZListType, "@EntityMappings_update.[].field_mappings") + + field_mappings = _builder.get("[].fieldMappings") + if field_mappings is not None: + field_mappings.set_elements(AAZObjectType) + + _elements = _builder.get("[].fieldMappings[]") + if _elements is not None: + _elements.set_prop("columnName", AAZStrType, "@EntityMappings_update.[].field_mappings.[].column_name") + _elements.set_prop("identifier", AAZStrType, "@EntityMappings_update.[].field_mappings.[].identifier") + + +def _build_schema_incident_configuration_update(_builder): + if _builder is None: + return + _builder.set_prop("createIncident", AAZBoolType, ".create_incident", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("groupingConfiguration", AAZObjectType, ".grouping_configuration") + + grouping_configuration = _builder.get(".groupingConfiguration") + if grouping_configuration is not None: + grouping_configuration.set_prop("enabled", AAZBoolType, ".enabled", typ_kwargs={"flags": {"required": 
True}}) + grouping_configuration.set_prop("groupByAlertDetails", AAZListType, ".group_by_alert_details") + grouping_configuration.set_prop("groupByCustomDetails", AAZListType, ".group_by_custom_details") + grouping_configuration.set_prop("groupByEntities", AAZListType, ".group_by_entities") + grouping_configuration.set_prop("lookbackDuration", AAZStrType, ".lookback_duration", typ_kwargs={"flags": {"required": True}}) + grouping_configuration.set_prop("matchingMethod", AAZStrType, ".matching_method", typ_kwargs={"flags": {"required": True}}) + grouping_configuration.set_prop("reopenClosedIncident", AAZBoolType, ".reopen_closed_incident", typ_kwargs={"flags": {"required": True}}) + + group_by_alert_details = _builder.get(".groupingConfiguration.groupByAlertDetails") + if group_by_alert_details is not None: + group_by_alert_details.set_elements(AAZStrType, ".") + + group_by_custom_details = _builder.get(".groupingConfiguration.groupByCustomDetails") + if group_by_custom_details is not None: + group_by_custom_details.set_elements(AAZStrType, ".") + + group_by_entities = _builder.get(".groupingConfiguration.groupByEntities") + if group_by_entities is not None: + group_by_entities.set_elements(AAZStrType, ".") + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = _schema_alert_details_override_read + 
alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) + alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + + +_schema_alert_rule_read = None + + +def _build_schema_alert_rule_read(_schema): + global _schema_alert_rule_read + if _schema_alert_rule_read is not None: + _schema.etag = _schema_alert_rule_read.etag + _schema.id = _schema_alert_rule_read.id + _schema.kind = _schema_alert_rule_read.kind + _schema.name = _schema_alert_rule_read.name + _schema.system_data = _schema_alert_rule_read.system_data + _schema.type = _schema_alert_rule_read.type + _schema.discriminate_by( + "kind", + "Fusion", + _schema_alert_rule_read.discriminate_by( + "kind", + "Fusion", + ) + ) + _schema.discriminate_by( + "kind", + "MLBehaviorAnalytics", + _schema_alert_rule_read.discriminate_by( + "kind", + "MLBehaviorAnalytics", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftSecurityIncidentCreation", + _schema_alert_rule_read.discriminate_by( + "kind", + "MicrosoftSecurityIncidentCreation", + ) + ) + _schema.discriminate_by( + "kind", + "NRT", + _schema_alert_rule_read.discriminate_by( + "kind", + "NRT", + ) + ) + _schema.discriminate_by( + "kind", + "Scheduled", + _schema_alert_rule_read.discriminate_by( + "kind", + 
"Scheduled", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligence", + _schema_alert_rule_read.discriminate_by( + "kind", + "ThreatIntelligence", + ) + ) + return + + _schema_alert_rule_read = AAZObjectType() + + alert_rule_read = _schema_alert_rule_read + alert_rule_read.etag = AAZStrType() + alert_rule_read.id = AAZStrType( + flags={"read_only": True}, + ) + alert_rule_read.kind = AAZStrType( + flags={"required": True}, + ) + alert_rule_read.name = AAZStrType( + flags={"read_only": True}, + ) + alert_rule_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + alert_rule_read.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = _schema_alert_rule_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = _schema_alert_rule_read.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = 
AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.scenario_exclusion_patterns = AAZListType( + serialized_name="scenarioExclusionPatterns", + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + scenario_exclusion_patterns = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns + scenario_exclusion_patterns.Element = AAZObjectType() + + _element = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.scenario_exclusion_patterns.Element + _element.date_added_in_utc = AAZStrType( + serialized_name="dateAddedInUTC", + flags={"required": True}, + ) + _element.exclusion_pattern = AAZStrType( + serialized_name="exclusionPattern", + flags={"required": True}, + ) + + source_settings = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + 
_element.severity_filters = AAZObjectType( + serialized_name="severityFilters", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filters = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters + severity_filters.filters = AAZListType() + severity_filters.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"read_only": True}, + ) + + filters = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters + filters.Element = AAZObjectType() + + _element = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filters.filters.Element + _element.enabled = AAZBoolType( + flags={"required": True}, + ) + _element.severity = AAZStrType( + flags={"required": True}, + ) + + tactics = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = _schema_alert_rule_read.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_ml_behavior_analytics = _schema_alert_rule_read.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_alert_rule_read.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + 
properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = _schema_alert_rule_read.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = _schema_alert_rule_read.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_microsoft_security_incident_creation = _schema_alert_rule_read.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_alert_rule_read.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.severities_filter = AAZListType( + 
serialized_name="severitiesFilter", + ) + + display_names_exclude_filter = _schema_alert_rule_read.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = _schema_alert_rule_read.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + severities_filter = _schema_alert_rule_read.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = _schema_alert_rule_read.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_alert_rule_read.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + _build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, 
+ ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + + custom_details = _schema_alert_rule_read.discriminate_by("kind", "NRT").properties.custom_details + custom_details.Element = AAZStrType() + + tactics = _schema_alert_rule_read.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = _schema_alert_rule_read.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = _schema_alert_rule_read.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_alert_rule_read.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.incident_configuration = AAZObjectType( + serialized_name="incidentConfiguration", + ) + 
_build_schema_incident_configuration_read(properties.incident_configuration) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.suppression_duration = AAZStrType( + serialized_name="suppressionDuration", + flags={"required": True}, + ) + properties.suppression_enabled = AAZBoolType( + serialized_name="suppressionEnabled", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.template_version = AAZStrType( + serialized_name="templateVersion", + ) + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + + custom_details = _schema_alert_rule_read.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = _schema_alert_rule_read.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + tactics = _schema_alert_rule_read.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = _schema_alert_rule_read.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + disc_threat_intelligence = _schema_alert_rule_read.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + 
) + + properties = _schema_alert_rule_read.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rule_template_name = AAZStrType( + serialized_name="alertRuleTemplateName", + flags={"required": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.techniques = AAZListType( + flags={"read_only": True}, + ) + + tactics = _schema_alert_rule_read.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = _schema_alert_rule_read.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + _schema.etag = _schema_alert_rule_read.etag + _schema.id = _schema_alert_rule_read.id + _schema.kind = _schema_alert_rule_read.kind + _schema.name = _schema_alert_rule_read.name + _schema.system_data = _schema_alert_rule_read.system_data + _schema.type = _schema_alert_rule_read.type + _schema.discriminate_by( + "kind", + "Fusion", + _schema_alert_rule_read.discriminate_by( + "kind", + "Fusion", + ) + ) + _schema.discriminate_by( + "kind", + "MLBehaviorAnalytics", + _schema_alert_rule_read.discriminate_by( + "kind", + "MLBehaviorAnalytics", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftSecurityIncidentCreation", + _schema_alert_rule_read.discriminate_by( + "kind", + "MicrosoftSecurityIncidentCreation", + ) + ) + _schema.discriminate_by( + "kind", + "NRT", + _schema_alert_rule_read.discriminate_by( + "kind", + "NRT", + ) + ) + 
_schema.discriminate_by( + "kind", + "Scheduled", + _schema_alert_rule_read.discriminate_by( + "kind", + "Scheduled", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligence", + _schema_alert_rule_read.discriminate_by( + "kind", + "ThreatIntelligence", + ) + ) + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier = AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +_schema_incident_configuration_read = None + + +def _build_schema_incident_configuration_read(_schema): + global _schema_incident_configuration_read + if _schema_incident_configuration_read is not None: + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + return + + _schema_incident_configuration_read = AAZObjectType() + + incident_configuration_read = _schema_incident_configuration_read + incident_configuration_read.create_incident = AAZBoolType( + serialized_name="createIncident", + flags={"required": True}, + ) + incident_configuration_read.grouping_configuration = AAZObjectType( + serialized_name="groupingConfiguration", + 
) + + grouping_configuration = _schema_incident_configuration_read.grouping_configuration + grouping_configuration.enabled = AAZBoolType( + flags={"required": True}, + ) + grouping_configuration.group_by_alert_details = AAZListType( + serialized_name="groupByAlertDetails", + ) + grouping_configuration.group_by_custom_details = AAZListType( + serialized_name="groupByCustomDetails", + ) + grouping_configuration.group_by_entities = AAZListType( + serialized_name="groupByEntities", + ) + grouping_configuration.lookback_duration = AAZStrType( + serialized_name="lookbackDuration", + flags={"required": True}, + ) + grouping_configuration.matching_method = AAZStrType( + serialized_name="matchingMethod", + flags={"required": True}, + ) + grouping_configuration.reopen_closed_incident = AAZBoolType( + serialized_name="reopenClosedIncident", + flags={"required": True}, + ) + + group_by_alert_details = _schema_incident_configuration_read.grouping_configuration.group_by_alert_details + group_by_alert_details.Element = AAZStrType() + + group_by_custom_details = _schema_incident_configuration_read.grouping_configuration.group_by_custom_details + group_by_custom_details.Element = AAZStrType() + + group_by_entities = _schema_incident_configuration_read.grouping_configuration.group_by_entities + group_by_entities.Element = AAZStrType() + + _schema.create_incident = _schema_incident_configuration_read.create_incident + _schema.grouping_configuration = _schema_incident_configuration_read.grouping_configuration + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__cmd_group.py new file mode 100644 index 00000000000..227f199b1fe --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel alert-rule action", +) +class __CMDGroup(AAZCommandGroup): + """Manage alert rule action with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_create.py new file mode 100644 index 00000000000..54e6390a858 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_create.py 
@@ -0,0 +1,266 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule action create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the action of alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}/actions/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.action_name = AAZStrArg( + options=["-n", "--name", "--action-name"], + help="Name of action.", + required=True, + is_experimental=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Action" + + _args_schema = cls._args_schema 
+ _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Action", + help="Etag of the azure resource", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.logic_app_resource_id = AAZStrArg( + options=["--logic-app-resource-id"], + arg_group="Properties", + help="Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + ) + _args_schema.trigger_uri = AAZStrArg( + options=["--trigger-uri"], + arg_group="Properties", + help="Logic App Callback URL for this specific workflow.", + ) + return cls._args_schema + + def _execute_operations(self): + self.ActionsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ActionsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "actionId", self.ctx.args.action_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), 
+ **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("logicAppResourceId", AAZStrType, ".logic_app_resource_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggerUri", AAZStrType, ".trigger_uri", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + 
flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + flags={"required": True}, + ) + properties.workflow_id = AAZStrType( + serialized_name="workflowId", + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_delete.py new file mode 100644 index 00000000000..2141d371cb0 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_delete.py 
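Review bot: In `Create._build_arguments_schema`, `--logic-app-resource-id` and `--trigger-uri` are declared without `required=True`, yet the `content` property marks both `logicAppResourceId` and `triggerUri` with `typ_kwargs={"flags": {"required": True}}`, so a missing flag is rejected only when the PUT body is serialized rather than by argument parsing, and the error does not name the option. Since the file is generated by aaz-dev-tools, the fix belongs in the command's aaz specification so that the generator emits `required=True,` on both `AAZStrArg` definitions. The trigger URI is a Logic App callback URL, which presumably carries the callback's authorization signature in its query string; the help text should say so, e.g. `help="Logic App Callback URL for this specific workflow. Treat it as a credential: the URL embeds the callback authorization signature."`, so operators avoid leaving it in shared shell history or CI logs. The response schema in `_build_schema_on_200_201` exposes only `logicAppResourceId` and `workflowId`, which appears consistent with the service not echoing the trigger URI back, so it cannot be recovered later via `show`.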
@@ -0,0 +1,146 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule action delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the action of alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}/actions/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.action_name = AAZStrArg( + options=["-n", "--name", "--action-name"], + help="Name of action.", + required=True, + is_experimental=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return 
cls._args_schema + + def _execute_operations(self): + self.ActionsDelete(ctx=self.ctx)() + + class ActionsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "actionId", self.ctx.args.action_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_list.py new file mode 100644 index 00000000000..96e4038dc15 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_list.py 
@@ -0,0 +1,222 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule action list", + is_experimental=True, +) +class List(AAZCommand): + """Get all actions of alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}/actions", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.ActionsListByAlertRule(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = 
self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class ActionsListByAlertRule(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = 
AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + flags={"required": True}, + ) + properties.workflow_id = AAZStrType( + serialized_name="workflowId", + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_show.py new file mode 100644 index 00000000000..32aa7332a80 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_show.py 
@@ -0,0 +1,223 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule action show", + is_experimental=True, +) +class Show(AAZCommand): + """Get the action of alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}/actions/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.action_name = AAZStrArg( + options=["-n", "--name", "--action-name"], + help="Name of action.", + required=True, + is_experimental=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + 
self.ActionsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ActionsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "actionId", self.ctx.args.action_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + 
schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + flags={"required": True}, + ) + properties.workflow_id = AAZStrType( + serialized_name="workflowId", + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_update.py new file mode 100644 index 00000000000..eb0f83d011f --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/action/_update.py 
@@ -0,0 +1,409 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule action update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the action of alert rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertrules/{}/actions/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.action_name = AAZStrArg( + options=["-n", "--name", "--action-name"], + help="Name of action.", + required=True, + is_experimental=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.rule_name = AAZStrArg( + options=["--rule-name"], + help="Name of alert rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group 
"Action" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Action", + help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.logic_app_resource_id = AAZStrArg( + options=["--logic-app-resource-id"], + arg_group="Properties", + help="Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + ) + _args_schema.trigger_uri = AAZStrArg( + options=["--trigger-uri"], + arg_group="Properties", + help="Logic App Callback URL for this specific workflow.", + ) + return cls._args_schema + + def _execute_operations(self): + self.ActionsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.ActionsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ActionsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "actionId", self.ctx.args.action_name, + required=True, + ), + 
**self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_action_response_read(cls._schema_on_200) + + return cls._schema_on_200 + + class ActionsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def 
url_parameters(self): + parameters = { + **self.serialize_url_param( + "actionId", self.ctx.args.action_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "ruleId", self.ctx.args.rule_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_action_response_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + 
_builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("logicAppResourceId", AAZStrType, ".logic_app_resource_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggerUri", AAZStrType, ".trigger_uri", typ_kwargs={"flags": {"required": True}}) + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_action_response_read = None + + +def _build_schema_action_response_read(_schema): + global _schema_action_response_read + if _schema_action_response_read is not None: + _schema.etag = _schema_action_response_read.etag + _schema.id = _schema_action_response_read.id + _schema.name = _schema_action_response_read.name + _schema.properties = _schema_action_response_read.properties + _schema.system_data = _schema_action_response_read.system_data + _schema.type = _schema_action_response_read.type + return + + _schema_action_response_read = AAZObjectType() + + action_response_read = _schema_action_response_read + action_response_read.etag = AAZStrType() + action_response_read.id = AAZStrType( + flags={"read_only": True}, + ) + action_response_read.name = AAZStrType( + flags={"read_only": True}, + ) + action_response_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + action_response_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + action_response_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_action_response_read.properties + properties.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + flags={"required": True}, + ) + properties.workflow_id = AAZStrType( + serialized_name="workflowId", + ) + + system_data 
= _schema_action_response_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_action_response_read.etag + _schema.id = _schema_action_response_read.id + _schema.name = _schema_action_response_read.name + _schema.properties = _schema_action_response_read.properties + _schema.system_data = _schema_action_response_read.system_data + _schema.type = _schema_action_response_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__cmd_group.py new file mode 100644 index 00000000000..a9c9a722ef6 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__cmd_group.py 
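Review bot: In InstanceUpdateByJson._update_instance the `triggerUri` property is written with `flags={"required": True}`, yet the GET response schema built by `_build_schema_action_response_read` carries only `logicAppResourceId` and `workflowId`, so an update that omits `--trigger-uri` (for example one that changes only `--logic-app-resource-id` or `--etag`) presumably produces a PUT body with no triggerUri; please confirm the service accepts that, or mark `--trigger-uri` with `required=True` in `_build_arguments_schema` so the failure is reported before the GET/PUT round trip. Separately, the `--trigger-uri` value is a Logic App callback URL, which normally embeds a SAS signature in its query string, so it lands in shell history and any argument logging; its help text should say so, e.g. `help="Logic App Callback URL for this specific workflow. The URL embeds a SAS signature; treat it as a secret."`. Since the response schema never echoes the trigger URI back, a reader of the update command cannot tell from the output whether the value was applied, which is worth a one-line comment above the `triggerUri` set_prop call.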
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel alert-rule template", +) +class __CMDGroup(AAZCommandGroup): + """Manage alert rule template with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__init__.py new file mode 100644 index 00000000000..2df85698253 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/__init__.py @@ -0,0 +1,13 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._list import * +from ._show import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_list.py new file mode 100644 index 00000000000..1c3dd6118d3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_list.py 
@@ -0,0 +1,698 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule template list", + is_experimental=True, +) +class List(AAZCommand): + """Get all alert rule templates. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertruletemplates", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.AlertRuleTemplatesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class AlertRuleTemplatesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + 
value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + 
properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + source_settings = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.severity_filter = AAZObjectType( + serialized_name="severityFilter", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filter + 
severity_filter.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"required": True}, + ) + severity_filter.severity_filters = AAZListType( + serialized_name="severityFilters", + ) + + severity_filters = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filter.severity_filters + severity_filters.Element = AAZStrType() + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType() + + disc_ml_behavior_analytics = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", 
"MLBehaviorAnalytics").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType() + + disc_microsoft_security_incident_creation = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"required": True, "read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severities_filter = AAZListType( + serialized_name="severitiesFilter", + ) + properties.status = AAZStrType( + 
flags={"required": True}, + ) + + display_names_exclude_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + severities_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + 
_build_schema_entity_mappings_read(properties.entity_mappings) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.version = AAZStrType( + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.custom_details + custom_details.Element = AAZStrType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + 
serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + properties.version = AAZStrType( + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + 
required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + disc_threat_intelligence = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + 
_build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType() + + return cls._schema_on_200 + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = _schema_alert_details_override_read + alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) + alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = 
_schema_alert_details_override_read.alert_tactics_column_name + + +_schema_alert_rule_template_data_source_read = None + + +def _build_schema_alert_rule_template_data_source_read(_schema): + global _schema_alert_rule_template_data_source_read + if _schema_alert_rule_template_data_source_read is not None: + _schema.connector_id = _schema_alert_rule_template_data_source_read.connector_id + _schema.data_types = _schema_alert_rule_template_data_source_read.data_types + return + + _schema_alert_rule_template_data_source_read = AAZObjectType() + + alert_rule_template_data_source_read = _schema_alert_rule_template_data_source_read + alert_rule_template_data_source_read.connector_id = AAZStrType( + serialized_name="connectorId", + ) + alert_rule_template_data_source_read.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = _schema_alert_rule_template_data_source_read.data_types + data_types.Element = AAZStrType() + + _schema.connector_id = _schema_alert_rule_template_data_source_read.connector_id + _schema.data_types = _schema_alert_rule_template_data_source_read.data_types + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier 
= AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_show.py new file mode 100644 index 00000000000..c7747d9e06e --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/alert_rule/template/_show.py 
@@ -0,0 +1,697 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel alert-rule template show", + is_experimental=True, +) +class Show(AAZCommand): + """Get the alert rule template. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/alertruletemplates/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.alert_rule_template_id = AAZStrArg( + options=["-n", "--name", "--alert-rule-template-id"], + help="Alert rule template ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.AlertRuleTemplatesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return 
result + + class AlertRuleTemplatesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "alertRuleTemplateId", self.ctx.args.alert_rule_template_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = 
cls._schema_on_200 + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_fusion = cls._schema_on_200.discriminate_by("kind", "Fusion") + disc_fusion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Fusion").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + 
serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.source_settings = AAZListType( + serialized_name="sourceSettings", + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + source_settings = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings + source_settings.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element + _element.source_name = AAZStrType( + serialized_name="sourceName", + flags={"required": True}, + ) + _element.source_sub_types = AAZListType( + serialized_name="sourceSubTypes", + ) + + source_sub_types = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types + source_sub_types.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element + _element.severity_filter = AAZObjectType( + serialized_name="severityFilter", + flags={"required": True}, + ) + _element.source_sub_type_display_name = AAZStrType( + serialized_name="sourceSubTypeDisplayName", + flags={"read_only": True}, + ) + _element.source_sub_type_name = AAZStrType( + serialized_name="sourceSubTypeName", + flags={"required": True}, + ) + + severity_filter = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filter + severity_filter.is_supported = AAZBoolType( + serialized_name="isSupported", + flags={"required": True}, + ) + severity_filter.severity_filters = 
AAZListType( + serialized_name="severityFilters", + ) + + severity_filters = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.source_settings.Element.source_sub_types.Element.severity_filter.severity_filters + severity_filters.Element = AAZStrType() + + tactics = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "Fusion").properties.techniques + techniques.Element = AAZStrType() + + disc_ml_behavior_analytics = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics") + disc_ml_behavior_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = 
cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "MLBehaviorAnalytics").properties.techniques + techniques.Element = AAZStrType() + + disc_microsoft_security_incident_creation = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation") + disc_microsoft_security_incident_creation.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"required": True, "read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.display_names_exclude_filter = AAZListType( + serialized_name="displayNamesExcludeFilter", + ) + properties.display_names_filter = AAZListType( + serialized_name="displayNamesFilter", + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.product_filter = AAZStrType( + serialized_name="productFilter", + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severities_filter = AAZListType( + serialized_name="severitiesFilter", + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + + display_names_exclude_filter = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_exclude_filter + display_names_exclude_filter.Element = AAZStrType() + + display_names_filter = 
cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.display_names_filter + display_names_filter.Element = AAZStrType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + severities_filter = cls._schema_on_200.discriminate_by("kind", "MicrosoftSecurityIncidentCreation").properties.severities_filter + severities_filter.Element = AAZStrType() + + disc_nrt = cls._schema_on_200.discriminate_by("kind", "NRT") + disc_nrt.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "NRT").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity 
= AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.version = AAZStrType( + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.discriminate_by("kind", "NRT").properties.custom_details + custom_details.Element = AAZStrType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "NRT").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.discriminate_by("kind", "NRT").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "NRT").properties.techniques + techniques.Element = AAZStrType() + + disc_scheduled = cls._schema_on_200.discriminate_by("kind", "Scheduled") + disc_scheduled.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties + properties.alert_details_override = AAZObjectType( + serialized_name="alertDetailsOverride", + ) + _build_schema_alert_details_override_read(properties.alert_details_override) + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.custom_details = AAZDictType( + serialized_name="customDetails", + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + _build_schema_entity_mappings_read(properties.entity_mappings) + 
properties.event_grouping_settings = AAZObjectType( + serialized_name="eventGroupingSettings", + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_frequency = AAZStrType( + serialized_name="queryFrequency", + flags={"required": True}, + ) + properties.query_period = AAZStrType( + serialized_name="queryPeriod", + flags={"required": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.trigger_operator = AAZStrType( + serialized_name="triggerOperator", + flags={"required": True}, + ) + properties.trigger_threshold = AAZIntType( + serialized_name="triggerThreshold", + flags={"required": True}, + ) + properties.version = AAZStrType( + flags={"required": True}, + ) + + custom_details = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.custom_details + custom_details.Element = AAZStrType() + + event_grouping_settings = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.event_grouping_settings + event_grouping_settings.aggregation_kind = AAZStrType( + serialized_name="aggregationKind", + ) + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "Scheduled").properties.techniques + techniques.Element = AAZStrType() + + 
disc_threat_intelligence = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties + properties.alert_rules_created_by_template_count = AAZIntType( + serialized_name="alertRulesCreatedByTemplateCount", + flags={"required": True}, + ) + properties.created_date_utc = AAZStrType( + serialized_name="createdDateUTC", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"required": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_updated_date_utc = AAZStrType( + serialized_name="lastUpdatedDateUTC", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + _build_schema_alert_rule_template_data_source_read(required_data_connectors.Element) + + tactics = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.techniques + techniques.Element = AAZStrType() + + return cls._schema_on_200 + + +_schema_alert_details_override_read = None + + +def _build_schema_alert_details_override_read(_schema): + global _schema_alert_details_override_read + if _schema_alert_details_override_read is not None: + _schema.alert_description_format = 
_schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + return + + _schema_alert_details_override_read = AAZObjectType() + + alert_details_override_read = _schema_alert_details_override_read + alert_details_override_read.alert_description_format = AAZStrType( + serialized_name="alertDescriptionFormat", + ) + alert_details_override_read.alert_display_name_format = AAZStrType( + serialized_name="alertDisplayNameFormat", + ) + alert_details_override_read.alert_severity_column_name = AAZStrType( + serialized_name="alertSeverityColumnName", + ) + alert_details_override_read.alert_tactics_column_name = AAZStrType( + serialized_name="alertTacticsColumnName", + ) + + _schema.alert_description_format = _schema_alert_details_override_read.alert_description_format + _schema.alert_display_name_format = _schema_alert_details_override_read.alert_display_name_format + _schema.alert_severity_column_name = _schema_alert_details_override_read.alert_severity_column_name + _schema.alert_tactics_column_name = _schema_alert_details_override_read.alert_tactics_column_name + + +_schema_alert_rule_template_data_source_read = None + + +def _build_schema_alert_rule_template_data_source_read(_schema): + global _schema_alert_rule_template_data_source_read + if _schema_alert_rule_template_data_source_read is not None: + _schema.connector_id = _schema_alert_rule_template_data_source_read.connector_id + _schema.data_types = _schema_alert_rule_template_data_source_read.data_types + return + + _schema_alert_rule_template_data_source_read = AAZObjectType() + + alert_rule_template_data_source_read = _schema_alert_rule_template_data_source_read + alert_rule_template_data_source_read.connector_id = 
AAZStrType( + serialized_name="connectorId", + ) + alert_rule_template_data_source_read.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = _schema_alert_rule_template_data_source_read.data_types + data_types.Element = AAZStrType() + + _schema.connector_id = _schema_alert_rule_template_data_source_read.connector_id + _schema.data_types = _schema_alert_rule_template_data_source_read.data_types + + +_schema_entity_mappings_read = None + + +def _build_schema_entity_mappings_read(_schema): + global _schema_entity_mappings_read + if _schema_entity_mappings_read is not None: + _schema.Element = _schema_entity_mappings_read.Element + return + + _schema_entity_mappings_read = AAZListType() + + entity_mappings_read = _schema_entity_mappings_read + entity_mappings_read.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_entity_mappings_read.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_entity_mappings_read.Element.field_mappings.Element + _element.column_name = AAZStrType( + serialized_name="columnName", + ) + _element.identifier = AAZStrType() + + _schema.Element = _schema_entity_mappings_read.Element + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__cmd_group.py new file mode 100644 index 00000000000..dc27c23fbcc --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel analytics-setting", +) +class __CMDGroup(AAZCommandGroup): + """Manage security ml analytics setting with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_create.py new file mode 100644 index 00000000000..f55ced3e592 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_create.py 
@@ -0,0 +1,411 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel analytics-setting create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the Security ML Analytics Settings. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/securitymlanalyticssettings/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_resource_name = AAZStrArg( + options=["-n", "--name", "--settings-resource-name"], + help="Security ML Analytics Settings resource name", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "SecurityMLAnalyticsSetting" + + _args_schema = cls._args_schema + _args_schema.anomaly = AAZObjectArg( + options=["--anomaly"], + 
arg_group="SecurityMLAnalyticsSetting", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SecurityMLAnalyticsSetting", + help="Etag of the azure resource", + ) + + anomaly = cls._args_schema.anomaly + anomaly.anomaly_settings_version = AAZIntArg( + options=["anomaly-settings-version"], + help="The anomaly settings version of the Anomaly security ml analytics settings that dictates whether job version gets updated or not.", + ) + anomaly.anomaly_version = AAZStrArg( + options=["anomaly-version"], + help="The anomaly version of the AnomalySecurityMLAnalyticsSettings.", + ) + anomaly.description = AAZStrArg( + options=["description"], + help="The description of the SecurityMLAnalyticsSettings.", + ) + anomaly.display_name = AAZStrArg( + options=["display-name"], + help="The display name for settings created by this SecurityMLAnalyticsSettings.", + ) + anomaly.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this settings is enabled or disabled.", + ) + anomaly.frequency = AAZStrArg( + options=["frequency"], + help="The frequency that this SecurityMLAnalyticsSettings will be run.", + ) + anomaly.is_default_settings = AAZBoolArg( + options=["is-default-settings"], + help="Determines whether this anomaly security ml analytics settings is a default settings", + ) + anomaly.required_data_connectors = AAZListArg( + options=["required-data-connectors"], + help="The required data sources for this SecurityMLAnalyticsSettings", + ) + anomaly.settings_definition_id = AAZStrArg( + options=["settings-definition-id"], + help="The anomaly settings definition Id", + ) + anomaly.settings_status = AAZStrArg( + options=["settings-status"], + help="The anomaly SecurityMLAnalyticsSettings status", + enum={"Flighting": "Flighting", "Production": "Production"}, + ) + anomaly.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the SecurityMLAnalyticsSettings", + ) + anomaly.techniques = AAZListArg( + options=["techniques"], + 
help="The techniques of the SecurityMLAnalyticsSettings", + ) + + required_data_connectors = cls._args_schema.anomaly.required_data_connectors + required_data_connectors.Element = AAZObjectArg() + + _element = cls._args_schema.anomaly.required_data_connectors.Element + _element.connector_id = AAZStrArg( + options=["connector-id"], + help="The connector id that provides the following data types", + ) + _element.data_types = AAZListArg( + options=["data-types"], + help="The data types used by the security ml analytics settings", + ) + + data_types = cls._args_schema.anomaly.required_data_connectors.Element.data_types + data_types.Element = AAZStrArg() + + tactics = cls._args_schema.anomaly.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.anomaly.techniques + techniques.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.SecurityMLAnalyticsSettingsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SecurityMLAnalyticsSettingsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in 
[200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsResourceName", self.ctx.args.settings_resource_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Anomaly", AAZStrType, ".anomaly", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "Anomaly") + + disc_anomaly = _builder.get("{kind:Anomaly}") + if disc_anomaly is not None: + disc_anomaly.set_prop("properties", AAZObjectType, typ_kwargs={"flags": 
{"client_flatten": True}}) + + properties = _builder.get("{kind:Anomaly}.properties") + if properties is not None: + properties.set_prop("anomalySettingsVersion", AAZIntType, ".anomaly.anomaly_settings_version") + properties.set_prop("anomalyVersion", AAZStrType, ".anomaly.anomaly_version", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("description", AAZStrType, ".anomaly.description") + properties.set_prop("displayName", AAZStrType, ".anomaly.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".anomaly.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("frequency", AAZStrType, ".anomaly.frequency", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("isDefaultSettings", AAZBoolType, ".anomaly.is_default_settings", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("requiredDataConnectors", AAZListType, ".anomaly.required_data_connectors") + properties.set_prop("settingsDefinitionId", AAZStrType, ".anomaly.settings_definition_id") + properties.set_prop("settingsStatus", AAZStrType, ".anomaly.settings_status", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".anomaly.tactics") + properties.set_prop("techniques", AAZListType, ".anomaly.techniques") + + required_data_connectors = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors") + if required_data_connectors is not None: + required_data_connectors.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors[]") + if _elements is not None: + _elements.set_prop("connectorId", AAZStrType, ".connector_id") + _elements.set_prop("dataTypes", AAZListType, ".data_types") + + data_types = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors[].dataTypes") + if data_types is not None: + data_types.set_elements(AAZStrType, ".") + + tactics = _builder.get("{kind:Anomaly}.properties.tactics") + if tactics 
is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:Anomaly}.properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomaly = cls._schema_on_200_201.discriminate_by("kind", "Anomaly") + disc_anomaly.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + 
properties = cls._schema_on_200_201.discriminate_by("kind", "Anomaly").properties + properties.anomaly_settings_version = AAZIntType( + serialized_name="anomalySettingsVersion", + ) + properties.anomaly_version = AAZStrType( + serialized_name="anomalyVersion", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.frequency = AAZStrType( + flags={"required": True}, + ) + properties.is_default_settings = AAZBoolType( + serialized_name="isDefaultSettings", + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.settings_definition_id = AAZStrType( + serialized_name="settingsDefinitionId", + ) + properties.settings_status = AAZStrType( + serialized_name="settingsStatus", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200_201.discriminate_by("kind", "Anomaly").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element + _element.connector_id = AAZStrType( + serialized_name="connectorId", + ) + _element.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element.data_types + data_types.Element = AAZStrType() + + tactics = cls._schema_on_200_201.discriminate_by("kind", "Anomaly").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200_201.discriminate_by("kind", 
"Anomaly").properties.techniques + techniques.Element = AAZStrType() + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_delete.py new file mode 100644 index 00000000000..4731dcbc9fa --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel analytics-setting delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the Security ML Analytics Settings. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/securitymlanalyticssettings/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_resource_name = AAZStrArg( + options=["-n", "--name", "--settings-resource-name"], + help="Security ML Analytics Settings resource name", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.SecurityMLAnalyticsSettingsDelete(ctx=self.ctx)() + + class 
SecurityMLAnalyticsSettingsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsResourceName", self.ctx.args.settings_resource_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_list.py new file mode 100644 index 00000000000..b8954e1b923 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_list.py 
@@ -0,0 +1,268 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel analytics-setting list", + is_experimental=True, +) +class List(AAZCommand): + """Get all Security ML Analytics Settings. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/securitymlanalyticssettings", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.SecurityMLAnalyticsSettingsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class SecurityMLAnalyticsSettingsList(AAZHttpOperation): + 
CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) 
+ + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomaly = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly") + disc_anomaly.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties + properties.anomaly_settings_version = AAZIntType( + serialized_name="anomalySettingsVersion", + ) + properties.anomaly_version = AAZStrType( + serialized_name="anomalyVersion", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.frequency = AAZStrType( + flags={"required": True}, + ) + 
properties.is_default_settings = AAZBoolType( + serialized_name="isDefaultSettings", + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.settings_definition_id = AAZStrType( + serialized_name="settingsDefinitionId", + ) + properties.settings_status = AAZStrType( + serialized_name="settingsStatus", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element + _element.connector_id = AAZStrType( + serialized_name="connectorId", + ) + _element.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element.data_types + data_types.Element = AAZStrType() + + tactics = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomaly").properties.techniques + techniques.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_show.py new file mode 100644 index 00000000000..a198633f14c --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_show.py 
@@ -0,0 +1,267 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from azure.cli.core.aaz import *
+
+
+@register_command(
+ "sentinel analytics-setting show",
+ is_experimental=True,
+)
+class Show(AAZCommand):
+ """Get the Security ML Analytics Settings.
+ """
+
+ _aaz_info = {
+ "version": "2022-06-01-preview",
+ "resources": [
+ ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/securitymlanalyticssettings/{}", "2022-06-01-preview"],
+ ]
+ }
+
+ def _handler(self, command_args):
+ super()._handler(command_args)
+ self._execute_operations()
+ return self._output()
+
+ _args_schema = None
+
+ @classmethod
+ def _build_arguments_schema(cls, *args, **kwargs):
+ if cls._args_schema is not None:
+ return cls._args_schema
+ cls._args_schema = super()._build_arguments_schema(*args, **kwargs)
+
+ # define Arg Group ""
+
+ _args_schema = cls._args_schema
+ _args_schema.resource_group = AAZResourceGroupNameArg(
+ required=True,
+ )
+ _args_schema.settings_resource_name = AAZStrArg(
+ options=["-n", "--name", "--settings-resource-name"],
+ help="Security ML Analytics Settings resource name",
+ required=True,
+ id_part="child_name_1",
+ )
+ _args_schema.workspace_name = AAZStrArg(
+ options=["-w", "--workspace-name"],
+ help="The name of the workspace.",
+ required=True,
+ is_experimental=True,
+ id_part="name",
+ )
+ return cls._args_schema
+
+ def _execute_operations(self):
+ self.SecurityMLAnalyticsSettingsGet(ctx=self.ctx)()
+
+ def _output(self, *args, **kwargs):
+ result =
self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SecurityMLAnalyticsSettingsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsResourceName", self.ctx.args.settings_resource_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not 
None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomaly = cls._schema_on_200.discriminate_by("kind", "Anomaly") + disc_anomaly.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties + properties.anomaly_settings_version = AAZIntType( + serialized_name="anomalySettingsVersion", + ) + properties.anomaly_version = AAZStrType( + serialized_name="anomalyVersion", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.frequency = AAZStrType( + flags={"required": True}, + ) + 
properties.is_default_settings = AAZBoolType( + serialized_name="isDefaultSettings", + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.settings_definition_id = AAZStrType( + serialized_name="settingsDefinitionId", + ) + properties.settings_status = AAZStrType( + serialized_name="settingsStatus", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element + _element.connector_id = AAZStrType( + serialized_name="connectorId", + ) + _element.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element.data_types + data_types.Element = AAZStrType() + + tactics = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.discriminate_by("kind", "Anomaly").properties.techniques + techniques.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_update.py new file mode 100644 index 00000000000..06724e23643 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/analytics_setting/_update.py 
@@ -0,0 +1,574 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel analytics-setting update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the Security ML Analytics Settings. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/securitymlanalyticssettings/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_resource_name = AAZStrArg( + options=["-n", "--name", "--settings-resource-name"], + help="Security ML Analytics Settings resource name", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "SecurityMLAnalyticsSetting" + + _args_schema = cls._args_schema + _args_schema.anomaly = AAZObjectArg( + options=["--anomaly"], + 
arg_group="SecurityMLAnalyticsSetting", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SecurityMLAnalyticsSetting", + help="Etag of the azure resource", + nullable=True, + ) + + anomaly = cls._args_schema.anomaly + anomaly.anomaly_settings_version = AAZIntArg( + options=["anomaly-settings-version"], + help="The anomaly settings version of the Anomaly security ml analytics settings that dictates whether job version gets updated or not.", + nullable=True, + ) + anomaly.anomaly_version = AAZStrArg( + options=["anomaly-version"], + help="The anomaly version of the AnomalySecurityMLAnalyticsSettings.", + ) + anomaly.description = AAZStrArg( + options=["description"], + help="The description of the SecurityMLAnalyticsSettings.", + nullable=True, + ) + anomaly.display_name = AAZStrArg( + options=["display-name"], + help="The display name for settings created by this SecurityMLAnalyticsSettings.", + ) + anomaly.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this settings is enabled or disabled.", + ) + anomaly.frequency = AAZStrArg( + options=["frequency"], + help="The frequency that this SecurityMLAnalyticsSettings will be run.", + ) + anomaly.is_default_settings = AAZBoolArg( + options=["is-default-settings"], + help="Determines whether this anomaly security ml analytics settings is a default settings", + ) + anomaly.required_data_connectors = AAZListArg( + options=["required-data-connectors"], + help="The required data sources for this SecurityMLAnalyticsSettings", + nullable=True, + ) + anomaly.settings_definition_id = AAZStrArg( + options=["settings-definition-id"], + help="The anomaly settings definition Id", + nullable=True, + ) + anomaly.settings_status = AAZStrArg( + options=["settings-status"], + help="The anomaly SecurityMLAnalyticsSettings status", + enum={"Flighting": "Flighting", "Production": "Production"}, + ) + anomaly.tactics = AAZListArg( + options=["tactics"], + help="The tactics of the 
SecurityMLAnalyticsSettings", + nullable=True, + ) + anomaly.techniques = AAZListArg( + options=["techniques"], + help="The techniques of the SecurityMLAnalyticsSettings", + nullable=True, + ) + + required_data_connectors = cls._args_schema.anomaly.required_data_connectors + required_data_connectors.Element = AAZObjectArg() + + _element = cls._args_schema.anomaly.required_data_connectors.Element + _element.connector_id = AAZStrArg( + options=["connector-id"], + help="The connector id that provides the following data types", + nullable=True, + ) + _element.data_types = AAZListArg( + options=["data-types"], + help="The data types used by the security ml analytics settings", + nullable=True, + ) + + data_types = cls._args_schema.anomaly.required_data_connectors.Element.data_types + data_types.Element = AAZStrArg() + + tactics = cls._args_schema.anomaly.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.anomaly.techniques + techniques.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.SecurityMLAnalyticsSettingsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.SecurityMLAnalyticsSettingsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, 
client_flatten=True) + return result + + class SecurityMLAnalyticsSettingsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsResourceName", self.ctx.args.settings_resource_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + 
cls._schema_on_200 = AAZObjectType() + _build_schema_security_ml_analytics_setting_read(cls._schema_on_200) + + return cls._schema_on_200 + + class SecurityMLAnalyticsSettingsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsResourceName", self.ctx.args.settings_resource_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + 
value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_security_ml_analytics_setting_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Anomaly", AAZStrType, ".anomaly", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "Anomaly") + + disc_anomaly = _builder.get("{kind:Anomaly}") + if disc_anomaly is not None: + disc_anomaly.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Anomaly}.properties") + if properties is not None: + properties.set_prop("anomalySettingsVersion", AAZIntType, ".anomaly.anomaly_settings_version") + properties.set_prop("anomalyVersion", AAZStrType, ".anomaly.anomaly_version", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("description", AAZStrType, ".anomaly.description") + properties.set_prop("displayName", AAZStrType, ".anomaly.display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("enabled", AAZBoolType, ".anomaly.enabled", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("frequency", AAZStrType, ".anomaly.frequency", typ_kwargs={"flags": {"required": True}}) + 
properties.set_prop("isDefaultSettings", AAZBoolType, ".anomaly.is_default_settings", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("requiredDataConnectors", AAZListType, ".anomaly.required_data_connectors") + properties.set_prop("settingsDefinitionId", AAZStrType, ".anomaly.settings_definition_id") + properties.set_prop("settingsStatus", AAZStrType, ".anomaly.settings_status", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tactics", AAZListType, ".anomaly.tactics") + properties.set_prop("techniques", AAZListType, ".anomaly.techniques") + + required_data_connectors = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors") + if required_data_connectors is not None: + required_data_connectors.set_elements(AAZObjectType) + + _elements = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors[]") + if _elements is not None: + _elements.set_prop("connectorId", AAZStrType, ".connector_id") + _elements.set_prop("dataTypes", AAZListType, ".data_types") + + data_types = _builder.get("{kind:Anomaly}.properties.requiredDataConnectors[].dataTypes") + if data_types is not None: + data_types.set_elements(AAZStrType, ".") + + tactics = _builder.get("{kind:Anomaly}.properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get("{kind:Anomaly}.properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_security_ml_analytics_setting_read = None + + +def _build_schema_security_ml_analytics_setting_read(_schema): + global _schema_security_ml_analytics_setting_read + if _schema_security_ml_analytics_setting_read is not None: + _schema.etag = _schema_security_ml_analytics_setting_read.etag + _schema.id = 
_schema_security_ml_analytics_setting_read.id + _schema.kind = _schema_security_ml_analytics_setting_read.kind + _schema.name = _schema_security_ml_analytics_setting_read.name + _schema.system_data = _schema_security_ml_analytics_setting_read.system_data + _schema.type = _schema_security_ml_analytics_setting_read.type + _schema.discriminate_by( + "kind", + "Anomaly", + _schema_security_ml_analytics_setting_read.discriminate_by( + "kind", + "Anomaly", + ) + ) + return + + _schema_security_ml_analytics_setting_read = AAZObjectType() + + security_ml_analytics_setting_read = _schema_security_ml_analytics_setting_read + security_ml_analytics_setting_read.etag = AAZStrType() + security_ml_analytics_setting_read.id = AAZStrType( + flags={"read_only": True}, + ) + security_ml_analytics_setting_read.kind = AAZStrType( + flags={"required": True}, + ) + security_ml_analytics_setting_read.name = AAZStrType( + flags={"read_only": True}, + ) + security_ml_analytics_setting_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + security_ml_analytics_setting_read.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = _schema_security_ml_analytics_setting_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomaly = _schema_security_ml_analytics_setting_read.discriminate_by("kind", 
"Anomaly") + disc_anomaly.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties + properties.anomaly_settings_version = AAZIntType( + serialized_name="anomalySettingsVersion", + ) + properties.anomaly_version = AAZStrType( + serialized_name="anomalyVersion", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.enabled = AAZBoolType( + flags={"required": True}, + ) + properties.frequency = AAZStrType( + flags={"required": True}, + ) + properties.is_default_settings = AAZBoolType( + serialized_name="isDefaultSettings", + flags={"required": True}, + ) + properties.last_modified_utc = AAZStrType( + serialized_name="lastModifiedUtc", + flags={"read_only": True}, + ) + properties.required_data_connectors = AAZListType( + serialized_name="requiredDataConnectors", + ) + properties.settings_definition_id = AAZStrType( + serialized_name="settingsDefinitionId", + ) + properties.settings_status = AAZStrType( + serialized_name="settingsStatus", + flags={"required": True}, + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + + required_data_connectors = _schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties.required_data_connectors + required_data_connectors.Element = AAZObjectType() + + _element = _schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element + _element.connector_id = AAZStrType( + serialized_name="connectorId", + ) + _element.data_types = AAZListType( + serialized_name="dataTypes", + ) + + data_types = _schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties.required_data_connectors.Element.data_types + data_types.Element = AAZStrType() + + tactics = 
_schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties.tactics + tactics.Element = AAZStrType() + + techniques = _schema_security_ml_analytics_setting_read.discriminate_by("kind", "Anomaly").properties.techniques + techniques.Element = AAZStrType() + + _schema.etag = _schema_security_ml_analytics_setting_read.etag + _schema.id = _schema_security_ml_analytics_setting_read.id + _schema.kind = _schema_security_ml_analytics_setting_read.kind + _schema.name = _schema_security_ml_analytics_setting_read.name + _schema.system_data = _schema_security_ml_analytics_setting_read.system_data + _schema.type = _schema_security_ml_analytics_setting_read.type + _schema.discriminate_by( + "kind", + "Anomaly", + _schema_security_ml_analytics_setting_read.discriminate_by( + "kind", + "Anomaly", + ) + ) + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__cmd_group.py new file mode 100644 index 00000000000..6eedd4328ed --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel automation-rule", +) +class __CMDGroup(AAZCommandGroup): + """Manage automation rule with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] 
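Review bot: The PUT issued by `SecurityMLAnalyticsSettingsCreateOrUpdate` sends no `If-Match` header — its `header_parameters` carries only `Content-Type` and `Accept` — so the etag obtained by the preceding `SecurityMLAnalyticsSettingsGet` reaches the service only as a body field, via `_builder.set_prop("etag", AAZStrType, ".etag")` in `InstanceUpdateByJson._update_instance`. Whether the 2022-06-01-preview API enforces optimistic concurrency from the body etag is not visible here; if it honors only `If-Match`, a write that lands between the GET and the PUT in `_execute_operations` is silently overwritten, and a caller-supplied `--etag` (declared `nullable=True`) gives no protection either. Confirm against the API and, if needed, add an `If-Match` entry to `header_parameters` built from the fetched instance's etag. As this file is generated by aaz-dev-tools, the fix belongs in the command model rather than in a hand edit of this file.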
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__init__.py
new file mode 100644
index 00000000000..c401f439385
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/__init__.py
@@ -0,0 +1,16 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from .__cmd_group import *
+from ._create import *
+from ._delete import *
+from ._list import *
+from ._show import *
+from ._update import *
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_create.py
new file mode 100644
index 00000000000..80ca9c80446
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_create.py
@@ -0,0 +1,791 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel automation-rule create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the automation rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/automationrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.automation_rule_name = AAZStrArg( + options=["-n", "--name", "--automation-rule-name"], + help="Name of automation rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "AutomationRuleToUpsert" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="AutomationRuleToUpsert", + help="Etag of the azure resource", + ) + 
+ # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.actions = AAZListArg( + options=["--actions"], + arg_group="Properties", + help="The actions to execute when the automation rule is triggered.", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the automation rule.", + ) + _args_schema.order = AAZIntArg( + options=["--order"], + arg_group="Properties", + help="The order of execution of the automation rule.", + ) + _args_schema.triggering_logic = AAZObjectArg( + options=["--triggering-logic"], + arg_group="Properties", + help="Describes automation rule triggering logic.", + ) + + actions = cls._args_schema.actions + actions.Element = AAZObjectArg() + + _element = cls._args_schema.actions.Element + _element.modify_properties = AAZObjectArg( + options=["modify-properties"], + ) + _element.run_playbook = AAZObjectArg( + options=["run-playbook"], + ) + _element.order = AAZIntArg( + options=["order"], + required=True, + ) + + modify_properties = cls._args_schema.actions.Element.modify_properties + modify_properties.action_configuration = AAZObjectArg( + options=["action-configuration"], + ) + + action_configuration = cls._args_schema.actions.Element.modify_properties.action_configuration + action_configuration.classification = AAZStrArg( + options=["classification"], + help="The reason the incident was closed", + enum={"BenignPositive": "BenignPositive", "FalsePositive": "FalsePositive", "TruePositive": "TruePositive", "Undetermined": "Undetermined"}, + ) + action_configuration.classification_comment = AAZStrArg( + options=["classification-comment"], + help="Describes the reason the incident was closed.", + ) + action_configuration.classification_reason = AAZStrArg( + options=["classification-reason"], + help="The classification reason the incident was closed with", + enum={"InaccurateData": "InaccurateData", "IncorrectAlertLogic": "IncorrectAlertLogic", 
"SuspiciousActivity": "SuspiciousActivity", "SuspiciousButExpected": "SuspiciousButExpected"}, + ) + action_configuration.labels = AAZListArg( + options=["labels"], + help="List of labels to add to the incident.", + ) + action_configuration.owner = AAZObjectArg( + options=["owner"], + help="Information on the user an incident is assigned to", + ) + action_configuration.severity = AAZStrArg( + options=["severity"], + help="The severity of the incident", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + action_configuration.status = AAZStrArg( + options=["status"], + help="The status of the incident", + enum={"Active": "Active", "Closed": "Closed", "New": "New"}, + ) + + labels = cls._args_schema.actions.Element.modify_properties.action_configuration.labels + labels.Element = AAZObjectArg() + + _element = cls._args_schema.actions.Element.modify_properties.action_configuration.labels.Element + _element.label_name = AAZStrArg( + options=["label-name"], + help="The name of the label", + required=True, + ) + + owner = cls._args_schema.actions.Element.modify_properties.action_configuration.owner + owner.assigned_to = AAZStrArg( + options=["assigned-to"], + help="The name of the user the incident is assigned to.", + ) + owner.email = AAZStrArg( + options=["email"], + help="The email of the user the incident is assigned to.", + ) + owner.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user the incident is assigned to.", + ) + owner.owner_type = AAZStrArg( + options=["owner-type"], + help="The type of the owner the incident is assigned to.", + enum={"Group": "Group", "Unknown": "Unknown", "User": "User"}, + ) + owner.user_principal_name = AAZStrArg( + options=["user-principal-name"], + help="The user principal name of the user the incident is assigned to.", + ) + + run_playbook = cls._args_schema.actions.Element.run_playbook + run_playbook.action_configuration = AAZObjectArg( + 
options=["action-configuration"], + ) + + action_configuration = cls._args_schema.actions.Element.run_playbook.action_configuration + action_configuration.logic_app_resource_id = AAZStrArg( + options=["logic-app-resource-id"], + help="The resource id of the playbook resource.", + ) + action_configuration.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id of the playbook resource.", + ) + + triggering_logic = cls._args_schema.triggering_logic + triggering_logic.conditions = AAZListArg( + options=["conditions"], + help="The conditions to evaluate to determine if the automation rule should be triggered on a given object.", + ) + triggering_logic.expiration_time_utc = AAZStrArg( + options=["expiration-time-utc"], + help="Determines when the automation rule should automatically expire and be disabled.", + ) + triggering_logic.is_enabled = AAZBoolArg( + options=["is-enabled"], + help="Determines whether the automation rule is enabled or disabled.", + required=True, + ) + triggering_logic.triggers_on = AAZStrArg( + options=["triggers-on"], + required=True, + enum={"Incidents": "Incidents"}, + ) + triggering_logic.triggers_when = AAZStrArg( + options=["triggers-when"], + required=True, + enum={"Created": "Created", "Updated": "Updated"}, + ) + + conditions = cls._args_schema.triggering_logic.conditions + conditions.Element = AAZObjectArg() + + _element = cls._args_schema.triggering_logic.conditions.Element + _element.property = AAZObjectArg( + options=["property"], + ) + _element.property_array_changed = AAZObjectArg( + options=["property-array-changed"], + ) + _element.property_changed = AAZObjectArg( + options=["property-changed"], + ) + + property = cls._args_schema.triggering_logic.conditions.Element.property + property.condition_properties = AAZObjectArg( + options=["condition-properties"], + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property.condition_properties + condition_properties.operator = AAZStrArg( + 
options=["operator"], + enum={"Contains": "Contains", "EndsWith": "EndsWith", "Equals": "Equals", "NotContains": "NotContains", "NotEndsWith": "NotEndsWith", "NotEquals": "NotEquals", "NotStartsWith": "NotStartsWith", "StartsWith": "StartsWith"}, + ) + condition_properties.property_name = AAZStrArg( + options=["property-name"], + help="The property to evaluate in an automation rule property condition.", + enum={"AccountAadTenantId": "AccountAadTenantId", "AccountAadUserId": "AccountAadUserId", "AccountNTDomain": "AccountNTDomain", "AccountName": "AccountName", "AccountObjectGuid": "AccountObjectGuid", "AccountPUID": "AccountPUID", "AccountSid": "AccountSid", "AccountUPNSuffix": "AccountUPNSuffix", "AlertProductNames": "AlertProductNames", "AzureResourceResourceId": "AzureResourceResourceId", "AzureResourceSubscriptionId": "AzureResourceSubscriptionId", "CloudApplicationAppId": "CloudApplicationAppId", "CloudApplicationAppName": "CloudApplicationAppName", "DNSDomainName": "DNSDomainName", "FileDirectory": "FileDirectory", "FileHashValue": "FileHashValue", "FileName": "FileName", "HostAzureID": "HostAzureID", "HostNTDomain": "HostNTDomain", "HostName": "HostName", "HostNetBiosName": "HostNetBiosName", "HostOSVersion": "HostOSVersion", "IPAddress": "IPAddress", "IncidentDescription": "IncidentDescription", "IncidentLabel": "IncidentLabel", "IncidentProviderName": "IncidentProviderName", "IncidentRelatedAnalyticRuleIds": "IncidentRelatedAnalyticRuleIds", "IncidentSeverity": "IncidentSeverity", "IncidentStatus": "IncidentStatus", "IncidentTactics": "IncidentTactics", "IncidentTitle": "IncidentTitle", "IoTDeviceId": "IoTDeviceId", "IoTDeviceModel": "IoTDeviceModel", "IoTDeviceName": "IoTDeviceName", "IoTDeviceOperatingSystem": "IoTDeviceOperatingSystem", "IoTDeviceType": "IoTDeviceType", "IoTDeviceVendor": "IoTDeviceVendor", "MailMessageDeliveryAction": "MailMessageDeliveryAction", "MailMessageDeliveryLocation": "MailMessageDeliveryLocation", "MailMessageP1Sender": 
"MailMessageP1Sender", "MailMessageP2Sender": "MailMessageP2Sender", "MailMessageRecipient": "MailMessageRecipient", "MailMessageSenderIP": "MailMessageSenderIP", "MailMessageSubject": "MailMessageSubject", "MailboxDisplayName": "MailboxDisplayName", "MailboxPrimaryAddress": "MailboxPrimaryAddress", "MailboxUPN": "MailboxUPN", "MalwareCategory": "MalwareCategory", "MalwareName": "MalwareName", "ProcessCommandLine": "ProcessCommandLine", "ProcessId": "ProcessId", "RegistryKey": "RegistryKey", "RegistryValueData": "RegistryValueData", "Url": "Url"}, + ) + condition_properties.property_values = AAZListArg( + options=["property-values"], + ) + + property_values = cls._args_schema.triggering_logic.conditions.Element.property.condition_properties.property_values + property_values.Element = AAZStrArg() + + property_array_changed = cls._args_schema.triggering_logic.conditions.Element.property_array_changed + property_array_changed.condition_properties = AAZObjectArg( + options=["condition-properties"], + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property_array_changed.condition_properties + condition_properties.array_type = AAZStrArg( + options=["array-type"], + enum={"Alerts": "Alerts", "Comments": "Comments", "Labels": "Labels", "Tactics": "Tactics"}, + ) + condition_properties.change_type = AAZStrArg( + options=["change-type"], + enum={"Added": "Added"}, + ) + + property_changed = cls._args_schema.triggering_logic.conditions.Element.property_changed + property_changed.condition_properties = AAZObjectArg( + options=["condition-properties"], + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property_changed.condition_properties + condition_properties.change_type = AAZStrArg( + options=["change-type"], + enum={"ChangedFrom": "ChangedFrom", "ChangedTo": "ChangedTo"}, + ) + condition_properties.operator = AAZStrArg( + options=["operator"], + enum={"Contains": "Contains", "EndsWith": "EndsWith", 
"Equals": "Equals", "NotContains": "NotContains", "NotEndsWith": "NotEndsWith", "NotEquals": "NotEquals", "NotStartsWith": "NotStartsWith", "StartsWith": "StartsWith"}, + ) + condition_properties.property_name = AAZStrArg( + options=["property-name"], + enum={"IncidentOwner": "IncidentOwner", "IncidentSeverity": "IncidentSeverity", "IncidentStatus": "IncidentStatus"}, + ) + condition_properties.property_values = AAZListArg( + options=["property-values"], + ) + + property_values = cls._args_schema.triggering_logic.conditions.Element.property_changed.condition_properties.property_values + property_values.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.AutomationRulesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class AutomationRulesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "automationRuleId", self.ctx.args.automation_rule_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", 
self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, ".", typ_kwargs={"flags": {"required": True, "client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("actions", AAZListType, ".actions", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("order", AAZIntType, ".order", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggeringLogic", AAZObjectType, ".triggering_logic", typ_kwargs={"flags": {"required": True}}) + + actions = _builder.get(".properties.actions") + if actions is not None: + actions.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.actions[]") + if _elements is not None: + _elements.set_const("actionType", "ModifyProperties", AAZStrType, ".modify_properties", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("actionType", "RunPlaybook", AAZStrType, ".run_playbook", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("order", AAZIntType, ".order", typ_kwargs={"flags": {"required": True}}) + 
_elements.discriminate_by("actionType", "ModifyProperties") + _elements.discriminate_by("actionType", "RunPlaybook") + + disc_modify_properties = _builder.get(".properties.actions[]{actionType:ModifyProperties}") + if disc_modify_properties is not None: + disc_modify_properties.set_prop("actionConfiguration", AAZObjectType, ".modify_properties.action_configuration") + + action_configuration = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration") + if action_configuration is not None: + action_configuration.set_prop("classification", AAZStrType, ".classification") + action_configuration.set_prop("classificationComment", AAZStrType, ".classification_comment") + action_configuration.set_prop("classificationReason", AAZStrType, ".classification_reason") + action_configuration.set_prop("labels", AAZListType, ".labels") + action_configuration.set_prop("owner", AAZObjectType, ".owner") + action_configuration.set_prop("severity", AAZStrType, ".severity") + action_configuration.set_prop("status", AAZStrType, ".status") + + labels = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.labels") + if labels is not None: + labels.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.labels[]") + if _elements is not None: + _elements.set_prop("labelName", AAZStrType, ".label_name", typ_kwargs={"flags": {"required": True}}) + + owner = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.owner") + if owner is not None: + owner.set_prop("assignedTo", AAZStrType, ".assigned_to") + owner.set_prop("email", AAZStrType, ".email") + owner.set_prop("objectId", AAZStrType, ".object_id") + owner.set_prop("ownerType", AAZStrType, ".owner_type") + owner.set_prop("userPrincipalName", AAZStrType, ".user_principal_name") + + disc_run_playbook = _builder.get(".properties.actions[]{actionType:RunPlaybook}") + if 
disc_run_playbook is not None: + disc_run_playbook.set_prop("actionConfiguration", AAZObjectType, ".run_playbook.action_configuration") + + action_configuration = _builder.get(".properties.actions[]{actionType:RunPlaybook}.actionConfiguration") + if action_configuration is not None: + action_configuration.set_prop("logicAppResourceId", AAZStrType, ".logic_app_resource_id") + action_configuration.set_prop("tenantId", AAZStrType, ".tenant_id") + + triggering_logic = _builder.get(".properties.triggeringLogic") + if triggering_logic is not None: + triggering_logic.set_prop("conditions", AAZListType, ".conditions") + triggering_logic.set_prop("expirationTimeUtc", AAZStrType, ".expiration_time_utc") + triggering_logic.set_prop("isEnabled", AAZBoolType, ".is_enabled", typ_kwargs={"flags": {"required": True}}) + triggering_logic.set_prop("triggersOn", AAZStrType, ".triggers_on", typ_kwargs={"flags": {"required": True}}) + triggering_logic.set_prop("triggersWhen", AAZStrType, ".triggers_when", typ_kwargs={"flags": {"required": True}}) + + conditions = _builder.get(".properties.triggeringLogic.conditions") + if conditions is not None: + conditions.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.triggeringLogic.conditions[]") + if _elements is not None: + _elements.set_const("conditionType", "Property", AAZStrType, ".property", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("conditionType", "PropertyArrayChanged", AAZStrType, ".property_array_changed", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("conditionType", "PropertyChanged", AAZStrType, ".property_changed", typ_kwargs={"flags": {"required": True}}) + _elements.discriminate_by("conditionType", "Property") + _elements.discriminate_by("conditionType", "PropertyArrayChanged") + _elements.discriminate_by("conditionType", "PropertyChanged") + + disc_property = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}") + if disc_property is not 
None: + disc_property.set_prop("conditionProperties", AAZObjectType, ".property.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("operator", AAZStrType, ".operator") + condition_properties.set_prop("propertyName", AAZStrType, ".property_name") + condition_properties.set_prop("propertyValues", AAZListType, ".property_values") + + property_values = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}.conditionProperties.propertyValues") + if property_values is not None: + property_values.set_elements(AAZStrType, ".") + + disc_property_array_changed = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyArrayChanged}") + if disc_property_array_changed is not None: + disc_property_array_changed.set_prop("conditionProperties", AAZObjectType, ".property_array_changed.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyArrayChanged}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("arrayType", AAZStrType, ".array_type") + condition_properties.set_prop("changeType", AAZStrType, ".change_type") + + disc_property_changed = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}") + if disc_property_changed is not None: + disc_property_changed.set_prop("conditionProperties", AAZObjectType, ".property_changed.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("changeType", AAZStrType, ".change_type") + condition_properties.set_prop("operator", AAZStrType, ".operator") + condition_properties.set_prop("propertyName", AAZStrType, 
".property_name") + condition_properties.set_prop("propertyValues", AAZListType, ".property_values") + + property_values = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}.conditionProperties.propertyValues") + if property_values is not None: + property_values.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"required": True, "client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.actions = AAZListType( + flags={"required": True}, + ) + properties.created_by = AAZObjectType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.created_by) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_modified_by = AAZObjectType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.last_modified_by) + properties.last_modified_time_utc = 
AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.order = AAZIntType( + flags={"required": True}, + ) + properties.triggering_logic = AAZObjectType( + serialized_name="triggeringLogic", + flags={"required": True}, + ) + + actions = cls._schema_on_200_201.properties.actions + actions.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.actions.Element + _element.action_type = AAZStrType( + serialized_name="actionType", + flags={"required": True}, + ) + _element.order = AAZIntType( + flags={"required": True}, + ) + + disc_modify_properties = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "ModifyProperties") + disc_modify_properties.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration + action_configuration.classification = AAZStrType() + action_configuration.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + action_configuration.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + action_configuration.labels = AAZListType() + action_configuration.owner = AAZObjectType() + action_configuration.severity = AAZStrType() + action_configuration.status = AAZStrType() + + labels = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = 
cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + disc_run_playbook = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "RunPlaybook") + disc_run_playbook.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = cls._schema_on_200_201.properties.actions.Element.discriminate_by("action_type", "RunPlaybook").action_configuration + action_configuration.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + ) + action_configuration.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + triggering_logic = cls._schema_on_200_201.properties.triggering_logic + triggering_logic.conditions = AAZListType() + triggering_logic.expiration_time_utc = AAZStrType( + serialized_name="expirationTimeUtc", + ) + triggering_logic.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"required": True}, + ) + triggering_logic.triggers_on = AAZStrType( + serialized_name="triggersOn", + flags={"required": True}, + ) + triggering_logic.triggers_when = AAZStrType( + serialized_name="triggersWhen", + flags={"required": True}, + ) + + conditions = cls._schema_on_200_201.properties.triggering_logic.conditions + conditions.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.triggering_logic.conditions.Element + _element.condition_type = AAZStrType( + serialized_name="conditionType", + flags={"required": True}, + ) + + disc_property = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property") + 
disc_property.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties.property_values + property_values.Element = AAZStrType() + + disc_property_array_changed = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged") + disc_property_array_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged").condition_properties + condition_properties.array_type = AAZStrType( + serialized_name="arrayType", + ) + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + + disc_property_changed = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged") + disc_property_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + 
condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200_201.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties.property_values + property_values.Element = AAZStrType() + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +_schema_client_info_read = None + + +def _build_schema_client_info_read(_schema): + global _schema_client_info_read + if _schema_client_info_read is not None: + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + return + + _schema_client_info_read = AAZObjectType( + flags={"read_only": True} + ) + + client_info_read = _schema_client_info_read + client_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + client_info_read.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + _schema.email = 
_schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_delete.py new file mode 100644 index 00000000000..828cffd08af --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_delete.py 
@@ -0,0 +1,135 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel automation-rule delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the automation rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/automationrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.automation_rule_name = AAZStrArg( + options=["-n", "--name", "--automation-rule-name"], + help="Name of automation rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.AutomationRulesDelete(ctx=self.ctx)() + + class AutomationRulesDelete(AAZHttpOperation): + 
CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "automationRuleId", self.ctx.args.automation_rule_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_list.py new file mode 100644 index 00000000000..0a7b634b650 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_list.py 
@@ -0,0 +1,420 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel automation-rule list", + is_experimental=True, +) +class List(AAZCommand): + """Get all automation rules. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/automationrules", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.AutomationRulesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class AutomationRulesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + ) + _schema_on_200.value = AAZListType() + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + 
_element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"required": True, "client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.actions = AAZListType( + flags={"required": True}, + ) + properties.created_by = AAZObjectType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.created_by) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_modified_by = AAZObjectType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.last_modified_by) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.order = AAZIntType( + flags={"required": True}, + ) + properties.triggering_logic = AAZObjectType( + serialized_name="triggeringLogic", + flags={"required": True}, + ) + + actions = cls._schema_on_200.value.Element.properties.actions + actions.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.actions.Element + _element.action_type = AAZStrType( + serialized_name="actionType", + flags={"required": True}, + ) + _element.order = AAZIntType( + flags={"required": True}, + ) + + disc_modify_properties = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "ModifyProperties") + disc_modify_properties.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + 
action_configuration = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration + action_configuration.classification = AAZStrType() + action_configuration.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + action_configuration.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + action_configuration.labels = AAZListType() + action_configuration.owner = AAZObjectType() + action_configuration.severity = AAZStrType() + action_configuration.status = AAZStrType() + + labels = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + disc_run_playbook = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", "RunPlaybook") + disc_run_playbook.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = cls._schema_on_200.value.Element.properties.actions.Element.discriminate_by("action_type", 
"RunPlaybook").action_configuration + action_configuration.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + ) + action_configuration.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + triggering_logic = cls._schema_on_200.value.Element.properties.triggering_logic + triggering_logic.conditions = AAZListType() + triggering_logic.expiration_time_utc = AAZStrType( + serialized_name="expirationTimeUtc", + ) + triggering_logic.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"required": True}, + ) + triggering_logic.triggers_on = AAZStrType( + serialized_name="triggersOn", + flags={"required": True}, + ) + triggering_logic.triggers_when = AAZStrType( + serialized_name="triggersWhen", + flags={"required": True}, + ) + + conditions = cls._schema_on_200.value.Element.properties.triggering_logic.conditions + conditions.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element + _element.condition_type = AAZStrType( + serialized_name="conditionType", + flags={"required": True}, + ) + + disc_property = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property") + disc_property.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties.property_values + property_values.Element = AAZStrType() + + 
disc_property_array_changed = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged") + disc_property_array_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged").condition_properties + condition_properties.array_type = AAZStrType( + serialized_name="arrayType", + ) + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + + disc_property_changed = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged") + disc_property_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200.value.Element.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties.property_values + property_values.Element = AAZStrType() + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + 
flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_client_info_read = None + + +def _build_schema_client_info_read(_schema): + global _schema_client_info_read + if _schema_client_info_read is not None: + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + return + + _schema_client_info_read = AAZObjectType( + flags={"read_only": True} + ) + + client_info_read = _schema_client_info_read + client_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + client_info_read.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_show.py new file mode 100644 index 00000000000..90054bbf44b --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_show.py 
@@ -0,0 +1,423 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel automation-rule show", + is_experimental=True, +) +class Show(AAZCommand): + """Get the automation rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/automationrules/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.automation_rule_name = AAZStrArg( + options=["-n", "--name", "--automation-rule-name"], + help="Name of automation rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.AutomationRulesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + 
return result + + class AutomationRulesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "automationRuleId", self.ctx.args.automation_rule_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = 
cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"required": True, "client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.actions = AAZListType( + flags={"required": True}, + ) + properties.created_by = AAZObjectType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.created_by) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_modified_by = AAZObjectType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.last_modified_by) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.order = AAZIntType( + flags={"required": True}, + ) + properties.triggering_logic = AAZObjectType( + serialized_name="triggeringLogic", + flags={"required": True}, + ) + + actions = cls._schema_on_200.properties.actions + actions.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.actions.Element + _element.action_type = AAZStrType( + serialized_name="actionType", + flags={"required": True}, + ) + _element.order = AAZIntType( + flags={"required": True}, + ) + + disc_modify_properties = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "ModifyProperties") + disc_modify_properties.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + 
+ action_configuration = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration + action_configuration.classification = AAZStrType() + action_configuration.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + action_configuration.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + action_configuration.labels = AAZListType() + action_configuration.owner = AAZObjectType() + action_configuration.severity = AAZStrType() + action_configuration.status = AAZStrType() + + labels = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + disc_run_playbook = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "RunPlaybook") + disc_run_playbook.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = cls._schema_on_200.properties.actions.Element.discriminate_by("action_type", "RunPlaybook").action_configuration + action_configuration.logic_app_resource_id = AAZStrType( + 
serialized_name="logicAppResourceId", + ) + action_configuration.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + triggering_logic = cls._schema_on_200.properties.triggering_logic + triggering_logic.conditions = AAZListType() + triggering_logic.expiration_time_utc = AAZStrType( + serialized_name="expirationTimeUtc", + ) + triggering_logic.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"required": True}, + ) + triggering_logic.triggers_on = AAZStrType( + serialized_name="triggersOn", + flags={"required": True}, + ) + triggering_logic.triggers_when = AAZStrType( + serialized_name="triggersWhen", + flags={"required": True}, + ) + + conditions = cls._schema_on_200.properties.triggering_logic.conditions + conditions.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.triggering_logic.conditions.Element + _element.condition_type = AAZStrType( + serialized_name="conditionType", + flags={"required": True}, + ) + + disc_property = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property") + disc_property.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties.property_values + property_values.Element = AAZStrType() + + disc_property_array_changed = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged") + 
disc_property_array_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged").condition_properties + condition_properties.array_type = AAZStrType( + serialized_name="arrayType", + ) + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + + disc_property_changed = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged") + disc_property_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = cls._schema_on_200.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties.property_values + property_values.Element = AAZStrType() + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + 
) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_client_info_read = None + + +def _build_schema_client_info_read(_schema): + global _schema_client_info_read + if _schema_client_info_read is not None: + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + return + + _schema_client_info_read = AAZObjectType( + flags={"read_only": True} + ) + + client_info_read = _schema_client_info_read + client_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + client_info_read.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_update.py new file mode 100644 index 00000000000..14b70bd29b2 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/automation_rule/_update.py 
@@ -0,0 +1,955 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel automation-rule update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the automation rule. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/automationrules/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.automation_rule_name = AAZStrArg( + options=["-n", "--name", "--automation-rule-name"], + help="Name of automation rule.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "AutomationRuleToUpsert" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="AutomationRuleToUpsert", + 
help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.actions = AAZListArg( + options=["--actions"], + arg_group="Properties", + help="The actions to execute when the automation rule is triggered.", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the automation rule.", + ) + _args_schema.order = AAZIntArg( + options=["--order"], + arg_group="Properties", + help="The order of execution of the automation rule.", + ) + _args_schema.triggering_logic = AAZObjectArg( + options=["--triggering-logic"], + arg_group="Properties", + help="Describes automation rule triggering logic.", + ) + + actions = cls._args_schema.actions + actions.Element = AAZObjectArg() + + _element = cls._args_schema.actions.Element + _element.modify_properties = AAZObjectArg( + options=["modify-properties"], + ) + _element.run_playbook = AAZObjectArg( + options=["run-playbook"], + ) + _element.order = AAZIntArg( + options=["order"], + ) + + modify_properties = cls._args_schema.actions.Element.modify_properties + modify_properties.action_configuration = AAZObjectArg( + options=["action-configuration"], + nullable=True, + ) + + action_configuration = cls._args_schema.actions.Element.modify_properties.action_configuration + action_configuration.classification = AAZStrArg( + options=["classification"], + help="The reason the incident was closed", + nullable=True, + enum={"BenignPositive": "BenignPositive", "FalsePositive": "FalsePositive", "TruePositive": "TruePositive", "Undetermined": "Undetermined"}, + ) + action_configuration.classification_comment = AAZStrArg( + options=["classification-comment"], + help="Describes the reason the incident was closed.", + nullable=True, + ) + action_configuration.classification_reason = AAZStrArg( + options=["classification-reason"], + help="The classification reason the incident was closed with", + 
nullable=True, + enum={"InaccurateData": "InaccurateData", "IncorrectAlertLogic": "IncorrectAlertLogic", "SuspiciousActivity": "SuspiciousActivity", "SuspiciousButExpected": "SuspiciousButExpected"}, + ) + action_configuration.labels = AAZListArg( + options=["labels"], + help="List of labels to add to the incident.", + nullable=True, + ) + action_configuration.owner = AAZObjectArg( + options=["owner"], + help="Information on the user an incident is assigned to", + nullable=True, + ) + action_configuration.severity = AAZStrArg( + options=["severity"], + help="The severity of the incident", + nullable=True, + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + action_configuration.status = AAZStrArg( + options=["status"], + help="The status of the incident", + nullable=True, + enum={"Active": "Active", "Closed": "Closed", "New": "New"}, + ) + + labels = cls._args_schema.actions.Element.modify_properties.action_configuration.labels + labels.Element = AAZObjectArg() + + _element = cls._args_schema.actions.Element.modify_properties.action_configuration.labels.Element + _element.label_name = AAZStrArg( + options=["label-name"], + help="The name of the label", + ) + + owner = cls._args_schema.actions.Element.modify_properties.action_configuration.owner + owner.assigned_to = AAZStrArg( + options=["assigned-to"], + help="The name of the user the incident is assigned to.", + nullable=True, + ) + owner.email = AAZStrArg( + options=["email"], + help="The email of the user the incident is assigned to.", + nullable=True, + ) + owner.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user the incident is assigned to.", + nullable=True, + ) + owner.owner_type = AAZStrArg( + options=["owner-type"], + help="The type of the owner the incident is assigned to.", + nullable=True, + enum={"Group": "Group", "Unknown": "Unknown", "User": "User"}, + ) + owner.user_principal_name = AAZStrArg( + 
options=["user-principal-name"], + help="The user principal name of the user the incident is assigned to.", + nullable=True, + ) + + run_playbook = cls._args_schema.actions.Element.run_playbook + run_playbook.action_configuration = AAZObjectArg( + options=["action-configuration"], + nullable=True, + ) + + action_configuration = cls._args_schema.actions.Element.run_playbook.action_configuration + action_configuration.logic_app_resource_id = AAZStrArg( + options=["logic-app-resource-id"], + help="The resource id of the playbook resource.", + nullable=True, + ) + action_configuration.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id of the playbook resource.", + nullable=True, + ) + + triggering_logic = cls._args_schema.triggering_logic + triggering_logic.conditions = AAZListArg( + options=["conditions"], + help="The conditions to evaluate to determine if the automation rule should be triggered on a given object.", + nullable=True, + ) + triggering_logic.expiration_time_utc = AAZStrArg( + options=["expiration-time-utc"], + help="Determines when the automation rule should automatically expire and be disabled.", + nullable=True, + ) + triggering_logic.is_enabled = AAZBoolArg( + options=["is-enabled"], + help="Determines whether the automation rule is enabled or disabled.", + ) + triggering_logic.triggers_on = AAZStrArg( + options=["triggers-on"], + enum={"Incidents": "Incidents"}, + ) + triggering_logic.triggers_when = AAZStrArg( + options=["triggers-when"], + enum={"Created": "Created", "Updated": "Updated"}, + ) + + conditions = cls._args_schema.triggering_logic.conditions + conditions.Element = AAZObjectArg() + + _element = cls._args_schema.triggering_logic.conditions.Element + _element.property = AAZObjectArg( + options=["property"], + ) + _element.property_array_changed = AAZObjectArg( + options=["property-array-changed"], + ) + _element.property_changed = AAZObjectArg( + options=["property-changed"], + ) + + property = 
cls._args_schema.triggering_logic.conditions.Element.property + property.condition_properties = AAZObjectArg( + options=["condition-properties"], + nullable=True, + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property.condition_properties + condition_properties.operator = AAZStrArg( + options=["operator"], + nullable=True, + enum={"Contains": "Contains", "EndsWith": "EndsWith", "Equals": "Equals", "NotContains": "NotContains", "NotEndsWith": "NotEndsWith", "NotEquals": "NotEquals", "NotStartsWith": "NotStartsWith", "StartsWith": "StartsWith"}, + ) + condition_properties.property_name = AAZStrArg( + options=["property-name"], + help="The property to evaluate in an automation rule property condition.", + nullable=True, + enum={"AccountAadTenantId": "AccountAadTenantId", "AccountAadUserId": "AccountAadUserId", "AccountNTDomain": "AccountNTDomain", "AccountName": "AccountName", "AccountObjectGuid": "AccountObjectGuid", "AccountPUID": "AccountPUID", "AccountSid": "AccountSid", "AccountUPNSuffix": "AccountUPNSuffix", "AlertProductNames": "AlertProductNames", "AzureResourceResourceId": "AzureResourceResourceId", "AzureResourceSubscriptionId": "AzureResourceSubscriptionId", "CloudApplicationAppId": "CloudApplicationAppId", "CloudApplicationAppName": "CloudApplicationAppName", "DNSDomainName": "DNSDomainName", "FileDirectory": "FileDirectory", "FileHashValue": "FileHashValue", "FileName": "FileName", "HostAzureID": "HostAzureID", "HostNTDomain": "HostNTDomain", "HostName": "HostName", "HostNetBiosName": "HostNetBiosName", "HostOSVersion": "HostOSVersion", "IPAddress": "IPAddress", "IncidentDescription": "IncidentDescription", "IncidentLabel": "IncidentLabel", "IncidentProviderName": "IncidentProviderName", "IncidentRelatedAnalyticRuleIds": "IncidentRelatedAnalyticRuleIds", "IncidentSeverity": "IncidentSeverity", "IncidentStatus": "IncidentStatus", "IncidentTactics": "IncidentTactics", "IncidentTitle": "IncidentTitle", "IoTDeviceId": 
"IoTDeviceId", "IoTDeviceModel": "IoTDeviceModel", "IoTDeviceName": "IoTDeviceName", "IoTDeviceOperatingSystem": "IoTDeviceOperatingSystem", "IoTDeviceType": "IoTDeviceType", "IoTDeviceVendor": "IoTDeviceVendor", "MailMessageDeliveryAction": "MailMessageDeliveryAction", "MailMessageDeliveryLocation": "MailMessageDeliveryLocation", "MailMessageP1Sender": "MailMessageP1Sender", "MailMessageP2Sender": "MailMessageP2Sender", "MailMessageRecipient": "MailMessageRecipient", "MailMessageSenderIP": "MailMessageSenderIP", "MailMessageSubject": "MailMessageSubject", "MailboxDisplayName": "MailboxDisplayName", "MailboxPrimaryAddress": "MailboxPrimaryAddress", "MailboxUPN": "MailboxUPN", "MalwareCategory": "MalwareCategory", "MalwareName": "MalwareName", "ProcessCommandLine": "ProcessCommandLine", "ProcessId": "ProcessId", "RegistryKey": "RegistryKey", "RegistryValueData": "RegistryValueData", "Url": "Url"}, + ) + condition_properties.property_values = AAZListArg( + options=["property-values"], + nullable=True, + ) + + property_values = cls._args_schema.triggering_logic.conditions.Element.property.condition_properties.property_values + property_values.Element = AAZStrArg() + + property_array_changed = cls._args_schema.triggering_logic.conditions.Element.property_array_changed + property_array_changed.condition_properties = AAZObjectArg( + options=["condition-properties"], + nullable=True, + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property_array_changed.condition_properties + condition_properties.array_type = AAZStrArg( + options=["array-type"], + nullable=True, + enum={"Alerts": "Alerts", "Comments": "Comments", "Labels": "Labels", "Tactics": "Tactics"}, + ) + condition_properties.change_type = AAZStrArg( + options=["change-type"], + nullable=True, + enum={"Added": "Added"}, + ) + + property_changed = cls._args_schema.triggering_logic.conditions.Element.property_changed + property_changed.condition_properties = AAZObjectArg( + 
options=["condition-properties"], + nullable=True, + ) + + condition_properties = cls._args_schema.triggering_logic.conditions.Element.property_changed.condition_properties + condition_properties.change_type = AAZStrArg( + options=["change-type"], + nullable=True, + enum={"ChangedFrom": "ChangedFrom", "ChangedTo": "ChangedTo"}, + ) + condition_properties.operator = AAZStrArg( + options=["operator"], + nullable=True, + enum={"Contains": "Contains", "EndsWith": "EndsWith", "Equals": "Equals", "NotContains": "NotContains", "NotEndsWith": "NotEndsWith", "NotEquals": "NotEquals", "NotStartsWith": "NotStartsWith", "StartsWith": "StartsWith"}, + ) + condition_properties.property_name = AAZStrArg( + options=["property-name"], + nullable=True, + enum={"IncidentOwner": "IncidentOwner", "IncidentSeverity": "IncidentSeverity", "IncidentStatus": "IncidentStatus"}, + ) + condition_properties.property_values = AAZListArg( + options=["property-values"], + nullable=True, + ) + + property_values = cls._args_schema.triggering_logic.conditions.Element.property_changed.condition_properties.property_values + property_values.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.AutomationRulesGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.AutomationRulesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class AutomationRulesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "automationRuleId", self.ctx.args.automation_rule_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_automation_rule_read(cls._schema_on_200) + + return cls._schema_on_200 + + class AutomationRulesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + 
@property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "automationRuleId", self.ctx.args.automation_rule_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_automation_rule_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class 
InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, ".", typ_kwargs={"flags": {"required": True, "client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("actions", AAZListType, ".actions", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("order", AAZIntType, ".order", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("triggeringLogic", AAZObjectType, ".triggering_logic", typ_kwargs={"flags": {"required": True}}) + + actions = _builder.get(".properties.actions") + if actions is not None: + actions.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.actions[]") + if _elements is not None: + _elements.set_const("actionType", "ModifyProperties", AAZStrType, ".modify_properties", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("actionType", "RunPlaybook", AAZStrType, ".run_playbook", typ_kwargs={"flags": {"required": True}}) + _elements.set_prop("order", AAZIntType, ".order", typ_kwargs={"flags": {"required": True}}) + _elements.discriminate_by("actionType", "ModifyProperties") + _elements.discriminate_by("actionType", "RunPlaybook") + + disc_modify_properties = _builder.get(".properties.actions[]{actionType:ModifyProperties}") + if disc_modify_properties is not None: + disc_modify_properties.set_prop("actionConfiguration", AAZObjectType, ".modify_properties.action_configuration") + + action_configuration = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration") + if 
action_configuration is not None: + action_configuration.set_prop("classification", AAZStrType, ".classification") + action_configuration.set_prop("classificationComment", AAZStrType, ".classification_comment") + action_configuration.set_prop("classificationReason", AAZStrType, ".classification_reason") + action_configuration.set_prop("labels", AAZListType, ".labels") + action_configuration.set_prop("owner", AAZObjectType, ".owner") + action_configuration.set_prop("severity", AAZStrType, ".severity") + action_configuration.set_prop("status", AAZStrType, ".status") + + labels = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.labels") + if labels is not None: + labels.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.labels[]") + if _elements is not None: + _elements.set_prop("labelName", AAZStrType, ".label_name", typ_kwargs={"flags": {"required": True}}) + + owner = _builder.get(".properties.actions[]{actionType:ModifyProperties}.actionConfiguration.owner") + if owner is not None: + owner.set_prop("assignedTo", AAZStrType, ".assigned_to") + owner.set_prop("email", AAZStrType, ".email") + owner.set_prop("objectId", AAZStrType, ".object_id") + owner.set_prop("ownerType", AAZStrType, ".owner_type") + owner.set_prop("userPrincipalName", AAZStrType, ".user_principal_name") + + disc_run_playbook = _builder.get(".properties.actions[]{actionType:RunPlaybook}") + if disc_run_playbook is not None: + disc_run_playbook.set_prop("actionConfiguration", AAZObjectType, ".run_playbook.action_configuration") + + action_configuration = _builder.get(".properties.actions[]{actionType:RunPlaybook}.actionConfiguration") + if action_configuration is not None: + action_configuration.set_prop("logicAppResourceId", AAZStrType, ".logic_app_resource_id") + action_configuration.set_prop("tenantId", AAZStrType, ".tenant_id") + + triggering_logic = 
_builder.get(".properties.triggeringLogic") + if triggering_logic is not None: + triggering_logic.set_prop("conditions", AAZListType, ".conditions") + triggering_logic.set_prop("expirationTimeUtc", AAZStrType, ".expiration_time_utc") + triggering_logic.set_prop("isEnabled", AAZBoolType, ".is_enabled", typ_kwargs={"flags": {"required": True}}) + triggering_logic.set_prop("triggersOn", AAZStrType, ".triggers_on", typ_kwargs={"flags": {"required": True}}) + triggering_logic.set_prop("triggersWhen", AAZStrType, ".triggers_when", typ_kwargs={"flags": {"required": True}}) + + conditions = _builder.get(".properties.triggeringLogic.conditions") + if conditions is not None: + conditions.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.triggeringLogic.conditions[]") + if _elements is not None: + _elements.set_const("conditionType", "Property", AAZStrType, ".property", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("conditionType", "PropertyArrayChanged", AAZStrType, ".property_array_changed", typ_kwargs={"flags": {"required": True}}) + _elements.set_const("conditionType", "PropertyChanged", AAZStrType, ".property_changed", typ_kwargs={"flags": {"required": True}}) + _elements.discriminate_by("conditionType", "Property") + _elements.discriminate_by("conditionType", "PropertyArrayChanged") + _elements.discriminate_by("conditionType", "PropertyChanged") + + disc_property = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}") + if disc_property is not None: + disc_property.set_prop("conditionProperties", AAZObjectType, ".property.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("operator", AAZStrType, ".operator") + condition_properties.set_prop("propertyName", AAZStrType, ".property_name") + condition_properties.set_prop("propertyValues", 
AAZListType, ".property_values") + + property_values = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:Property}.conditionProperties.propertyValues") + if property_values is not None: + property_values.set_elements(AAZStrType, ".") + + disc_property_array_changed = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyArrayChanged}") + if disc_property_array_changed is not None: + disc_property_array_changed.set_prop("conditionProperties", AAZObjectType, ".property_array_changed.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyArrayChanged}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("arrayType", AAZStrType, ".array_type") + condition_properties.set_prop("changeType", AAZStrType, ".change_type") + + disc_property_changed = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}") + if disc_property_changed is not None: + disc_property_changed.set_prop("conditionProperties", AAZObjectType, ".property_changed.condition_properties") + + condition_properties = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}.conditionProperties") + if condition_properties is not None: + condition_properties.set_prop("changeType", AAZStrType, ".change_type") + condition_properties.set_prop("operator", AAZStrType, ".operator") + condition_properties.set_prop("propertyName", AAZStrType, ".property_name") + condition_properties.set_prop("propertyValues", AAZListType, ".property_values") + + property_values = _builder.get(".properties.triggeringLogic.conditions[]{conditionType:PropertyChanged}.conditionProperties.propertyValues") + if property_values is not None: + property_values.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + 
self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_automation_rule_read = None + + +def _build_schema_automation_rule_read(_schema): + global _schema_automation_rule_read + if _schema_automation_rule_read is not None: + _schema.etag = _schema_automation_rule_read.etag + _schema.id = _schema_automation_rule_read.id + _schema.name = _schema_automation_rule_read.name + _schema.properties = _schema_automation_rule_read.properties + _schema.system_data = _schema_automation_rule_read.system_data + _schema.type = _schema_automation_rule_read.type + return + + _schema_automation_rule_read = AAZObjectType() + + automation_rule_read = _schema_automation_rule_read + automation_rule_read.etag = AAZStrType() + automation_rule_read.id = AAZStrType( + flags={"read_only": True}, + ) + automation_rule_read.name = AAZStrType( + flags={"read_only": True}, + ) + automation_rule_read.properties = AAZObjectType( + flags={"required": True, "client_flatten": True}, + ) + automation_rule_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + automation_rule_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_automation_rule_read.properties + properties.actions = AAZListType( + flags={"required": True}, + ) + properties.created_by = AAZObjectType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.created_by) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.last_modified_by = AAZObjectType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + _build_schema_client_info_read(properties.last_modified_by) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + 
flags={"read_only": True}, + ) + properties.order = AAZIntType( + flags={"required": True}, + ) + properties.triggering_logic = AAZObjectType( + serialized_name="triggeringLogic", + flags={"required": True}, + ) + + actions = _schema_automation_rule_read.properties.actions + actions.Element = AAZObjectType() + + _element = _schema_automation_rule_read.properties.actions.Element + _element.action_type = AAZStrType( + serialized_name="actionType", + flags={"required": True}, + ) + _element.order = AAZIntType( + flags={"required": True}, + ) + + disc_modify_properties = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "ModifyProperties") + disc_modify_properties.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration + action_configuration.classification = AAZStrType() + action_configuration.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + action_configuration.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + action_configuration.labels = AAZListType() + action_configuration.owner = AAZObjectType() + action_configuration.severity = AAZStrType() + action_configuration.status = AAZStrType() + + labels = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels + labels.Element = AAZObjectType() + + _element = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = 
_schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "ModifyProperties").action_configuration.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + disc_run_playbook = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "RunPlaybook") + disc_run_playbook.action_configuration = AAZObjectType( + serialized_name="actionConfiguration", + ) + + action_configuration = _schema_automation_rule_read.properties.actions.Element.discriminate_by("action_type", "RunPlaybook").action_configuration + action_configuration.logic_app_resource_id = AAZStrType( + serialized_name="logicAppResourceId", + ) + action_configuration.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + triggering_logic = _schema_automation_rule_read.properties.triggering_logic + triggering_logic.conditions = AAZListType() + triggering_logic.expiration_time_utc = AAZStrType( + serialized_name="expirationTimeUtc", + ) + triggering_logic.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"required": True}, + ) + triggering_logic.triggers_on = AAZStrType( + serialized_name="triggersOn", + flags={"required": True}, + ) + triggering_logic.triggers_when = AAZStrType( + serialized_name="triggersWhen", + flags={"required": True}, + ) + + conditions = _schema_automation_rule_read.properties.triggering_logic.conditions + conditions.Element = AAZObjectType() + + _element = _schema_automation_rule_read.properties.triggering_logic.conditions.Element + _element.condition_type = AAZStrType( + serialized_name="conditionType", + flags={"required": True}, + ) + + disc_property = 
_schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property") + disc_property.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties + condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "Property").condition_properties.property_values + property_values.Element = AAZStrType() + + disc_property_array_changed = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged") + disc_property_array_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyArrayChanged").condition_properties + condition_properties.array_type = AAZStrType( + serialized_name="arrayType", + ) + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) + + disc_property_changed = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged") + disc_property_changed.condition_properties = AAZObjectType( + serialized_name="conditionProperties", + ) + + condition_properties = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties + condition_properties.change_type = AAZStrType( + serialized_name="changeType", + ) 
+ condition_properties.operator = AAZStrType() + condition_properties.property_name = AAZStrType( + serialized_name="propertyName", + ) + condition_properties.property_values = AAZListType( + serialized_name="propertyValues", + ) + + property_values = _schema_automation_rule_read.properties.triggering_logic.conditions.Element.discriminate_by("condition_type", "PropertyChanged").condition_properties.property_values + property_values.Element = AAZStrType() + + system_data = _schema_automation_rule_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_automation_rule_read.etag + _schema.id = _schema_automation_rule_read.id + _schema.name = _schema_automation_rule_read.name + _schema.properties = _schema_automation_rule_read.properties + _schema.system_data = _schema_automation_rule_read.system_data + _schema.type = _schema_automation_rule_read.type + + +_schema_client_info_read = None + + +def _build_schema_client_info_read(_schema): + global _schema_client_info_read + if _schema_client_info_read is not None: + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + return + + _schema_client_info_read = AAZObjectType( + flags={"read_only": True} + ) + 
+ client_info_read = _schema_client_info_read + client_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + client_info_read.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + client_info_read.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + _schema.email = _schema_client_info_read.email + _schema.name = _schema_client_info_read.name + _schema.object_id = _schema_client_info_read.object_id + _schema.user_principal_name = _schema_client_info_read.user_principal_name + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__cmd_group.py new file mode 100644 index 00000000000..d5bfeee1719 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel bookmark", +) +class __CMDGroup(AAZCommandGroup): + """Manage bookmark with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__init__.py new file mode 100644 index 00000000000..9d2c5bb51f0 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/__init__.py 
@@ -0,0 +1,17 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._expand import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_create.py new file mode 100644 index 00000000000..6ba25eaa059 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_create.py 
@@ -0,0 +1,559 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the bookmark. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["-n", "--name", "--bookmark-id"], + help="ID of bookmark.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Bookmark" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Bookmark", + help="Etag of the azure resource", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + 
_args_schema.created = AAZStrArg( + options=["--created"], + arg_group="Properties", + help="The time the bookmark was created", + ) + _args_schema.created_by = AAZObjectArg( + options=["--created-by"], + arg_group="Properties", + help="Describes a user that created the bookmark", + ) + cls._build_args_user_info_create(_args_schema.created_by) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the bookmark", + ) + _args_schema.entity_mappings = AAZListArg( + options=["--entity-mappings"], + arg_group="Properties", + help="Describes the entity mappings of the bookmark", + ) + _args_schema.event_time = AAZStrArg( + options=["--event-time"], + arg_group="Properties", + help="The bookmark event time", + ) + _args_schema.incident_info = AAZObjectArg( + options=["--incident-info"], + arg_group="Properties", + help="Describes an incident that relates to bookmark", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this bookmark", + ) + _args_schema.notes = AAZStrArg( + options=["--notes"], + arg_group="Properties", + help="The notes of the bookmark", + ) + _args_schema.query_content = AAZStrArg( + options=["--query-content"], + arg_group="Properties", + help="The query of the bookmark.", + is_experimental=True, + ) + _args_schema.query_end_time = AAZStrArg( + options=["--query-end-time"], + arg_group="Properties", + help="The end time for the query", + ) + _args_schema.query_result = AAZStrArg( + options=["--query-result"], + arg_group="Properties", + help="The query result of the bookmark.", + ) + _args_schema.query_start_time = AAZStrArg( + options=["--query-start-time"], + arg_group="Properties", + help="The start time for the query", + ) + _args_schema.tactics = AAZListArg( + options=["--tactics"], + arg_group="Properties", + help="A list of relevant mitre attacks", + ) + _args_schema.techniques = AAZListArg( + 
options=["--techniques"], + arg_group="Properties", + help="A list of relevant mitre techniques", + ) + _args_schema.updated = AAZStrArg( + options=["--updated"], + arg_group="Properties", + help="The last time the bookmark was updated", + ) + _args_schema.updated_by = AAZObjectArg( + options=["--updated-by"], + arg_group="Properties", + help="Describes a user that updated the bookmark", + ) + cls._build_args_user_info_create(_args_schema.updated_by) + + entity_mappings = cls._args_schema.entity_mappings + entity_mappings.Element = AAZObjectArg() + + _element = cls._args_schema.entity_mappings.Element + _element.entity_type = AAZStrArg( + options=["entity-type"], + help="The entity type", + ) + _element.field_mappings = AAZListArg( + options=["field-mappings"], + help="Array of fields mapping for that entity type", + ) + + field_mappings = cls._args_schema.entity_mappings.Element.field_mappings + field_mappings.Element = AAZObjectArg() + + _element = cls._args_schema.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrArg( + options=["identifier"], + help="Alert V3 identifier", + ) + _element.value = AAZStrArg( + options=["value"], + help="The value of the identifier", + ) + + incident_info = cls._args_schema.incident_info + incident_info.incident_id = AAZStrArg( + options=["incident-id"], + help="Incident Id", + ) + incident_info.relation_name = AAZStrArg( + options=["relation-name"], + help="Relation Name", + ) + incident_info.severity = AAZStrArg( + options=["severity"], + help="The severity of the incident", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + incident_info.title = AAZStrArg( + options=["title"], + help="The title of the incident", + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + tactics = cls._args_schema.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": 
"CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.techniques + techniques.Element = AAZStrArg() + return cls._args_schema + + _args_user_info_create = None + + @classmethod + def _build_args_user_info_create(cls, _schema): + if cls._args_user_info_create is not None: + _schema.object_id = cls._args_user_info_create.object_id + return + + cls._args_user_info_create = AAZObjectArg() + + user_info_create = cls._args_user_info_create + user_info_create.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user.", + nullable=True, + ) + + _schema.object_id = cls._args_user_info_create.object_id + + def _execute_operations(self): + self.BookmarksCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarksCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}", + 
**self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("created", AAZStrType, ".created") + _build_schema_user_info_create(properties.set_prop("createdBy", AAZObjectType, ".created_by")) + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("entityMappings", AAZListType, ".entity_mappings") + properties.set_prop("eventTime", AAZStrType, ".event_time") + properties.set_prop("incidentInfo", AAZObjectType, ".incident_info") + properties.set_prop("labels", AAZListType, ".labels") + 
properties.set_prop("notes", AAZStrType, ".notes") + properties.set_prop("query", AAZStrType, ".query_content", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryEndTime", AAZStrType, ".query_end_time") + properties.set_prop("queryResult", AAZStrType, ".query_result") + properties.set_prop("queryStartTime", AAZStrType, ".query_start_time") + properties.set_prop("tactics", AAZListType, ".tactics") + properties.set_prop("techniques", AAZListType, ".techniques") + properties.set_prop("updated", AAZStrType, ".updated") + _build_schema_user_info_create(properties.set_prop("updatedBy", AAZObjectType, ".updated_by")) + + entity_mappings = _builder.get(".properties.entityMappings") + if entity_mappings is not None: + entity_mappings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.entityMappings[]") + if _elements is not None: + _elements.set_prop("entityType", AAZStrType, ".entity_type") + _elements.set_prop("fieldMappings", AAZListType, ".field_mappings") + + field_mappings = _builder.get(".properties.entityMappings[].fieldMappings") + if field_mappings is not None: + field_mappings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.entityMappings[].fieldMappings[]") + if _elements is not None: + _elements.set_prop("identifier", AAZStrType, ".identifier") + _elements.set_prop("value", AAZStrType, ".value") + + incident_info = _builder.get(".properties.incidentInfo") + if incident_info is not None: + incident_info.set_prop("incidentId", AAZStrType, ".incident_id") + incident_info.set_prop("relationName", AAZStrType, ".relation_name") + incident_info.set_prop("severity", AAZStrType, ".severity") + incident_info.set_prop("title", AAZStrType, ".title") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + tactics = _builder.get(".properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = 
_builder.get(".properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_end_time = AAZStrType( + serialized_name="queryEndTime", + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.query_start_time = AAZStrType( + serialized_name="queryStartTime", + ) + 
properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + entity_mappings = cls._schema_on_200_201.properties.entity_mappings + entity_mappings.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.entity_mappings.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = cls._schema_on_200_201.properties.entity_mappings.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrType() + _element.value = AAZStrType() + + incident_info = cls._schema_on_200_201.properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = cls._schema_on_200_201.properties.labels + labels.Element = AAZStrType() + + tactics = cls._schema_on_200_201.properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200_201.properties.techniques + techniques.Element = AAZStrType() + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + 
serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +def _build_schema_user_info_create(_builder): + if _builder is None: + return + _builder.set_prop("objectId", AAZStrType, ".object_id", typ_kwargs={"nullable": True}) + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_delete.py new file mode 100644 index 00000000000..e4779af49a4 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_delete.py 
@@ -0,0 +1,135 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the bookmark. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["-n", "--name", "--bookmark-id"], + help="ID of bookmark.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarksDelete(ctx=self.ctx)() + + class BookmarksDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_expand.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_expand.py new file mode 100644 index 00000000000..d75e4f19859 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_expand.py 
@@ -0,0 +1,1400 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark expand", + is_experimental=True, +) +class Expand(AAZCommand): + """Expand an bookmark + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/expand", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["-n", "--name", "--bookmark-id"], + help="ID of bookmark.", + required=True, + is_experimental=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "Parameters" + + _args_schema = cls._args_schema + _args_schema.end_time = AAZStrArg( + options=["--end-time"], + arg_group="Parameters", + help="The end date filter, so the only expansion results returned are before this date.", + ) + _args_schema.expansion_id = AAZStrArg( + 
options=["--expansion-id"], + arg_group="Parameters", + help="The Id of the expansion to perform.", + ) + _args_schema.start_time = AAZStrArg( + options=["--start-time"], + arg_group="Parameters", + help="The start date filter, so the only expansion results returned are after this date.", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarkExpand(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarkExpand(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + 
parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("endTime", AAZStrType, ".end_time") + _builder.set_prop("expansionId", AAZStrType, ".expansion_id") + _builder.set_prop("startTime", AAZStrType, ".start_time") + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.meta_data = AAZObjectType( + serialized_name="metaData", + ) + _schema_on_200.value = AAZObjectType() + + meta_data = cls._schema_on_200.meta_data + meta_data.aggregations = AAZListType() + + aggregations = cls._schema_on_200.meta_data.aggregations + aggregations.Element = AAZObjectType() + + _element = cls._schema_on_200.meta_data.aggregations.Element + _element.aggregation_type = AAZStrType( + serialized_name="aggregationType", + ) + _element.count = AAZIntType( + flags={"required": True}, + ) + _element.display_name = AAZStrType( + serialized_name="displayName", + ) + _element.entity_kind = AAZStrType( + serialized_name="entityKind", + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.edges = AAZListType() + value.entities = AAZListType() + + edges = cls._schema_on_200.value.edges + edges.Element = AAZObjectType() + + _element = cls._schema_on_200.value.edges.Element + _element.target_entity_id = AAZStrType( + 
serialized_name="targetEntityId", + ) + + entities = cls._schema_on_200.value.entities + entities.Element = AAZObjectType() + + _element = cls._schema_on_200.value.entities.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.entities.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_account = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Account") + disc_account.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Account").properties + properties.aad_tenant_id = AAZStrType( + serialized_name="aadTenantId", + flags={"read_only": True}, + ) + properties.aad_user_id = AAZStrType( + serialized_name="aadUserId", + flags={"read_only": True}, + ) + properties.account_name = AAZStrType( + serialized_name="accountName", + flags={"read_only": True}, + ) + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + 
properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.dns_domain = AAZStrType( + serialized_name="dnsDomain", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + properties.is_domain_joined = AAZBoolType( + serialized_name="isDomainJoined", + flags={"read_only": True}, + ) + properties.nt_domain = AAZStrType( + serialized_name="ntDomain", + flags={"read_only": True}, + ) + properties.object_guid = AAZStrType( + serialized_name="objectGuid", + flags={"read_only": True}, + ) + properties.puid = AAZStrType( + flags={"read_only": True}, + ) + properties.sid = AAZStrType( + flags={"read_only": True}, + ) + properties.upn_suffix = AAZStrType( + serialized_name="upnSuffix", + flags={"read_only": True}, + ) + + disc_azure_resource = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "AzureResource") + disc_azure_resource.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "AzureResource").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.resource_id = AAZStrType( + serialized_name="resourceId", + flags={"read_only": True}, + ) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + flags={"read_only": True}, + ) + + disc_bookmark = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Bookmark") + disc_bookmark.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", 
"Bookmark").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + incident_info = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Bookmark").properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Bookmark").properties.labels + labels.Element = AAZStrType() + + disc_cloud_application = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "CloudApplication") + disc_cloud_application.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "CloudApplication").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + 
properties.app_id = AAZIntType( + serialized_name="appId", + flags={"read_only": True}, + ) + properties.app_name = AAZStrType( + serialized_name="appName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.instance_name = AAZStrType( + serialized_name="instanceName", + flags={"read_only": True}, + ) + + disc_dns_resolution = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "DnsResolution") + disc_dns_resolution.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "DnsResolution").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.dns_server_ip_entity_id = AAZStrType( + serialized_name="dnsServerIpEntityId", + flags={"read_only": True}, + ) + properties.domain_name = AAZStrType( + serialized_name="domainName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_ip_address_entity_id = AAZStrType( + serialized_name="hostIpAddressEntityId", + flags={"read_only": True}, + ) + properties.ip_address_entity_ids = AAZListType( + serialized_name="ipAddressEntityIds", + flags={"read_only": True}, + ) + + ip_address_entity_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "DnsResolution").properties.ip_address_entity_ids + ip_address_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_file = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "File") + disc_file.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "File").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + 
flags={"read_only": True}, + ) + properties.directory = AAZStrType( + flags={"read_only": True}, + ) + properties.file_hash_entity_ids = AAZListType( + serialized_name="fileHashEntityIds", + flags={"read_only": True}, + ) + properties.file_name = AAZStrType( + serialized_name="fileName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + + file_hash_entity_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "File").properties.file_hash_entity_ids + file_hash_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_file_hash = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "FileHash") + disc_file_hash.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "FileHash").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.algorithm = AAZStrType( + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.hash_value = AAZStrType( + serialized_name="hashValue", + flags={"read_only": True}, + ) + + disc_host = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Host") + disc_host.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Host").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.azure_id = AAZStrType( + serialized_name="azureID", + flags={"read_only": True}, + ) + properties.dns_domain = AAZStrType( + serialized_name="dnsDomain", + 
flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_name = AAZStrType( + serialized_name="hostName", + flags={"read_only": True}, + ) + properties.is_domain_joined = AAZBoolType( + serialized_name="isDomainJoined", + flags={"read_only": True}, + ) + properties.net_bios_name = AAZStrType( + serialized_name="netBiosName", + flags={"read_only": True}, + ) + properties.nt_domain = AAZStrType( + serialized_name="ntDomain", + flags={"read_only": True}, + ) + properties.oms_agent_id = AAZStrType( + serialized_name="omsAgentID", + flags={"read_only": True}, + ) + properties.os_family = AAZStrType( + serialized_name="osFamily", + ) + properties.os_version = AAZStrType( + serialized_name="osVersion", + flags={"read_only": True}, + ) + + disc_io_t_device = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "IoTDevice") + disc_io_t_device.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "IoTDevice").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.device_id = AAZStrType( + serialized_name="deviceId", + flags={"read_only": True}, + ) + properties.device_name = AAZStrType( + serialized_name="deviceName", + flags={"read_only": True}, + ) + properties.device_type = AAZStrType( + serialized_name="deviceType", + flags={"read_only": True}, + ) + properties.edge_id = AAZStrType( + serialized_name="edgeId", + flags={"read_only": True}, + ) + properties.firmware_version = AAZStrType( + serialized_name="firmwareVersion", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + 
properties.iot_hub_entity_id = AAZStrType( + serialized_name="iotHubEntityId", + flags={"read_only": True}, + ) + properties.iot_security_agent_id = AAZStrType( + serialized_name="iotSecurityAgentId", + flags={"read_only": True}, + ) + properties.ip_address_entity_id = AAZStrType( + serialized_name="ipAddressEntityId", + flags={"read_only": True}, + ) + properties.mac_address = AAZStrType( + serialized_name="macAddress", + flags={"read_only": True}, + ) + properties.model = AAZStrType( + flags={"read_only": True}, + ) + properties.operating_system = AAZStrType( + serialized_name="operatingSystem", + flags={"read_only": True}, + ) + properties.protocols = AAZListType( + flags={"read_only": True}, + ) + properties.serial_number = AAZStrType( + serialized_name="serialNumber", + flags={"read_only": True}, + ) + properties.source = AAZStrType( + flags={"read_only": True}, + ) + properties.threat_intelligence = AAZListType( + serialized_name="threatIntelligence", + flags={"read_only": True}, + ) + properties.vendor = AAZStrType( + flags={"read_only": True}, + ) + + protocols = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "IoTDevice").properties.protocols + protocols.Element = AAZStrType( + flags={"read_only": True}, + ) + + threat_intelligence = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "IoTDevice").properties.threat_intelligence + threat_intelligence.Element = AAZObjectType( + flags={"read_only": True}, + ) + _build_schema_threat_intelligence_read(threat_intelligence.Element) + + disc_ip = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Ip") + disc_ip.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Ip").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.address = AAZStrType( + flags={"read_only": True}, + ) + 
properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.location = AAZObjectType( + flags={"read_only": True}, + ) + properties.threat_intelligence = AAZListType( + serialized_name="threatIntelligence", + flags={"read_only": True}, + ) + + location = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Ip").properties.location + location.asn = AAZIntType( + flags={"read_only": True}, + ) + location.city = AAZStrType( + flags={"read_only": True}, + ) + location.country_code = AAZStrType( + serialized_name="countryCode", + flags={"read_only": True}, + ) + location.country_name = AAZStrType( + serialized_name="countryName", + flags={"read_only": True}, + ) + location.latitude = AAZFloatType( + flags={"read_only": True}, + ) + location.longitude = AAZFloatType( + flags={"read_only": True}, + ) + location.state = AAZStrType( + flags={"read_only": True}, + ) + + threat_intelligence = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Ip").properties.threat_intelligence + threat_intelligence.Element = AAZObjectType( + flags={"read_only": True}, + ) + _build_schema_threat_intelligence_read(threat_intelligence.Element) + + disc_mail_cluster = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailCluster") + disc_mail_cluster.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailCluster").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.cluster_group = AAZStrType( + serialized_name="clusterGroup", + flags={"read_only": True}, + ) + properties.cluster_query_end_time = AAZStrType( + serialized_name="clusterQueryEndTime", + flags={"read_only": True}, + ) + properties.cluster_query_start_time = AAZStrType( + serialized_name="clusterQueryStartTime", + flags={"read_only": True}, + ) + 
properties.cluster_source_identifier = AAZStrType( + serialized_name="clusterSourceIdentifier", + flags={"read_only": True}, + ) + properties.cluster_source_type = AAZStrType( + serialized_name="clusterSourceType", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.is_volume_anomaly = AAZBoolType( + serialized_name="isVolumeAnomaly", + flags={"read_only": True}, + ) + properties.mail_count = AAZIntType( + serialized_name="mailCount", + flags={"read_only": True}, + ) + properties.network_message_ids = AAZListType( + serialized_name="networkMessageIds", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"read_only": True}, + ) + properties.query_time = AAZStrType( + serialized_name="queryTime", + flags={"read_only": True}, + ) + properties.source = AAZStrType( + flags={"read_only": True}, + ) + properties.threats = AAZListType( + flags={"read_only": True}, + ) + + network_message_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailCluster").properties.network_message_ids + network_message_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + threats = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailCluster").properties.threats + threats.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_mail_message = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage") + disc_mail_message.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.antispam_direction = AAZStrType( + serialized_name="antispamDirection", + ) + properties.body_fingerprint_bin1 = AAZIntType( + serialized_name="bodyFingerprintBin1", + ) + 
properties.body_fingerprint_bin2 = AAZIntType( + serialized_name="bodyFingerprintBin2", + ) + properties.body_fingerprint_bin3 = AAZIntType( + serialized_name="bodyFingerprintBin3", + ) + properties.body_fingerprint_bin4 = AAZIntType( + serialized_name="bodyFingerprintBin4", + ) + properties.body_fingerprint_bin5 = AAZIntType( + serialized_name="bodyFingerprintBin5", + ) + properties.delivery_action = AAZStrType( + serialized_name="deliveryAction", + ) + properties.delivery_location = AAZStrType( + serialized_name="deliveryLocation", + ) + properties.file_entity_ids = AAZListType( + serialized_name="fileEntityIds", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.internet_message_id = AAZStrType( + serialized_name="internetMessageId", + flags={"read_only": True}, + ) + properties.language = AAZStrType( + flags={"read_only": True}, + ) + properties.network_message_id = AAZStrType( + serialized_name="networkMessageId", + flags={"read_only": True}, + ) + properties.p1_sender = AAZStrType( + serialized_name="p1Sender", + flags={"read_only": True}, + ) + properties.p1_sender_display_name = AAZStrType( + serialized_name="p1SenderDisplayName", + flags={"read_only": True}, + ) + properties.p1_sender_domain = AAZStrType( + serialized_name="p1SenderDomain", + flags={"read_only": True}, + ) + properties.p2_sender = AAZStrType( + serialized_name="p2Sender", + flags={"read_only": True}, + ) + properties.p2_sender_display_name = AAZStrType( + serialized_name="p2SenderDisplayName", + flags={"read_only": True}, + ) + properties.p2_sender_domain = AAZStrType( + serialized_name="p2SenderDomain", + flags={"read_only": True}, + ) + properties.receive_date = AAZStrType( + serialized_name="receiveDate", + flags={"read_only": True}, + ) + properties.recipient = AAZStrType( + flags={"read_only": True}, + ) + properties.sender_ip = AAZStrType( + serialized_name="senderIP", + 
flags={"read_only": True}, + ) + properties.subject = AAZStrType( + flags={"read_only": True}, + ) + properties.threat_detection_methods = AAZListType( + serialized_name="threatDetectionMethods", + flags={"read_only": True}, + ) + properties.threats = AAZListType( + flags={"read_only": True}, + ) + properties.urls = AAZListType( + flags={"read_only": True}, + ) + + file_entity_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage").properties.file_entity_ids + file_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + threat_detection_methods = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage").properties.threat_detection_methods + threat_detection_methods.Element = AAZStrType( + flags={"read_only": True}, + ) + + threats = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage").properties.threats + threats.Element = AAZStrType( + flags={"read_only": True}, + ) + + urls = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "MailMessage").properties.urls + urls.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_mailbox = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Mailbox") + disc_mailbox.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Mailbox").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.external_directory_object_id = AAZStrType( + serialized_name="externalDirectoryObjectId", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.mailbox_primary_address = AAZStrType( + serialized_name="mailboxPrimaryAddress", + 
flags={"read_only": True}, + ) + properties.upn = AAZStrType( + flags={"read_only": True}, + ) + + disc_malware = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Malware") + disc_malware.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Malware").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.category = AAZStrType( + flags={"read_only": True}, + ) + properties.file_entity_ids = AAZListType( + serialized_name="fileEntityIds", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.malware_name = AAZStrType( + serialized_name="malwareName", + flags={"read_only": True}, + ) + properties.process_entity_ids = AAZListType( + serialized_name="processEntityIds", + flags={"read_only": True}, + ) + + file_entity_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Malware").properties.file_entity_ids + file_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + process_entity_ids = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Malware").properties.process_entity_ids + process_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_process = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Process") + disc_process.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Process").properties + properties.account_entity_id = AAZStrType( + serialized_name="accountEntityId", + flags={"read_only": True}, + ) + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.command_line = AAZStrType( + serialized_name="commandLine", + 
flags={"read_only": True}, + ) + properties.creation_time_utc = AAZStrType( + serialized_name="creationTimeUtc", + flags={"read_only": True}, + ) + properties.elevation_token = AAZStrType( + serialized_name="elevationToken", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + properties.host_logon_session_entity_id = AAZStrType( + serialized_name="hostLogonSessionEntityId", + flags={"read_only": True}, + ) + properties.image_file_entity_id = AAZStrType( + serialized_name="imageFileEntityId", + flags={"read_only": True}, + ) + properties.parent_process_entity_id = AAZStrType( + serialized_name="parentProcessEntityId", + flags={"read_only": True}, + ) + properties.process_id = AAZStrType( + serialized_name="processId", + flags={"read_only": True}, + ) + + disc_registry_key = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "RegistryKey") + disc_registry_key.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "RegistryKey").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.hive = AAZStrType( + flags={"read_only": True}, + ) + properties.key = AAZStrType( + flags={"read_only": True}, + ) + + disc_registry_value = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "RegistryValue") + disc_registry_value.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "RegistryValue").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + 
) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.key_entity_id = AAZStrType( + serialized_name="keyEntityId", + flags={"read_only": True}, + ) + properties.value_data = AAZStrType( + serialized_name="valueData", + flags={"read_only": True}, + ) + properties.value_name = AAZStrType( + serialized_name="valueName", + flags={"read_only": True}, + ) + properties.value_type = AAZStrType( + serialized_name="valueType", + flags={"read_only": True}, + ) + + disc_security_alert = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert") + disc_security_alert.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.alert_display_name = AAZStrType( + serialized_name="alertDisplayName", + flags={"read_only": True}, + ) + properties.alert_link = AAZStrType( + serialized_name="alertLink", + flags={"read_only": True}, + ) + properties.alert_type = AAZStrType( + serialized_name="alertType", + flags={"read_only": True}, + ) + properties.compromised_entity = AAZStrType( + serialized_name="compromisedEntity", + flags={"read_only": True}, + ) + properties.confidence_level = AAZStrType( + serialized_name="confidenceLevel", + flags={"read_only": True}, + ) + properties.confidence_reasons = AAZListType( + serialized_name="confidenceReasons", + flags={"read_only": True}, + ) + properties.confidence_score = AAZFloatType( + serialized_name="confidenceScore", + flags={"read_only": True}, + ) + properties.confidence_score_status = AAZStrType( + serialized_name="confidenceScoreStatus", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.end_time_utc = AAZStrType( + 
serialized_name="endTimeUtc", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.intent = AAZStrType( + flags={"read_only": True}, + ) + properties.processing_end_time = AAZStrType( + serialized_name="processingEndTime", + flags={"read_only": True}, + ) + properties.product_component_name = AAZStrType( + serialized_name="productComponentName", + flags={"read_only": True}, + ) + properties.product_name = AAZStrType( + serialized_name="productName", + flags={"read_only": True}, + ) + properties.product_version = AAZStrType( + serialized_name="productVersion", + flags={"read_only": True}, + ) + properties.provider_alert_id = AAZStrType( + serialized_name="providerAlertId", + flags={"read_only": True}, + ) + properties.remediation_steps = AAZListType( + serialized_name="remediationSteps", + flags={"read_only": True}, + ) + properties.severity = AAZStrType() + properties.start_time_utc = AAZStrType( + serialized_name="startTimeUtc", + flags={"read_only": True}, + ) + properties.status = AAZStrType( + flags={"read_only": True}, + ) + properties.system_alert_id = AAZStrType( + serialized_name="systemAlertId", + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.time_generated = AAZStrType( + serialized_name="timeGenerated", + flags={"read_only": True}, + ) + properties.vendor_name = AAZStrType( + serialized_name="vendorName", + flags={"read_only": True}, + ) + + confidence_reasons = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert").properties.confidence_reasons + confidence_reasons.Element = AAZObjectType( + flags={"read_only": True}, + ) + + _element = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert").properties.confidence_reasons.Element + _element.reason = AAZStrType( + flags={"read_only": True}, + ) + _element.reason_type = AAZStrType( + 
serialized_name="reasonType", + flags={"read_only": True}, + ) + + remediation_steps = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert").properties.remediation_steps + remediation_steps.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityAlert").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_security_group = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityGroup") + disc_security_group.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SecurityGroup").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.distinguished_name = AAZStrType( + serialized_name="distinguishedName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.object_guid = AAZStrType( + serialized_name="objectGuid", + flags={"read_only": True}, + ) + properties.sid = AAZStrType( + flags={"read_only": True}, + ) + + disc_submission_mail = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SubmissionMail") + disc_submission_mail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "SubmissionMail").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.network_message_id = AAZStrType( + serialized_name="networkMessageId", + flags={"read_only": True}, + ) + properties.recipient = AAZStrType( + flags={"read_only": True}, + ) + 
properties.report_type = AAZStrType( + serialized_name="reportType", + flags={"read_only": True}, + ) + properties.sender = AAZStrType( + flags={"read_only": True}, + ) + properties.sender_ip = AAZStrType( + serialized_name="senderIp", + flags={"read_only": True}, + ) + properties.subject = AAZStrType( + flags={"read_only": True}, + ) + properties.submission_date = AAZStrType( + serialized_name="submissionDate", + flags={"read_only": True}, + ) + properties.submission_id = AAZStrType( + serialized_name="submissionId", + flags={"read_only": True}, + ) + properties.submitter = AAZStrType( + flags={"read_only": True}, + ) + properties.timestamp = AAZStrType( + flags={"read_only": True}, + ) + + disc_url = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Url") + disc_url.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.entities.Element.discriminate_by("kind", "Url").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.url = AAZStrType( + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_threat_intelligence_read = None + + +def _build_schema_threat_intelligence_read(_schema): + global _schema_threat_intelligence_read + if _schema_threat_intelligence_read is not None: + _schema.confidence = _schema_threat_intelligence_read.confidence + _schema.provider_name = _schema_threat_intelligence_read.provider_name + _schema.report_link = _schema_threat_intelligence_read.report_link + _schema.threat_description = _schema_threat_intelligence_read.threat_description + _schema.threat_name = _schema_threat_intelligence_read.threat_name + _schema.threat_type = _schema_threat_intelligence_read.threat_type + return + + _schema_threat_intelligence_read = AAZObjectType( + flags={"read_only": True} + ) 
+ + threat_intelligence_read = _schema_threat_intelligence_read + threat_intelligence_read.confidence = AAZFloatType( + flags={"read_only": True}, + ) + threat_intelligence_read.provider_name = AAZStrType( + serialized_name="providerName", + flags={"read_only": True}, + ) + threat_intelligence_read.report_link = AAZStrType( + serialized_name="reportLink", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_description = AAZStrType( + serialized_name="threatDescription", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_name = AAZStrType( + serialized_name="threatName", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_type = AAZStrType( + serialized_name="threatType", + flags={"read_only": True}, + ) + + _schema.confidence = _schema_threat_intelligence_read.confidence + _schema.provider_name = _schema_threat_intelligence_read.provider_name + _schema.report_link = _schema_threat_intelligence_read.report_link + _schema.threat_description = _schema_threat_intelligence_read.threat_description + _schema.threat_name = _schema_threat_intelligence_read.threat_name + _schema.threat_type = _schema_threat_intelligence_read.threat_type + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Expand"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_list.py new file mode 100644 index 00000000000..76717510c8a --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_list.py 
@@ -0,0 +1,311 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark list", + is_experimental=True, +) +class List(AAZCommand): + """Get all bookmarks. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarksList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class BookmarksList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = 
self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = 
cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_end_time = AAZStrType( + serialized_name="queryEndTime", + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.query_start_time = AAZStrType( + serialized_name="queryStartTime", + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + entity_mappings = cls._schema_on_200.value.Element.properties.entity_mappings + entity_mappings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.entity_mappings.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + 
field_mappings = cls._schema_on_200.value.Element.properties.entity_mappings.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrType() + _element.value = AAZStrType() + + incident_info = cls._schema_on_200.value.Element.properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = cls._schema_on_200.value.Element.properties.labels + labels.Element = AAZStrType() + + tactics = cls._schema_on_200.value.Element.properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.value.Element.properties.techniques + techniques.Element = AAZStrType() + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = 
_schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_show.py new file mode 100644 index 00000000000..4dbc4c4a3d4 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_show.py 
@@ -0,0 +1,311 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a bookmark. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["-n", "--name", "--bookmark-id"], + help="ID of bookmark.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarksGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarksGet(AAZHttpOperation): 
+ CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + 
flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_end_time = AAZStrType( + serialized_name="queryEndTime", + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.query_start_time = AAZStrType( + serialized_name="queryStartTime", + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + entity_mappings = cls._schema_on_200.properties.entity_mappings + entity_mappings.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.entity_mappings.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = cls._schema_on_200.properties.entity_mappings.Element.field_mappings + field_mappings.Element = 
AAZObjectType() + + _element = cls._schema_on_200.properties.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrType() + _element.value = AAZStrType() + + incident_info = cls._schema_on_200.properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = cls._schema_on_200.properties.labels + labels.Element = AAZStrType() + + tactics = cls._schema_on_200.properties.tactics + tactics.Element = AAZStrType() + + techniques = cls._schema_on_200.properties.techniques + techniques.Element = AAZStrType() + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + 
flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_update.py new file mode 100644 index 00000000000..f1ee3dea926 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/_update.py 
@@ -0,0 +1,722 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the bookmark. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["-n", "--name", "--bookmark-id"], + help="ID of bookmark.", + required=True, + is_experimental=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Bookmark" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Bookmark", + help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group 
"Properties" + + _args_schema = cls._args_schema + _args_schema.created = AAZStrArg( + options=["--created"], + arg_group="Properties", + help="The time the bookmark was created", + nullable=True, + ) + _args_schema.created_by = AAZObjectArg( + options=["--created-by"], + arg_group="Properties", + help="Describes a user that created the bookmark", + nullable=True, + ) + cls._build_args_user_info_update(_args_schema.created_by) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the bookmark", + ) + _args_schema.entity_mappings = AAZListArg( + options=["--entity-mappings"], + arg_group="Properties", + help="Describes the entity mappings of the bookmark", + nullable=True, + ) + _args_schema.event_time = AAZStrArg( + options=["--event-time"], + arg_group="Properties", + help="The bookmark event time", + nullable=True, + ) + _args_schema.incident_info = AAZObjectArg( + options=["--incident-info"], + arg_group="Properties", + help="Describes an incident that relates to bookmark", + nullable=True, + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this bookmark", + nullable=True, + ) + _args_schema.notes = AAZStrArg( + options=["--notes"], + arg_group="Properties", + help="The notes of the bookmark", + nullable=True, + ) + _args_schema.query_content = AAZStrArg( + options=["--query-content"], + arg_group="Properties", + help="The query of the bookmark.", + is_experimental=True, + ) + _args_schema.query_end_time = AAZStrArg( + options=["--query-end-time"], + arg_group="Properties", + help="The end time for the query", + nullable=True, + ) + _args_schema.query_result = AAZStrArg( + options=["--query-result"], + arg_group="Properties", + help="The query result of the bookmark.", + nullable=True, + ) + _args_schema.query_start_time = AAZStrArg( + options=["--query-start-time"], + arg_group="Properties", + help="The start time for 
the query", + nullable=True, + ) + _args_schema.tactics = AAZListArg( + options=["--tactics"], + arg_group="Properties", + help="A list of relevant mitre attacks", + nullable=True, + ) + _args_schema.techniques = AAZListArg( + options=["--techniques"], + arg_group="Properties", + help="A list of relevant mitre techniques", + nullable=True, + ) + _args_schema.updated = AAZStrArg( + options=["--updated"], + arg_group="Properties", + help="The last time the bookmark was updated", + nullable=True, + ) + _args_schema.updated_by = AAZObjectArg( + options=["--updated-by"], + arg_group="Properties", + help="Describes a user that updated the bookmark", + nullable=True, + ) + cls._build_args_user_info_update(_args_schema.updated_by) + + entity_mappings = cls._args_schema.entity_mappings + entity_mappings.Element = AAZObjectArg() + + _element = cls._args_schema.entity_mappings.Element + _element.entity_type = AAZStrArg( + options=["entity-type"], + help="The entity type", + nullable=True, + ) + _element.field_mappings = AAZListArg( + options=["field-mappings"], + help="Array of fields mapping for that entity type", + nullable=True, + ) + + field_mappings = cls._args_schema.entity_mappings.Element.field_mappings + field_mappings.Element = AAZObjectArg() + + _element = cls._args_schema.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrArg( + options=["identifier"], + help="Alert V3 identifier", + nullable=True, + ) + _element.value = AAZStrArg( + options=["value"], + help="The value of the identifier", + nullable=True, + ) + + incident_info = cls._args_schema.incident_info + incident_info.incident_id = AAZStrArg( + options=["incident-id"], + help="Incident Id", + nullable=True, + ) + incident_info.relation_name = AAZStrArg( + options=["relation-name"], + help="Relation Name", + nullable=True, + ) + incident_info.severity = AAZStrArg( + options=["severity"], + help="The severity of the incident", + nullable=True, + enum={"High": "High", 
"Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + incident_info.title = AAZStrArg( + options=["title"], + help="The title of the incident", + nullable=True, + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + tactics = cls._args_schema.tactics + tactics.Element = AAZStrArg( + enum={"Collection": "Collection", "CommandAndControl": "CommandAndControl", "CredentialAccess": "CredentialAccess", "DefenseEvasion": "DefenseEvasion", "Discovery": "Discovery", "Execution": "Execution", "Exfiltration": "Exfiltration", "Impact": "Impact", "ImpairProcessControl": "ImpairProcessControl", "InhibitResponseFunction": "InhibitResponseFunction", "InitialAccess": "InitialAccess", "LateralMovement": "LateralMovement", "Persistence": "Persistence", "PreAttack": "PreAttack", "PrivilegeEscalation": "PrivilegeEscalation", "Reconnaissance": "Reconnaissance", "ResourceDevelopment": "ResourceDevelopment"}, + ) + + techniques = cls._args_schema.techniques + techniques.Element = AAZStrArg() + return cls._args_schema + + _args_user_info_update = None + + @classmethod + def _build_args_user_info_update(cls, _schema): + if cls._args_user_info_update is not None: + _schema.object_id = cls._args_user_info_update.object_id + return + + cls._args_user_info_update = AAZObjectArg( + nullable=True, + ) + + user_info_update = cls._args_user_info_update + user_info_update.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user.", + nullable=True, + ) + + _schema.object_id = cls._args_user_info_update.object_id + + def _execute_operations(self): + self.BookmarksGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.BookmarksCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarksGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_bookmark_read(cls._schema_on_200) + + return cls._schema_on_200 + + class BookmarksCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = 
"MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + 
@classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_bookmark_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("created", AAZStrType, ".created") + _build_schema_user_info_update(properties.set_prop("createdBy", AAZObjectType, ".created_by")) + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("entityMappings", AAZListType, ".entity_mappings") + properties.set_prop("eventTime", AAZStrType, ".event_time") + properties.set_prop("incidentInfo", AAZObjectType, ".incident_info") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("notes", AAZStrType, ".notes") + properties.set_prop("query", AAZStrType, ".query_content", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("queryEndTime", AAZStrType, ".query_end_time") + properties.set_prop("queryResult", AAZStrType, ".query_result") + properties.set_prop("queryStartTime", AAZStrType, ".query_start_time") + properties.set_prop("tactics", AAZListType, ".tactics") + properties.set_prop("techniques", AAZListType, ".techniques") + properties.set_prop("updated", AAZStrType, ".updated") + _build_schema_user_info_update(properties.set_prop("updatedBy", AAZObjectType, ".updated_by")) + + entity_mappings = 
_builder.get(".properties.entityMappings") + if entity_mappings is not None: + entity_mappings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.entityMappings[]") + if _elements is not None: + _elements.set_prop("entityType", AAZStrType, ".entity_type") + _elements.set_prop("fieldMappings", AAZListType, ".field_mappings") + + field_mappings = _builder.get(".properties.entityMappings[].fieldMappings") + if field_mappings is not None: + field_mappings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.entityMappings[].fieldMappings[]") + if _elements is not None: + _elements.set_prop("identifier", AAZStrType, ".identifier") + _elements.set_prop("value", AAZStrType, ".value") + + incident_info = _builder.get(".properties.incidentInfo") + if incident_info is not None: + incident_info.set_prop("incidentId", AAZStrType, ".incident_id") + incident_info.set_prop("relationName", AAZStrType, ".relation_name") + incident_info.set_prop("severity", AAZStrType, ".severity") + incident_info.set_prop("title", AAZStrType, ".title") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + tactics = _builder.get(".properties.tactics") + if tactics is not None: + tactics.set_elements(AAZStrType, ".") + + techniques = _builder.get(".properties.techniques") + if techniques is not None: + techniques.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +def _build_schema_user_info_update(_builder): + if _builder is None: + return + _builder.set_prop("objectId", AAZStrType, ".object_id", typ_kwargs={"nullable": True}) + + +_schema_bookmark_read = None + + +def _build_schema_bookmark_read(_schema): + global _schema_bookmark_read + if _schema_bookmark_read is not None: + 
_schema.etag = _schema_bookmark_read.etag + _schema.id = _schema_bookmark_read.id + _schema.name = _schema_bookmark_read.name + _schema.properties = _schema_bookmark_read.properties + _schema.system_data = _schema_bookmark_read.system_data + _schema.type = _schema_bookmark_read.type + return + + _schema_bookmark_read = AAZObjectType() + + bookmark_read = _schema_bookmark_read + bookmark_read.etag = AAZStrType() + bookmark_read.id = AAZStrType( + flags={"read_only": True}, + ) + bookmark_read.name = AAZStrType( + flags={"read_only": True}, + ) + bookmark_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + bookmark_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + bookmark_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_bookmark_read.properties + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.entity_mappings = AAZListType( + serialized_name="entityMappings", + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_end_time = AAZStrType( + serialized_name="queryEndTime", + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.query_start_time = AAZStrType( + serialized_name="queryStartTime", + ) + properties.tactics = AAZListType() + properties.techniques = AAZListType() + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + 
entity_mappings = _schema_bookmark_read.properties.entity_mappings + entity_mappings.Element = AAZObjectType() + + _element = _schema_bookmark_read.properties.entity_mappings.Element + _element.entity_type = AAZStrType( + serialized_name="entityType", + ) + _element.field_mappings = AAZListType( + serialized_name="fieldMappings", + ) + + field_mappings = _schema_bookmark_read.properties.entity_mappings.Element.field_mappings + field_mappings.Element = AAZObjectType() + + _element = _schema_bookmark_read.properties.entity_mappings.Element.field_mappings.Element + _element.identifier = AAZStrType() + _element.value = AAZStrType() + + incident_info = _schema_bookmark_read.properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = _schema_bookmark_read.properties.labels + labels.Element = AAZStrType() + + tactics = _schema_bookmark_read.properties.tactics + tactics.Element = AAZStrType() + + techniques = _schema_bookmark_read.properties.techniques + techniques.Element = AAZStrType() + + system_data = _schema_bookmark_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_bookmark_read.etag + _schema.id = 
_schema_bookmark_read.id + _schema.name = _schema_bookmark_read.name + _schema.properties = _schema_bookmark_read.properties + _schema.system_data = _schema_bookmark_read.system_data + _schema.type = _schema_bookmark_read.type + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__cmd_group.py new file mode 100644 index 00000000000..2dd02e3e1f7 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel bookmark relation", +) +class __CMDGroup(AAZCommandGroup): + """Manage bookmark relation with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_create.py new file mode 100644 index 00000000000..d87ce9787af --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_create.py 
@@ -0,0 +1,266 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark relation create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the bookmark relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["--bookmark-id"], + help="Bookmark ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.related_resource_id = AAZStrArg( + 
options=["--related-resource-id"], + arg_group="Properties", + help="The resource ID of the related resource", + ) + + # define Arg Group "Relation" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Relation", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarkRelationsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarkRelationsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + 
parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("relatedResourceId", AAZStrType, ".related_resource_id", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": 
True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_delete.py new file mode 100644 index 00000000000..a3a6d7133e5 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_delete.py 
@@ -0,0 +1,143 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark relation delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the bookmark relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["--bookmark-id"], + help="Bookmark ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + 
self.BookmarkRelationsDelete(ctx=self.ctx)() + + class BookmarkRelationsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_list.py new file mode 100644 index 00000000000..7a7c369c8d5 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_list.py 
@@ -0,0 +1,257 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark relation list", + is_experimental=True, +) +class List(AAZCommand): + """Get all bookmark relations. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/relations", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["--bookmark-id"], + help="Bookmark ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. 
Optional.", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarkRelationsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class BookmarkRelationsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", 
self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + "$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( + "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = 
AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_show.py new file mode 100644 index 00000000000..2694c264d58 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_show.py 
@@ -0,0 +1,229 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark relation show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a bookmark relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["--bookmark-id"], + help="Bookmark ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarkRelationsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + 
result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarkRelationsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + 
@classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_update.py new file mode 100644 index 00000000000..e029f984b5b --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/bookmark/relation/_update.py 
@@ -0,0 +1,409 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel bookmark relation update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the bookmark relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/bookmarks/{}/relations/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.bookmark_id = AAZStrArg( + options=["--bookmark-id"], + help="Bookmark ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.related_resource_id 
= AAZStrArg( + options=["--related-resource-id"], + arg_group="Properties", + help="The resource ID of the related resource", + ) + + # define Arg Group "Relation" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Relation", + help="Etag of the azure resource", + nullable=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.BookmarkRelationsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.BookmarkRelationsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class BookmarkRelationsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + 
"workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_relation_read(cls._schema_on_200) + + return cls._schema_on_200 + + class BookmarkRelationsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "bookmarkId", self.ctx.args.bookmark_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, 
+ required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_relation_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("relatedResourceId", AAZStrType, ".related_resource_id", typ_kwargs={"flags": {"required": True}}) + + return _instance_value + + 
class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_relation_read = None + + +def _build_schema_relation_read(_schema): + global _schema_relation_read + if _schema_relation_read is not None: + _schema.etag = _schema_relation_read.etag + _schema.id = _schema_relation_read.id + _schema.name = _schema_relation_read.name + _schema.properties = _schema_relation_read.properties + _schema.system_data = _schema_relation_read.system_data + _schema.type = _schema_relation_read.type + return + + _schema_relation_read = AAZObjectType() + + relation_read = _schema_relation_read + relation_read.etag = AAZStrType() + relation_read.id = AAZStrType( + flags={"read_only": True}, + ) + relation_read.name = AAZStrType( + flags={"read_only": True}, + ) + relation_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + relation_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + relation_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_relation_read.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = _schema_relation_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = 
AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_relation_read.etag + _schema.id = _schema_relation_read.id + _schema.name = _schema_relation_read.name + _schema.properties = _schema_relation_read.properties + _schema.system_data = _schema_relation_read.system_data + _schema.type = _schema_relation_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__cmd_group.py new file mode 100644 index 00000000000..a4de63a7923 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel data-connector", +) +class __CMDGroup(AAZCommandGroup): + """Manage data connector with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__init__.py new file mode 100644 index 00000000000..0adac0577a6 --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/__init__.py @@ -0,0 +1,18 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._connect import * +from ._create import * +from ._delete import * +from ._disconnect import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_connect.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_connect.py new file mode 100644 index 00000000000..e2f8d997618 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_connect.py 
@@ -0,0 +1,210 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector connect", + is_experimental=True, +) +class Connect(AAZCommand): + """Connect a data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}/connect", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["--data-connector-id"], + help="Connector ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "ConnectBody" + + _args_schema = cls._args_schema + _args_schema.api_key = AAZStrArg( + options=["--api-key"], + arg_group="ConnectBody", + help="The API key of the audit server.", + ) + _args_schema.authorization_code = AAZStrArg( + options=["--authorization-code"], + arg_group="ConnectBody", + 
help="The authorization code used in OAuth 2.0 code flow to issue a token.", + ) + _args_schema.client_id = AAZStrArg( + options=["--client-id"], + arg_group="ConnectBody", + help="The client id of the OAuth 2.0 application.", + ) + _args_schema.client_secret = AAZStrArg( + options=["--client-secret"], + arg_group="ConnectBody", + help="The client secret of the OAuth 2.0 application.", + ) + _args_schema.endpoint = AAZStrArg( + options=["--endpoint"], + arg_group="ConnectBody", + help="Used in v2 logs connector. Represents the data collection ingestion endpoint in log analytics.", + ) + _args_schema.rule_immutable_id = AAZStrArg( + options=["--rule-immutable-id"], + arg_group="ConnectBody", + help="Used in v2 logs connector. The data collection rule immutable id, the rule defines the transformation and data destination.", + ) + _args_schema.kind = AAZStrArg( + options=["--kind"], + arg_group="ConnectBody", + help="The authentication kind used to poll the data", + enum={"APIKey": "APIKey", "Basic": "Basic", "OAuth2": "OAuth2"}, + ) + _args_schema.output_stream = AAZStrArg( + options=["--output-stream"], + arg_group="ConnectBody", + help="Used in v2 logs connector. 
The stream we are sending the data to, this is the name of the streamDeclarations defined in the DCR.", + ) + _args_schema.password = AAZStrArg( + options=["--password"], + arg_group="ConnectBody", + help="The user password in the audit log server.", + ) + _args_schema.user_name = AAZStrArg( + options=["--user-name"], + arg_group="ConnectBody", + help="The user name in the audit log server.", + ) + return cls._args_schema + + def _execute_operations(self): + self.DataConnectorsConnect(ctx=self.ctx)() + + class DataConnectorsConnect(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/connect", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def 
header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("apiKey", AAZStrType, ".api_key") + _builder.set_prop("authorizationCode", AAZStrType, ".authorization_code") + _builder.set_prop("clientId", AAZStrType, ".client_id") + _builder.set_prop("clientSecret", AAZStrType, ".client_secret") + _builder.set_prop("dataCollectionEndpoint", AAZStrType, ".endpoint") + _builder.set_prop("dataCollectionRuleImmutableId", AAZStrType, ".rule_immutable_id") + _builder.set_prop("kind", AAZStrType, ".kind") + _builder.set_prop("outputStream", AAZStrType, ".output_stream") + _builder.set_prop("password", AAZStrType, ".password") + _builder.set_prop("userName", AAZStrType, ".user_name") + + return self.serialize_content(_content_value) + + def on_200(self, session): + pass + + +__all__ = ["Connect"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_create.py new file mode 100644 index 00000000000..661bd4fcae7 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_create.py 
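Review bot: The `--client-secret`, `--password` and `--api-key` options defined in `_build_arguments_schema` take secrets as plain command-line strings, so their values land in shell history, process listings and any telemetry or logging that records argument values before they are serialized into the `content` body. Nothing in the hunk indicates these arguments are marked as sensitive or masked; if the aaz framework provides a sensitive-argument marker it should be applied to these three, and otherwise the help text should steer users away from inline values, e.g. `help="The client secret of the OAuth 2.0 application. Prefer supplying it from an environment variable or secret store rather than inline."`. Since this file is generated by aaz-dev-tools, the change belongs in the command configuration the generator consumes rather than in this file directly.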
@@ -0,0 +1,2598 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["-n", "--name", "--data-connector-id"], + help="Connector ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "DataConnector" + + _args_schema = cls._args_schema + _args_schema.api_polling = AAZObjectArg( + options=["--api-polling"], + arg_group="DataConnector", + ) + _args_schema.aws_cloud_trail = AAZObjectArg( + options=["--aws-cloud-trail"], + 
arg_group="DataConnector", + help="Amazon web services cloud trail.", + ) + _args_schema.aws_s3 = AAZObjectArg( + options=["--aws-s3"], + arg_group="DataConnector", + help="Amazon web services s3.", + ) + _args_schema.azure_active_directory = AAZObjectArg( + options=["--azure-active-directory"], + arg_group="DataConnector", + ) + _args_schema.azure_protection = AAZObjectArg( + options=["--azure-protection"], + arg_group="DataConnector", + help="Azure advanced threat protection.", + ) + _args_schema.azure_security_center = AAZObjectArg( + options=["--azure-security-center"], + arg_group="DataConnector", + ) + _args_schema.dynamics365 = AAZObjectArg( + options=["--dynamics365"], + arg_group="DataConnector", + ) + _args_schema.generic_ui = AAZObjectArg( + options=["--generic-ui"], + arg_group="DataConnector", + ) + _args_schema.iot = AAZObjectArg( + options=["--iot"], + arg_group="DataConnector", + ) + _args_schema.cloud_app_security = AAZObjectArg( + options=["--cloud-app-security"], + arg_group="DataConnector", + help="Microsoft cloud app security.", + ) + _args_schema.defender_protection = AAZObjectArg( + options=["--defender-protection"], + arg_group="DataConnector", + help="Microsoft defender advanced threat protection.", + ) + _args_schema.microsoft_intelligence = AAZObjectArg( + options=["--microsoft-intelligence"], + arg_group="DataConnector", + help="Microsoft threat intelligence.", + ) + _args_schema.microsoft_protection = AAZObjectArg( + options=["--microsoft-protection"], + arg_group="DataConnector", + help="Microsoft threat protection.", + ) + _args_schema.office365 = AAZObjectArg( + options=["--office365"], + arg_group="DataConnector", + ) + _args_schema.office365_project = AAZObjectArg( + options=["--office365-project"], + arg_group="DataConnector", + ) + _args_schema.office_atp = AAZObjectArg( + options=["--office-atp"], + arg_group="DataConnector", + ) + _args_schema.office_irm = AAZObjectArg( + options=["--office-irm"], + arg_group="DataConnector", + 
) + _args_schema.office_power_bi = AAZObjectArg( + options=["--office-power-bi"], + arg_group="DataConnector", + ) + _args_schema.threat_intelligence = AAZObjectArg( + options=["--threat-intelligence"], + arg_group="DataConnector", + ) + _args_schema.intelligence_taxii = AAZObjectArg( + options=["--intelligence-taxii"], + arg_group="DataConnector", + help="Threat intelligence taxii.", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="DataConnector", + help="Etag of the azure resource", + ) + + api_polling = cls._args_schema.api_polling + api_polling.connector_ui_config = AAZObjectArg( + options=["connector-ui-config"], + help="Config to describe the instructions blade", + ) + cls._build_args_codeless_ui_connector_config_properties_create(api_polling.connector_ui_config) + api_polling.polling_config = AAZObjectArg( + options=["polling-config"], + help="Config to describe the polling instructions", + ) + + polling_config = cls._args_schema.api_polling.polling_config + polling_config.auth = AAZObjectArg( + options=["auth"], + help="Describe the authentication type of the poller", + required=True, + ) + polling_config.is_active = AAZBoolArg( + options=["is-active"], + help="The poller active status", + ) + polling_config.paging = AAZObjectArg( + options=["paging"], + help="Describe the poll request paging config of the poller", + ) + polling_config.request = AAZObjectArg( + options=["request"], + help="Describe the poll request config parameters of the poller", + required=True, + ) + polling_config.response = AAZObjectArg( + options=["response"], + help="Describe the response config parameters of the poller", + ) + + auth = cls._args_schema.api_polling.polling_config.auth + auth.api_key_identifier = AAZStrArg( + options=["api-key-identifier"], + help="A prefix send in the header before the actual token", + ) + auth.api_key_name = AAZStrArg( + options=["api-key-name"], + help="The header name which the token is sent with", + ) + auth.auth_type = 
AAZStrArg( + options=["auth-type"], + help="The authentication type", + required=True, + ) + auth.authorization_endpoint = AAZStrArg( + options=["authorization-endpoint"], + help="The endpoint used to authorize the user, used in Oauth 2.0 flow", + ) + auth.flow_name = AAZStrArg( + options=["flow-name"], + help="Describes the flow name, for example 'AuthCode' for Oauth 2.0", + ) + auth.is_api_key_in_post_payload = AAZStrArg( + options=["is-api-key-in-post-payload"], + help="Marks if the key should sent in header", + ) + auth.is_client_secret_in_header = AAZBoolArg( + options=["is-client-secret-in-header"], + help="Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow", + ) + auth.redirection_endpoint = AAZStrArg( + options=["redirection-endpoint"], + help="The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow", + ) + auth.scope = AAZStrArg( + options=["scope"], + help="The OAuth token scope", + ) + auth.token_endpoint = AAZStrArg( + options=["token-endpoint"], + help="The endpoint used to issue a token, used in Oauth 2.0 flow", + ) + + paging = cls._args_schema.api_polling.polling_config.paging + paging.next_page_para_name = AAZStrArg( + options=["next-page-para-name"], + help="Defines the name of a next page attribute", + ) + paging.next_page_token_json_path = AAZStrArg( + options=["next-page-token-json-path"], + help="Defines the path to a next page token JSON", + ) + paging.page_count_attribute_path = AAZStrArg( + options=["page-count-attribute-path"], + help="Defines the path to a page count attribute", + ) + paging.page_size = AAZIntArg( + options=["page-size"], + help="Defines the paging size", + ) + paging.page_size_para_name = AAZStrArg( + options=["page-size-para-name"], + help="Defines the name of the page size parameter", + ) + paging.page_time_stamp_attribute_path = AAZStrArg( + options=["page-time-stamp-attribute-path"], + help="Defines the path to a paging time stamp attribute", + ) + 
paging.page_total_count_attribute_path = AAZStrArg( + options=["page-total-count-attribute-path"], + help="Defines the path to a page total count attribute", + ) + paging.paging_type = AAZStrArg( + options=["paging-type"], + help="Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'", + required=True, + ) + paging.search_the_latest_time_stamp_from_events_list = AAZStrArg( + options=["search-the-latest-time-stamp-from-events-list"], + help="Determines whether to search for the latest time stamp in the events list", + ) + + request = cls._args_schema.api_polling.polling_config.request + request.api_endpoint = AAZStrArg( + options=["api-endpoint"], + help="Describe the endpoint we should pull the data from", + required=True, + ) + request.end_time_attribute_name = AAZStrArg( + options=["end-time-attribute-name"], + help="This will be used the query events from the end of the time window", + ) + request.http_method = AAZStrArg( + options=["http-method"], + help="The http method type we will use in the poll request, GET or POST", + required=True, + ) + request.query_parameters_template = AAZStrArg( + options=["query-parameters-template"], + help="For advanced scenarios for example user name/password embedded in nested JSON payload", + ) + request.query_time_format = AAZStrArg( + options=["query-time-format"], + help="The time format will be used the query events in a specific window", + required=True, + ) + request.query_window_in_min = AAZIntArg( + options=["query-window-in-min"], + help="The window interval we will use the pull the data", + required=True, + ) + request.rate_limit_qps = AAZIntArg( + options=["rate-limit-qps"], + help="Defines the rate limit QPS", + ) + request.retry_count = AAZIntArg( + options=["retry-count"], + help="Describe the amount of time we should try and poll the data in case of failure", + ) + request.start_time_attribute_name = AAZStrArg( + options=["start-time-attribute-name"], + help="This will be used the query 
events from a start of the time window", + ) + request.timeout_in_seconds = AAZIntArg( + options=["timeout-in-seconds"], + help="The number of seconds we will consider as a request timeout", + ) + + response = cls._args_schema.api_polling.polling_config.response + response.events_json_paths = AAZListArg( + options=["events-json-paths"], + help="Describes the path we should extract the data in the response", + required=True, + ) + response.is_gzip_compressed = AAZBoolArg( + options=["is-gzip-compressed"], + help="Describes if the data in the response is Gzip", + ) + response.success_status_json_path = AAZStrArg( + options=["success-status-json-path"], + help="Describes the path we should extract the status code in the response", + ) + response.success_status_value = AAZStrArg( + options=["success-status-value"], + help="Describes the path we should extract the status value in the response", + ) + + events_json_paths = cls._args_schema.api_polling.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrArg() + + aws_cloud_trail = cls._args_schema.aws_cloud_trail + aws_cloud_trail.aws_role_arn = AAZStrArg( + options=["aws-role-arn"], + help="The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + ) + aws_cloud_trail.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + + data_types = cls._args_schema.aws_cloud_trail.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + required=True, + ) + + logs = cls._args_schema.aws_cloud_trail.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + aws_s3 = cls._args_schema.aws_s3 + aws_s3.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + 
aws_s3.destination_table = AAZStrArg( + options=["destination-table"], + help="The logs destination table name in LogAnalytics.", + ) + aws_s3.role_arn = AAZStrArg( + options=["role-arn"], + help="The Aws Role Arn that is used to access the Aws account.", + ) + aws_s3.sqs_urls = AAZListArg( + options=["sqs-urls"], + help="The AWS sqs urls for the connector.", + ) + + data_types = cls._args_schema.aws_s3.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + required=True, + ) + + logs = cls._args_schema.aws_s3.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + sqs_urls = cls._args_schema.aws_s3.sqs_urls + sqs_urls.Element = AAZStrArg() + + azure_active_directory = cls._args_schema.azure_active_directory + azure_active_directory.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(azure_active_directory.data_types) + azure_active_directory.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + azure_protection = cls._args_schema.azure_protection + azure_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(azure_protection.data_types) + azure_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + azure_security_center = cls._args_schema.azure_security_center + azure_security_center.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(azure_security_center.data_types) + 
azure_security_center.subscription_id = AAZStrArg( + options=["subscription-id"], + help="The subscription id to connect to, and get the data from.", + ) + + dynamics365 = cls._args_schema.dynamics365 + dynamics365.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + dynamics365.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.dynamics365.data_types + data_types.dynamics365_cds_activities = AAZObjectArg( + options=["dynamics365-cds-activities"], + help="Common Data Service data type connection.", + required=True, + ) + + dynamics365_cds_activities = cls._args_schema.dynamics365.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + generic_ui = cls._args_schema.generic_ui + generic_ui.connector_ui_config = AAZObjectArg( + options=["connector-ui-config"], + help="Config to describe the instructions blade", + ) + cls._build_args_codeless_ui_connector_config_properties_create(generic_ui.connector_ui_config) + + iot = cls._args_schema.iot + iot.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(iot.data_types) + iot.subscription_id = AAZStrArg( + options=["subscription-id"], + help="The subscription id to connect to, and get the data from.", + ) + + cloud_app_security = cls._args_schema.cloud_app_security + cloud_app_security.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cloud_app_security.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = 
cls._args_schema.cloud_app_security.data_types + data_types.alerts = AAZObjectArg( + options=["alerts"], + help="Alerts data type connection.", + required=True, + ) + cls._build_args_data_connector_data_type_common_create(data_types.alerts) + data_types.discovery_logs = AAZObjectArg( + options=["discovery-logs"], + help="Discovery log data type connection.", + ) + cls._build_args_data_connector_data_type_common_create(data_types.discovery_logs) + + defender_protection = cls._args_schema.defender_protection + defender_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(defender_protection.data_types) + defender_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + microsoft_intelligence = cls._args_schema.microsoft_intelligence + microsoft_intelligence.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + microsoft_intelligence.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.microsoft_intelligence.data_types + data_types.bing_safety_phishing_url = AAZObjectArg( + options=["bing-safety-phishing-url"], + help="Data type for Microsoft Threat Intelligence Platforms data connector.", + required=True, + ) + data_types.microsoft_emerging_threat_feed = AAZObjectArg( + options=["microsoft-emerging-threat-feed"], + help="Data type for Microsoft Threat Intelligence Platforms data connector.", + required=True, + ) + + bing_safety_phishing_url = cls._args_schema.microsoft_intelligence.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrArg( + options=["lookback-period"], + help="lookback period", + required=True, + ) + bing_safety_phishing_url.state = AAZStrArg( + options=["state"], + 
help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + microsoft_emerging_threat_feed = cls._args_schema.microsoft_intelligence.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrArg( + options=["lookback-period"], + help="lookback period", + required=True, + ) + microsoft_emerging_threat_feed.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + microsoft_protection = cls._args_schema.microsoft_protection + microsoft_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + microsoft_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.microsoft_protection.data_types + data_types.incidents = AAZObjectArg( + options=["incidents"], + help="Data type for Microsoft Threat Protection Platforms data connector.", + required=True, + ) + + incidents = cls._args_schema.microsoft_protection.data_types.incidents + incidents.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office365 = cls._args_schema.office365 + office365.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office365.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office365.data_types + data_types.exchange = AAZObjectArg( + options=["exchange"], + help="Exchange data type connection.", + required=True, + ) + data_types.share_point = AAZObjectArg( + 
options=["share-point"], + help="SharePoint data type connection.", + required=True, + ) + data_types.teams = AAZObjectArg( + options=["teams"], + help="Teams data type connection.", + required=True, + ) + + exchange = cls._args_schema.office365.data_types.exchange + exchange.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + share_point = cls._args_schema.office365.data_types.share_point + share_point.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + teams = cls._args_schema.office365.data_types.teams + teams.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office365_project = cls._args_schema.office365_project + office365_project.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office365_project.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office365_project.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + required=True, + ) + + logs = cls._args_schema.office365_project.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office_atp = cls._args_schema.office_atp + office_atp.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(office_atp.data_types) + 
office_atp.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + office_irm = cls._args_schema.office_irm + office_irm.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cls._build_args_alerts_data_type_of_data_connector_create(office_irm.data_types) + office_irm.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + office_power_bi = cls._args_schema.office_power_bi + office_power_bi.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office_power_bi.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office_power_bi.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + required=True, + ) + + logs = cls._args_schema.office_power_bi.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + threat_intelligence = cls._args_schema.threat_intelligence + threat_intelligence.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + threat_intelligence.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + threat_intelligence.tip_lookback_period = AAZStrArg( + options=["tip-lookback-period"], + help="The lookback period for the feed to be imported.", + nullable=True, + ) + + data_types = cls._args_schema.threat_intelligence.data_types + data_types.indicators = AAZObjectArg( + options=["indicators"], + help="Data type for indicators connection.", + required=True, + ) + + indicators = 
cls._args_schema.threat_intelligence.data_types.indicators + indicators.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + intelligence_taxii = cls._args_schema.intelligence_taxii + intelligence_taxii.collection_id = AAZStrArg( + options=["collection-id"], + help="The collection id of the TAXII server.", + ) + intelligence_taxii.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for Threat Intelligence TAXII data connector.", + ) + intelligence_taxii.friendly_name = AAZStrArg( + options=["friendly-name"], + help="The friendly name for the TAXII server.", + ) + intelligence_taxii.password = AAZStrArg( + options=["password"], + help="The password for the TAXII server.", + ) + intelligence_taxii.polling_frequency = AAZStrArg( + options=["polling-frequency"], + help="The polling frequency for the TAXII server.", + nullable=True, + enum={"OnceADay": "OnceADay", "OnceAMinute": "OnceAMinute", "OnceAnHour": "OnceAnHour"}, + ) + intelligence_taxii.taxii_lookback_period = AAZStrArg( + options=["taxii-lookback-period"], + help="The lookback period for the TAXII server.", + nullable=True, + ) + intelligence_taxii.taxii_server = AAZStrArg( + options=["taxii-server"], + help="The API root for the TAXII server.", + ) + intelligence_taxii.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + intelligence_taxii.user_name = AAZStrArg( + options=["user-name"], + help="The userName for the TAXII server.", + ) + intelligence_taxii.workspace_id = AAZStrArg( + options=["workspace-id"], + help="The workspace id.", + ) + + data_types = cls._args_schema.intelligence_taxii.data_types + data_types.taxii_client = AAZObjectArg( + options=["taxii-client"], + help="Data type for TAXII connector.", + required=True, + ) + + taxii_client = 
cls._args_schema.intelligence_taxii.data_types.taxii_client + taxii_client.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + return cls._args_schema + + _args_alerts_data_type_of_data_connector_create = None + + @classmethod + def _build_args_alerts_data_type_of_data_connector_create(cls, _schema): + if cls._args_alerts_data_type_of_data_connector_create is not None: + _schema.alerts = cls._args_alerts_data_type_of_data_connector_create.alerts + return + + cls._args_alerts_data_type_of_data_connector_create = AAZObjectArg() + + alerts_data_type_of_data_connector_create = cls._args_alerts_data_type_of_data_connector_create + alerts_data_type_of_data_connector_create.alerts = AAZObjectArg( + options=["alerts"], + help="Alerts data type connection.", + required=True, + ) + cls._build_args_data_connector_data_type_common_create(alerts_data_type_of_data_connector_create.alerts) + + _schema.alerts = cls._args_alerts_data_type_of_data_connector_create.alerts + + _args_codeless_ui_connector_config_properties_create = None + + @classmethod + def _build_args_codeless_ui_connector_config_properties_create(cls, _schema): + if cls._args_codeless_ui_connector_config_properties_create is not None: + _schema.availability = cls._args_codeless_ui_connector_config_properties_create.availability + _schema.connectivity_criteria = cls._args_codeless_ui_connector_config_properties_create.connectivity_criteria + _schema.custom_image = cls._args_codeless_ui_connector_config_properties_create.custom_image + _schema.data_types = cls._args_codeless_ui_connector_config_properties_create.data_types + _schema.description_markdown = cls._args_codeless_ui_connector_config_properties_create.description_markdown + _schema.graph_queries = cls._args_codeless_ui_connector_config_properties_create.graph_queries + _schema.graph_queries_table_name = 
cls._args_codeless_ui_connector_config_properties_create.graph_queries_table_name + _schema.instruction_steps = cls._args_codeless_ui_connector_config_properties_create.instruction_steps + _schema.permissions = cls._args_codeless_ui_connector_config_properties_create.permissions + _schema.publisher = cls._args_codeless_ui_connector_config_properties_create.publisher + _schema.sample_queries = cls._args_codeless_ui_connector_config_properties_create.sample_queries + _schema.title = cls._args_codeless_ui_connector_config_properties_create.title + return + + cls._args_codeless_ui_connector_config_properties_create = AAZObjectArg() + + codeless_ui_connector_config_properties_create = cls._args_codeless_ui_connector_config_properties_create + codeless_ui_connector_config_properties_create.availability = AAZObjectArg( + options=["availability"], + help="Connector Availability Status", + required=True, + ) + codeless_ui_connector_config_properties_create.connectivity_criteria = AAZListArg( + options=["connectivity-criteria"], + help="Define the way the connector check connectivity", + required=True, + ) + codeless_ui_connector_config_properties_create.custom_image = AAZStrArg( + options=["custom-image"], + help="An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery", + ) + codeless_ui_connector_config_properties_create.data_types = AAZListArg( + options=["data-types"], + help="Data types to check for last data received", + required=True, + ) + codeless_ui_connector_config_properties_create.description_markdown = AAZStrArg( + options=["description-markdown"], + help="Connector description", + required=True, + ) + codeless_ui_connector_config_properties_create.graph_queries = AAZListArg( + options=["graph-queries"], + help="The graph query to show the current data status", + required=True, + ) + codeless_ui_connector_config_properties_create.graph_queries_table_name = AAZStrArg( + options=["graph-queries-table-name"], 
+ help="Name of the table the connector will insert the data to", + required=True, + ) + codeless_ui_connector_config_properties_create.instruction_steps = AAZListArg( + options=["instruction-steps"], + help="Instruction steps to enable the connector", + required=True, + ) + codeless_ui_connector_config_properties_create.permissions = AAZObjectArg( + options=["permissions"], + help="Permissions required for the connector", + required=True, + ) + codeless_ui_connector_config_properties_create.publisher = AAZStrArg( + options=["publisher"], + help="Connector publisher name", + required=True, + ) + codeless_ui_connector_config_properties_create.sample_queries = AAZListArg( + options=["sample-queries"], + help="The sample queries for the connector", + required=True, + ) + codeless_ui_connector_config_properties_create.title = AAZStrArg( + options=["title"], + help="Connector blade title", + required=True, + ) + + availability = cls._args_codeless_ui_connector_config_properties_create.availability + availability.is_preview = AAZBoolArg( + options=["is-preview"], + help="Set connector as preview", + ) + availability.status = AAZIntArg( + options=["status"], + help="The connector Availability Status", + enum={"1": 1}, + ) + + connectivity_criteria = cls._args_codeless_ui_connector_config_properties_create.connectivity_criteria + connectivity_criteria.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.connectivity_criteria.Element + _element.type = AAZStrArg( + options=["type"], + help="type of connectivity", + enum={"IsConnectedQuery": "IsConnectedQuery"}, + ) + _element.value = AAZListArg( + options=["value"], + help="Queries for checking connectivity", + ) + + value = cls._args_codeless_ui_connector_config_properties_create.connectivity_criteria.Element.value + value.Element = AAZStrArg() + + data_types = cls._args_codeless_ui_connector_config_properties_create.data_types + data_types.Element = AAZObjectArg() + + _element = 
cls._args_codeless_ui_connector_config_properties_create.data_types.Element + _element.last_data_received_query = AAZStrArg( + options=["last-data-received-query"], + help="Query for indicate last data received", + ) + _element.name = AAZStrArg( + options=["name"], + help="Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder", + ) + + graph_queries = cls._args_codeless_ui_connector_config_properties_create.graph_queries + graph_queries.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.graph_queries.Element + _element.base_query = AAZStrArg( + options=["base-query"], + help="The base query for the graph", + ) + _element.legend = AAZStrArg( + options=["legend"], + help="The legend for the graph", + ) + _element.metric_name = AAZStrArg( + options=["metric-name"], + help="the metric that the query is checking", + ) + + instruction_steps = cls._args_codeless_ui_connector_config_properties_create.instruction_steps + instruction_steps.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.instruction_steps.Element + _element.description = AAZStrArg( + options=["description"], + help="Instruction step description", + ) + _element.instructions = AAZListArg( + options=["instructions"], + help="Instruction step details", + ) + _element.title = AAZStrArg( + options=["title"], + help="Instruction step title", + ) + + instructions = cls._args_codeless_ui_connector_config_properties_create.instruction_steps.Element.instructions + instructions.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.instruction_steps.Element.instructions.Element + _element.type = AAZStrArg( + options=["type"], + help="The kind of the setting", + required=True, + enum={"CopyableLabel": "CopyableLabel", "InfoMessage": "InfoMessage", "InstructionStepsGroup": "InstructionStepsGroup"}, + ) + + permissions = 
cls._args_codeless_ui_connector_config_properties_create.permissions + permissions.customs = AAZListArg( + options=["customs"], + help="Customs permissions required for the connector", + ) + permissions.resource_provider = AAZListArg( + options=["resource-provider"], + help="Resource provider permissions required for the connector", + ) + + customs = cls._args_codeless_ui_connector_config_properties_create.permissions.customs + customs.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.permissions.customs.Element + _element.description = AAZStrArg( + options=["description"], + help="Customs permissions description", + ) + _element.name = AAZStrArg( + options=["name"], + help="Customs permissions name", + ) + + resource_provider = cls._args_codeless_ui_connector_config_properties_create.permissions.resource_provider + resource_provider.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrArg( + options=["permissions-display-text"], + help="Permission description text", + ) + _element.provider = AAZStrArg( + options=["provider"], + help="Provider name", + enum={"Microsoft.Authorization/policyAssignments": "Microsoft.Authorization/policyAssignments", "Microsoft.OperationalInsights/solutions": "Microsoft.OperationalInsights/solutions", "Microsoft.OperationalInsights/workspaces": "Microsoft.OperationalInsights/workspaces", "Microsoft.OperationalInsights/workspaces/datasources": "Microsoft.OperationalInsights/workspaces/datasources", "Microsoft.OperationalInsights/workspaces/sharedKeys": "Microsoft.OperationalInsights/workspaces/sharedKeys", "microsoft.aadiam/diagnosticSettings": "microsoft.aadiam/diagnosticSettings"}, + ) + _element.provider_display_name = AAZStrArg( + options=["provider-display-name"], + help="Permission provider display name", + ) + _element.required_permissions = AAZObjectArg( + 
options=["required-permissions"], + help="Required permissions for the connector", + ) + _element.scope = AAZStrArg( + options=["scope"], + help="Permission provider scope", + enum={"ResourceGroup": "ResourceGroup", "Subscription": "Subscription", "Workspace": "Workspace"}, + ) + + required_permissions = cls._args_codeless_ui_connector_config_properties_create.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolArg( + options=["action"], + help="action permission", + ) + required_permissions.delete = AAZBoolArg( + options=["delete"], + help="delete permission", + ) + required_permissions.read = AAZBoolArg( + options=["read"], + help="read permission", + ) + required_permissions.write = AAZBoolArg( + options=["write"], + help="write permission", + ) + + sample_queries = cls._args_codeless_ui_connector_config_properties_create.sample_queries + sample_queries.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_create.sample_queries.Element + _element.description = AAZStrArg( + options=["description"], + help="The sample query description", + ) + _element.query = AAZStrArg( + options=["query"], + help="the sample query", + ) + + _schema.availability = cls._args_codeless_ui_connector_config_properties_create.availability + _schema.connectivity_criteria = cls._args_codeless_ui_connector_config_properties_create.connectivity_criteria + _schema.custom_image = cls._args_codeless_ui_connector_config_properties_create.custom_image + _schema.data_types = cls._args_codeless_ui_connector_config_properties_create.data_types + _schema.description_markdown = cls._args_codeless_ui_connector_config_properties_create.description_markdown + _schema.graph_queries = cls._args_codeless_ui_connector_config_properties_create.graph_queries + _schema.graph_queries_table_name = cls._args_codeless_ui_connector_config_properties_create.graph_queries_table_name + _schema.instruction_steps = 
cls._args_codeless_ui_connector_config_properties_create.instruction_steps + _schema.permissions = cls._args_codeless_ui_connector_config_properties_create.permissions + _schema.publisher = cls._args_codeless_ui_connector_config_properties_create.publisher + _schema.sample_queries = cls._args_codeless_ui_connector_config_properties_create.sample_queries + _schema.title = cls._args_codeless_ui_connector_config_properties_create.title + + _args_data_connector_data_type_common_create = None + + @classmethod + def _build_args_data_connector_data_type_common_create(cls, _schema): + if cls._args_data_connector_data_type_common_create is not None: + _schema.state = cls._args_data_connector_data_type_common_create.state + return + + cls._args_data_connector_data_type_common_create = AAZObjectArg() + + data_connector_data_type_common_create = cls._args_data_connector_data_type_common_create + data_connector_data_type_common_create.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + required=True, + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + _schema.state = cls._args_data_connector_data_type_common_create.state + + def _execute_operations(self): + self.DataConnectorsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class DataConnectorsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "APIPolling", AAZStrType, ".api_polling", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AmazonWebServicesCloudTrail", AAZStrType, ".aws_cloud_trail", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AmazonWebServicesS3", AAZStrType, ".aws_s3", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AzureActiveDirectory", AAZStrType, ".azure_active_directory", typ_kwargs={"flags": {"required": True}}) + 
_builder.set_const("kind", "AzureAdvancedThreatProtection", AAZStrType, ".azure_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AzureSecurityCenter", AAZStrType, ".azure_security_center", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Dynamics365", AAZStrType, ".dynamics365", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "GenericUI", AAZStrType, ".generic_ui", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "IOT", AAZStrType, ".iot", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftCloudAppSecurity", AAZStrType, ".cloud_app_security", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftDefenderAdvancedThreatProtection", AAZStrType, ".defender_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftThreatIntelligence", AAZStrType, ".microsoft_intelligence", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftThreatProtection", AAZStrType, ".microsoft_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Office365", AAZStrType, ".office365", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Office365Project", AAZStrType, ".office365_project", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficeATP", AAZStrType, ".office_atp", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficeIRM", AAZStrType, ".office_irm", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficePowerBI", AAZStrType, ".office_power_bi", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligence", AAZStrType, ".threat_intelligence", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligenceTaxii", AAZStrType, ".intelligence_taxii", typ_kwargs={"flags": {"required": True}}) + 
_builder.discriminate_by("kind", "APIPolling") + _builder.discriminate_by("kind", "AmazonWebServicesCloudTrail") + _builder.discriminate_by("kind", "AmazonWebServicesS3") + _builder.discriminate_by("kind", "AzureActiveDirectory") + _builder.discriminate_by("kind", "AzureAdvancedThreatProtection") + _builder.discriminate_by("kind", "AzureSecurityCenter") + _builder.discriminate_by("kind", "Dynamics365") + _builder.discriminate_by("kind", "GenericUI") + _builder.discriminate_by("kind", "IOT") + _builder.discriminate_by("kind", "MicrosoftCloudAppSecurity") + _builder.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection") + _builder.discriminate_by("kind", "MicrosoftThreatIntelligence") + _builder.discriminate_by("kind", "MicrosoftThreatProtection") + _builder.discriminate_by("kind", "Office365") + _builder.discriminate_by("kind", "Office365Project") + _builder.discriminate_by("kind", "OfficeATP") + _builder.discriminate_by("kind", "OfficeIRM") + _builder.discriminate_by("kind", "OfficePowerBI") + _builder.discriminate_by("kind", "ThreatIntelligence") + _builder.discriminate_by("kind", "ThreatIntelligenceTaxii") + + disc_api_polling = _builder.get("{kind:APIPolling}") + if disc_api_polling is not None: + disc_api_polling.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:APIPolling}.properties") + if properties is not None: + _build_schema_codeless_ui_connector_config_properties_create(properties.set_prop("connectorUiConfig", AAZObjectType, ".api_polling.connector_ui_config")) + properties.set_prop("pollingConfig", AAZObjectType, ".api_polling.polling_config") + + polling_config = _builder.get("{kind:APIPolling}.properties.pollingConfig") + if polling_config is not None: + polling_config.set_prop("auth", AAZObjectType, ".auth", typ_kwargs={"flags": {"required": True}}) + polling_config.set_prop("isActive", AAZBoolType, ".is_active") + polling_config.set_prop("paging", AAZObjectType, 
".paging") + polling_config.set_prop("request", AAZObjectType, ".request", typ_kwargs={"flags": {"required": True}}) + polling_config.set_prop("response", AAZObjectType, ".response") + + auth = _builder.get("{kind:APIPolling}.properties.pollingConfig.auth") + if auth is not None: + auth.set_prop("apiKeyIdentifier", AAZStrType, ".api_key_identifier") + auth.set_prop("apiKeyName", AAZStrType, ".api_key_name") + auth.set_prop("authType", AAZStrType, ".auth_type", typ_kwargs={"flags": {"required": True}}) + auth.set_prop("authorizationEndpoint", AAZStrType, ".authorization_endpoint") + auth.set_prop("flowName", AAZStrType, ".flow_name") + auth.set_prop("isApiKeyInPostPayload", AAZStrType, ".is_api_key_in_post_payload") + auth.set_prop("isClientSecretInHeader", AAZBoolType, ".is_client_secret_in_header") + auth.set_prop("redirectionEndpoint", AAZStrType, ".redirection_endpoint") + auth.set_prop("scope", AAZStrType, ".scope") + auth.set_prop("tokenEndpoint", AAZStrType, ".token_endpoint") + + paging = _builder.get("{kind:APIPolling}.properties.pollingConfig.paging") + if paging is not None: + paging.set_prop("nextPageParaName", AAZStrType, ".next_page_para_name") + paging.set_prop("nextPageTokenJsonPath", AAZStrType, ".next_page_token_json_path") + paging.set_prop("pageCountAttributePath", AAZStrType, ".page_count_attribute_path") + paging.set_prop("pageSize", AAZIntType, ".page_size") + paging.set_prop("pageSizeParaName", AAZStrType, ".page_size_para_name") + paging.set_prop("pageTimeStampAttributePath", AAZStrType, ".page_time_stamp_attribute_path") + paging.set_prop("pageTotalCountAttributePath", AAZStrType, ".page_total_count_attribute_path") + paging.set_prop("pagingType", AAZStrType, ".paging_type", typ_kwargs={"flags": {"required": True}}) + paging.set_prop("searchTheLatestTimeStampFromEventsList", AAZStrType, ".search_the_latest_time_stamp_from_events_list") + + request = _builder.get("{kind:APIPolling}.properties.pollingConfig.request") + if request is not None: 
+ request.set_prop("apiEndpoint", AAZStrType, ".api_endpoint", typ_kwargs={"flags": {"required": True}}) + request.set_prop("endTimeAttributeName", AAZStrType, ".end_time_attribute_name") + request.set_prop("httpMethod", AAZStrType, ".http_method", typ_kwargs={"flags": {"required": True}}) + request.set_prop("queryParametersTemplate", AAZStrType, ".query_parameters_template") + request.set_prop("queryTimeFormat", AAZStrType, ".query_time_format", typ_kwargs={"flags": {"required": True}}) + request.set_prop("queryWindowInMin", AAZIntType, ".query_window_in_min", typ_kwargs={"flags": {"required": True}}) + request.set_prop("rateLimitQps", AAZIntType, ".rate_limit_qps") + request.set_prop("retryCount", AAZIntType, ".retry_count") + request.set_prop("startTimeAttributeName", AAZStrType, ".start_time_attribute_name") + request.set_prop("timeoutInSeconds", AAZIntType, ".timeout_in_seconds") + + response = _builder.get("{kind:APIPolling}.properties.pollingConfig.response") + if response is not None: + response.set_prop("eventsJsonPaths", AAZListType, ".events_json_paths", typ_kwargs={"flags": {"required": True}}) + response.set_prop("isGzipCompressed", AAZBoolType, ".is_gzip_compressed") + response.set_prop("successStatusJsonPath", AAZStrType, ".success_status_json_path") + response.set_prop("successStatusValue", AAZStrType, ".success_status_value") + + events_json_paths = _builder.get("{kind:APIPolling}.properties.pollingConfig.response.eventsJsonPaths") + if events_json_paths is not None: + events_json_paths.set_elements(AAZStrType, ".") + + disc_amazon_web_services_cloud_trail = _builder.get("{kind:AmazonWebServicesCloudTrail}") + if disc_amazon_web_services_cloud_trail is not None: + disc_amazon_web_services_cloud_trail.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties") + if properties is not None: + properties.set_prop("awsRoleArn", AAZStrType, 
".aws_cloud_trail.aws_role_arn") + properties.set_prop("dataTypes", AAZObjectType, ".aws_cloud_trail.data_types", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_amazon_web_services_s3 = _builder.get("{kind:AmazonWebServicesS3}") + if disc_amazon_web_services_s3 is not None: + disc_amazon_web_services_s3.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AmazonWebServicesS3}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".aws_s3.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("destinationTable", AAZStrType, ".aws_s3.destination_table", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("roleArn", AAZStrType, ".aws_s3.role_arn", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("sqsUrls", AAZListType, ".aws_s3.sqs_urls", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:AmazonWebServicesS3}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:AmazonWebServicesS3}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + sqs_urls = _builder.get("{kind:AmazonWebServicesS3}.properties.sqsUrls") + if sqs_urls is not None: + sqs_urls.set_elements(AAZStrType, ".") + + disc_azure_active_directory = _builder.get("{kind:AzureActiveDirectory}") + if 
disc_azure_active_directory is not None: + disc_azure_active_directory.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureActiveDirectory}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".azure_active_directory.data_types")) + properties.set_prop("tenantId", AAZStrType, ".azure_active_directory.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_azure_advanced_threat_protection = _builder.get("{kind:AzureAdvancedThreatProtection}") + if disc_azure_advanced_threat_protection is not None: + disc_azure_advanced_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureAdvancedThreatProtection}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".azure_protection.data_types")) + properties.set_prop("tenantId", AAZStrType, ".azure_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_azure_security_center = _builder.get("{kind:AzureSecurityCenter}") + if disc_azure_security_center is not None: + disc_azure_security_center.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureSecurityCenter}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".azure_security_center.data_types")) + properties.set_prop("subscriptionId", AAZStrType, ".azure_security_center.subscription_id") + + disc_dynamics365 = _builder.get("{kind:Dynamics365}") + if disc_dynamics365 is not None: + disc_dynamics365.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = 
_builder.get("{kind:Dynamics365}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".dynamics365.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".dynamics365.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:Dynamics365}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("dynamics365CdsActivities", AAZObjectType, ".dynamics365_cds_activities", typ_kwargs={"flags": {"required": True}}) + + dynamics365_cds_activities = _builder.get("{kind:Dynamics365}.properties.dataTypes.dynamics365CdsActivities") + if dynamics365_cds_activities is not None: + dynamics365_cds_activities.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_generic_ui = _builder.get("{kind:GenericUI}") + if disc_generic_ui is not None: + disc_generic_ui.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:GenericUI}.properties") + if properties is not None: + _build_schema_codeless_ui_connector_config_properties_create(properties.set_prop("connectorUiConfig", AAZObjectType, ".generic_ui.connector_ui_config")) + + disc_iot = _builder.get("{kind:IOT}") + if disc_iot is not None: + disc_iot.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:IOT}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".iot.data_types")) + properties.set_prop("subscriptionId", AAZStrType, ".iot.subscription_id") + + disc_microsoft_cloud_app_security = _builder.get("{kind:MicrosoftCloudAppSecurity}") + if disc_microsoft_cloud_app_security is not None: + disc_microsoft_cloud_app_security.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = 
_builder.get("{kind:MicrosoftCloudAppSecurity}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".cloud_app_security.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".cloud_app_security.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:MicrosoftCloudAppSecurity}.properties.dataTypes") + if data_types is not None: + _build_schema_data_connector_data_type_common_create(data_types.set_prop("alerts", AAZObjectType, ".alerts", typ_kwargs={"flags": {"required": True}})) + _build_schema_data_connector_data_type_common_create(data_types.set_prop("discoveryLogs", AAZObjectType, ".discovery_logs")) + + disc_microsoft_defender_advanced_threat_protection = _builder.get("{kind:MicrosoftDefenderAdvancedThreatProtection}") + if disc_microsoft_defender_advanced_threat_protection is not None: + disc_microsoft_defender_advanced_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftDefenderAdvancedThreatProtection}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".defender_protection.data_types")) + properties.set_prop("tenantId", AAZStrType, ".defender_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_threat_intelligence = _builder.get("{kind:MicrosoftThreatIntelligence}") + if disc_microsoft_threat_intelligence is not None: + disc_microsoft_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".microsoft_intelligence.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", 
AAZStrType, ".microsoft_intelligence.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("bingSafetyPhishingURL", AAZObjectType, ".bing_safety_phishing_url", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("microsoftEmergingThreatFeed", AAZObjectType, ".microsoft_emerging_threat_feed", typ_kwargs={"flags": {"required": True}}) + + bing_safety_phishing_url = _builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes.bingSafetyPhishingURL") + if bing_safety_phishing_url is not None: + bing_safety_phishing_url.set_prop("lookbackPeriod", AAZStrType, ".lookback_period", typ_kwargs={"flags": {"required": True}}) + bing_safety_phishing_url.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + microsoft_emerging_threat_feed = _builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes.microsoftEmergingThreatFeed") + if microsoft_emerging_threat_feed is not None: + microsoft_emerging_threat_feed.set_prop("lookbackPeriod", AAZStrType, ".lookback_period", typ_kwargs={"flags": {"required": True}}) + microsoft_emerging_threat_feed.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_threat_protection = _builder.get("{kind:MicrosoftThreatProtection}") + if disc_microsoft_threat_protection is not None: + disc_microsoft_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftThreatProtection}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".microsoft_protection.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".microsoft_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = 
_builder.get("{kind:MicrosoftThreatProtection}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("incidents", AAZObjectType, ".incidents", typ_kwargs={"flags": {"required": True}}) + + incidents = _builder.get("{kind:MicrosoftThreatProtection}.properties.dataTypes.incidents") + if incidents is not None: + incidents.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office365 = _builder.get("{kind:Office365}") + if disc_office365 is not None: + disc_office365.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Office365}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office365.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office365.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:Office365}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("exchange", AAZObjectType, ".exchange", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("sharePoint", AAZObjectType, ".share_point", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("teams", AAZObjectType, ".teams", typ_kwargs={"flags": {"required": True}}) + + exchange = _builder.get("{kind:Office365}.properties.dataTypes.exchange") + if exchange is not None: + exchange.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + share_point = _builder.get("{kind:Office365}.properties.dataTypes.sharePoint") + if share_point is not None: + share_point.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + teams = _builder.get("{kind:Office365}.properties.dataTypes.teams") + if teams is not None: + teams.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office365_project = 
_builder.get("{kind:Office365Project}") + if disc_office365_project is not None: + disc_office365_project.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Office365Project}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office365_project.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office365_project.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:Office365Project}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:Office365Project}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office_atp = _builder.get("{kind:OfficeATP}") + if disc_office_atp is not None: + disc_office_atp.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficeATP}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".office_atp.data_types")) + properties.set_prop("tenantId", AAZStrType, ".office_atp.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_office_irm = _builder.get("{kind:OfficeIRM}") + if disc_office_irm is not None: + disc_office_irm.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficeIRM}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_create(properties.set_prop("dataTypes", AAZObjectType, ".office_irm.data_types")) + properties.set_prop("tenantId", AAZStrType, ".office_irm.tenant_id", typ_kwargs={"flags": {"required": True}}) + + 
disc_office_power_bi = _builder.get("{kind:OfficePowerBI}") + if disc_office_power_bi is not None: + disc_office_power_bi.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficePowerBI}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office_power_bi.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office_power_bi.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:OfficePowerBI}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:OfficePowerBI}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_threat_intelligence = _builder.get("{kind:ThreatIntelligence}") + if disc_threat_intelligence is not None: + disc_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".threat_intelligence.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".threat_intelligence.tenant_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tipLookbackPeriod", AAZStrType, ".threat_intelligence.tip_lookback_period", typ_kwargs={"nullable": True}) + + data_types = _builder.get("{kind:ThreatIntelligence}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("indicators", AAZObjectType, ".indicators", typ_kwargs={"flags": {"required": True}}) + + indicators = _builder.get("{kind:ThreatIntelligence}.properties.dataTypes.indicators") + if indicators is not None: + 
indicators.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_threat_intelligence_taxii = _builder.get("{kind:ThreatIntelligenceTaxii}") + if disc_threat_intelligence_taxii is not None: + disc_threat_intelligence_taxii.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligenceTaxii}.properties") + if properties is not None: + properties.set_prop("collectionId", AAZStrType, ".intelligence_taxii.collection_id") + properties.set_prop("dataTypes", AAZObjectType, ".intelligence_taxii.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("friendlyName", AAZStrType, ".intelligence_taxii.friendly_name") + properties.set_prop("password", AAZStrType, ".intelligence_taxii.password") + properties.set_prop("pollingFrequency", AAZStrType, ".intelligence_taxii.polling_frequency", typ_kwargs={"flags": {"required": True}, "nullable": True}) + properties.set_prop("taxiiLookbackPeriod", AAZStrType, ".intelligence_taxii.taxii_lookback_period", typ_kwargs={"nullable": True}) + properties.set_prop("taxiiServer", AAZStrType, ".intelligence_taxii.taxii_server") + properties.set_prop("tenantId", AAZStrType, ".intelligence_taxii.tenant_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("userName", AAZStrType, ".intelligence_taxii.user_name") + properties.set_prop("workspaceId", AAZStrType, ".intelligence_taxii.workspace_id") + + data_types = _builder.get("{kind:ThreatIntelligenceTaxii}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("taxiiClient", AAZObjectType, ".taxii_client", typ_kwargs={"flags": {"required": True}}) + + taxii_client = _builder.get("{kind:ThreatIntelligenceTaxii}.properties.dataTypes.taxiiClient") + if taxii_client is not None: + taxii_client.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def 
on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_api_polling = cls._schema_on_200_201.discriminate_by("kind", "APIPolling") + disc_api_polling.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + 
_build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + properties.polling_config = AAZObjectType( + serialized_name="pollingConfig", + ) + + polling_config = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config + polling_config.auth = AAZObjectType( + flags={"required": True}, + ) + polling_config.is_active = AAZBoolType( + serialized_name="isActive", + ) + polling_config.paging = AAZObjectType() + polling_config.request = AAZObjectType( + flags={"required": True}, + ) + polling_config.response = AAZObjectType() + + auth = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config.auth + auth.api_key_identifier = AAZStrType( + serialized_name="apiKeyIdentifier", + ) + auth.api_key_name = AAZStrType( + serialized_name="apiKeyName", + ) + auth.auth_type = AAZStrType( + serialized_name="authType", + flags={"required": True}, + ) + auth.authorization_endpoint = AAZStrType( + serialized_name="authorizationEndpoint", + ) + auth.flow_name = AAZStrType( + serialized_name="flowName", + ) + auth.is_api_key_in_post_payload = AAZStrType( + serialized_name="isApiKeyInPostPayload", + ) + auth.is_client_secret_in_header = AAZBoolType( + serialized_name="isClientSecretInHeader", + ) + auth.redirection_endpoint = AAZStrType( + serialized_name="redirectionEndpoint", + ) + auth.scope = AAZStrType() + auth.token_endpoint = AAZStrType( + serialized_name="tokenEndpoint", + ) + + paging = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config.paging + paging.next_page_para_name = AAZStrType( + serialized_name="nextPageParaName", + ) + paging.next_page_token_json_path = AAZStrType( + serialized_name="nextPageTokenJsonPath", + ) + paging.page_count_attribute_path = AAZStrType( + serialized_name="pageCountAttributePath", + ) + paging.page_size = AAZIntType( + serialized_name="pageSize", + ) + paging.page_size_para_name = AAZStrType( + 
serialized_name="pageSizeParaName", + ) + paging.page_time_stamp_attribute_path = AAZStrType( + serialized_name="pageTimeStampAttributePath", + ) + paging.page_total_count_attribute_path = AAZStrType( + serialized_name="pageTotalCountAttributePath", + ) + paging.paging_type = AAZStrType( + serialized_name="pagingType", + flags={"required": True}, + ) + paging.search_the_latest_time_stamp_from_events_list = AAZStrType( + serialized_name="searchTheLatestTimeStampFromEventsList", + ) + + request = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config.request + request.api_endpoint = AAZStrType( + serialized_name="apiEndpoint", + flags={"required": True}, + ) + request.end_time_attribute_name = AAZStrType( + serialized_name="endTimeAttributeName", + ) + request.http_method = AAZStrType( + serialized_name="httpMethod", + flags={"required": True}, + ) + request.query_parameters_template = AAZStrType( + serialized_name="queryParametersTemplate", + ) + request.query_time_format = AAZStrType( + serialized_name="queryTimeFormat", + flags={"required": True}, + ) + request.query_window_in_min = AAZIntType( + serialized_name="queryWindowInMin", + flags={"required": True}, + ) + request.rate_limit_qps = AAZIntType( + serialized_name="rateLimitQps", + ) + request.retry_count = AAZIntType( + serialized_name="retryCount", + ) + request.start_time_attribute_name = AAZStrType( + serialized_name="startTimeAttributeName", + ) + request.timeout_in_seconds = AAZIntType( + serialized_name="timeoutInSeconds", + ) + + response = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config.response + response.events_json_paths = AAZListType( + serialized_name="eventsJsonPaths", + flags={"required": True}, + ) + response.is_gzip_compressed = AAZBoolType( + serialized_name="isGzipCompressed", + ) + response.success_status_json_path = AAZStrType( + serialized_name="successStatusJsonPath", + ) + response.success_status_value = 
AAZStrType( + serialized_name="successStatusValue", + ) + + events_json_paths = cls._schema_on_200_201.discriminate_by("kind", "APIPolling").properties.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrType() + + disc_amazon_web_services_cloud_trail = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesCloudTrail") + disc_amazon_web_services_cloud_trail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties + properties.aws_role_arn = AAZStrType( + serialized_name="awsRoleArn", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_amazon_web_services_s3 = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesS3") + disc_amazon_web_services_s3.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesS3").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.destination_table = AAZStrType( + serialized_name="destinationTable", + flags={"required": True}, + ) + properties.role_arn = AAZStrType( + serialized_name="roleArn", + flags={"required": True}, + ) + properties.sqs_urls = AAZListType( + serialized_name="sqsUrls", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + 
logs = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + sqs_urls = cls._schema_on_200_201.discriminate_by("kind", "AmazonWebServicesS3").properties.sqs_urls + sqs_urls.Element = AAZStrType() + + disc_azure_active_directory = cls._schema_on_200_201.discriminate_by("kind", "AzureActiveDirectory") + disc_azure_active_directory.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "AzureActiveDirectory").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_advanced_threat_protection = cls._schema_on_200_201.discriminate_by("kind", "AzureAdvancedThreatProtection") + disc_azure_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "AzureAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_security_center = cls._schema_on_200_201.discriminate_by("kind", "AzureSecurityCenter") + disc_azure_security_center.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "AzureSecurityCenter").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + 
disc_dynamics365 = cls._schema_on_200_201.discriminate_by("kind", "Dynamics365") + disc_dynamics365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Dynamics365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "Dynamics365").properties.data_types + data_types.dynamics365_cds_activities = AAZObjectType( + serialized_name="dynamics365CdsActivities", + flags={"required": True}, + ) + + dynamics365_cds_activities = cls._schema_on_200_201.discriminate_by("kind", "Dynamics365").properties.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrType( + flags={"required": True}, + ) + + disc_generic_ui = cls._schema_on_200_201.discriminate_by("kind", "GenericUI") + disc_generic_ui.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "GenericUI").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + + disc_iot = cls._schema_on_200_201.discriminate_by("kind", "IOT") + disc_iot.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "IOT").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_microsoft_cloud_app_security = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftCloudAppSecurity") + disc_microsoft_cloud_app_security.properties = 
AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties.data_types + data_types.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(data_types.alerts) + data_types.discovery_logs = AAZObjectType( + serialized_name="discoveryLogs", + ) + _build_schema_data_connector_data_type_common_read(data_types.discovery_logs) + + disc_microsoft_defender_advanced_threat_protection = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection") + disc_microsoft_defender_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_microsoft_threat_intelligence = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatIntelligence") + disc_microsoft_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = 
cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types + data_types.bing_safety_phishing_url = AAZObjectType( + serialized_name="bingSafetyPhishingURL", + flags={"required": True}, + ) + data_types.microsoft_emerging_threat_feed = AAZObjectType( + serialized_name="microsoftEmergingThreatFeed", + flags={"required": True}, + ) + + bing_safety_phishing_url = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + bing_safety_phishing_url.state = AAZStrType( + flags={"required": True}, + ) + + microsoft_emerging_threat_feed = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + microsoft_emerging_threat_feed.state = AAZStrType( + flags={"required": True}, + ) + + disc_microsoft_threat_protection = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatProtection") + disc_microsoft_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types + data_types.incidents = AAZObjectType( + flags={"required": True}, + ) + + incidents = cls._schema_on_200_201.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types.incidents + incidents.state = AAZStrType( + 
flags={"required": True}, + ) + + disc_office365 = cls._schema_on_200_201.discriminate_by("kind", "Office365") + disc_office365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Office365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "Office365").properties.data_types + data_types.exchange = AAZObjectType( + flags={"required": True}, + ) + data_types.share_point = AAZObjectType( + serialized_name="sharePoint", + flags={"required": True}, + ) + data_types.teams = AAZObjectType( + flags={"required": True}, + ) + + exchange = cls._schema_on_200_201.discriminate_by("kind", "Office365").properties.data_types.exchange + exchange.state = AAZStrType( + flags={"required": True}, + ) + + share_point = cls._schema_on_200_201.discriminate_by("kind", "Office365").properties.data_types.share_point + share_point.state = AAZStrType( + flags={"required": True}, + ) + + teams = cls._schema_on_200_201.discriminate_by("kind", "Office365").properties.data_types.teams + teams.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365_project = cls._schema_on_200_201.discriminate_by("kind", "Office365Project") + disc_office365_project.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Office365Project").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "Office365Project").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + 
logs = cls._schema_on_200_201.discriminate_by("kind", "Office365Project").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_office_atp = cls._schema_on_200_201.discriminate_by("kind", "OfficeATP") + disc_office_atp.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "OfficeATP").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_irm = cls._schema_on_200_201.discriminate_by("kind", "OfficeIRM") + disc_office_irm.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "OfficeIRM").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_power_bi = cls._schema_on_200_201.discriminate_by("kind", "OfficePowerBI") + disc_office_power_bi.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "OfficePowerBI").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "OfficePowerBI").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200_201.discriminate_by("kind", "OfficePowerBI").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + 
disc_threat_intelligence = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.tip_lookback_period = AAZStrType( + serialized_name="tipLookbackPeriod", + nullable=True, + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties.data_types + data_types.indicators = AAZObjectType( + flags={"required": True}, + ) + + indicators = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligence").properties.data_types.indicators + indicators.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence_taxii = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligenceTaxii") + disc_threat_intelligence_taxii.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligenceTaxii").properties + properties.collection_id = AAZStrType( + serialized_name="collectionId", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + ) + properties.password = AAZStrType() + properties.polling_frequency = AAZStrType( + serialized_name="pollingFrequency", + flags={"required": True}, + nullable=True, + ) + properties.taxii_lookback_period = AAZStrType( + serialized_name="taxiiLookbackPeriod", + nullable=True, + ) + properties.taxii_server = AAZStrType( + serialized_name="taxiiServer", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + 
properties.user_name = AAZStrType( + serialized_name="userName", + ) + properties.workspace_id = AAZStrType( + serialized_name="workspaceId", + ) + + data_types = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types + data_types.taxii_client = AAZObjectType( + serialized_name="taxiiClient", + flags={"required": True}, + ) + + taxii_client = cls._schema_on_200_201.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types.taxii_client + taxii_client.state = AAZStrType( + flags={"required": True}, + ) + + return cls._schema_on_200_201 + + +def _build_schema_alerts_data_type_of_data_connector_create(_builder): + if _builder is None: + return + _build_schema_data_connector_data_type_common_create(_builder.set_prop("alerts", AAZObjectType, ".alerts", typ_kwargs={"flags": {"required": True}})) + + +def _build_schema_codeless_ui_connector_config_properties_create(_builder): + if _builder is None: + return + _builder.set_prop("availability", AAZObjectType, ".availability", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("connectivityCriteria", AAZListType, ".connectivity_criteria", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("customImage", AAZStrType, ".custom_image") + _builder.set_prop("dataTypes", AAZListType, ".data_types", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("descriptionMarkdown", AAZStrType, ".description_markdown", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("graphQueries", AAZListType, ".graph_queries", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("graphQueriesTableName", AAZStrType, ".graph_queries_table_name", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("instructionSteps", AAZListType, ".instruction_steps", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("permissions", AAZObjectType, ".permissions", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("publisher", AAZStrType, 
".publisher", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("sampleQueries", AAZListType, ".sample_queries", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("title", AAZStrType, ".title", typ_kwargs={"flags": {"required": True}}) + + availability = _builder.get(".availability") + if availability is not None: + availability.set_prop("isPreview", AAZBoolType, ".is_preview") + availability.set_prop("status", AAZIntType, ".status") + + connectivity_criteria = _builder.get(".connectivityCriteria") + if connectivity_criteria is not None: + connectivity_criteria.set_elements(AAZObjectType) + + _elements = _builder.get(".connectivityCriteria[]") + if _elements is not None: + _elements.set_prop("type", AAZStrType, "@CodelessUiConnectorConfigProperties_create.connectivity_criteria.[].type") + _elements.set_prop("value", AAZListType, "@CodelessUiConnectorConfigProperties_create.connectivity_criteria.[].value") + + value = _builder.get(".connectivityCriteria[].value") + if value is not None: + value.set_elements(AAZStrType, ".") + + data_types = _builder.get(".dataTypes") + if data_types is not None: + data_types.set_elements(AAZObjectType) + + _elements = _builder.get(".dataTypes[]") + if _elements is not None: + _elements.set_prop("lastDataReceivedQuery", AAZStrType, "@CodelessUiConnectorConfigProperties_create.data_types.[].last_data_received_query") + _elements.set_prop("name", AAZStrType, "@CodelessUiConnectorConfigProperties_create.data_types.[].name") + + graph_queries = _builder.get(".graphQueries") + if graph_queries is not None: + graph_queries.set_elements(AAZObjectType) + + _elements = _builder.get(".graphQueries[]") + if _elements is not None: + _elements.set_prop("baseQuery", AAZStrType, "@CodelessUiConnectorConfigProperties_create.graph_queries.[].base_query") + _elements.set_prop("legend", AAZStrType, "@CodelessUiConnectorConfigProperties_create.graph_queries.[].legend") + _elements.set_prop("metricName", AAZStrType, 
"@CodelessUiConnectorConfigProperties_create.graph_queries.[].metric_name") + + instruction_steps = _builder.get(".instructionSteps") + if instruction_steps is not None: + instruction_steps.set_elements(AAZObjectType) + + _elements = _builder.get(".instructionSteps[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_create.instruction_steps.[].description") + _elements.set_prop("instructions", AAZListType, "@CodelessUiConnectorConfigProperties_create.instruction_steps.[].instructions") + _elements.set_prop("title", AAZStrType, "@CodelessUiConnectorConfigProperties_create.instruction_steps.[].title") + + instructions = _builder.get(".instructionSteps[].instructions") + if instructions is not None: + instructions.set_elements(AAZObjectType) + + _elements = _builder.get(".instructionSteps[].instructions[]") + if _elements is not None: + _elements.set_prop("type", AAZStrType, "@CodelessUiConnectorConfigProperties_create.instruction_steps.[].instructions.[].type", typ_kwargs={"flags": {"required": True}}) + + permissions = _builder.get(".permissions") + if permissions is not None: + permissions.set_prop("customs", AAZListType, ".customs") + permissions.set_prop("resourceProvider", AAZListType, ".resource_provider") + + customs = _builder.get(".permissions.customs") + if customs is not None: + customs.set_elements(AAZObjectType) + + _elements = _builder.get(".permissions.customs[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.customs.[].description") + _elements.set_prop("name", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.customs.[].name") + + resource_provider = _builder.get(".permissions.resourceProvider") + if resource_provider is not None: + resource_provider.set_elements(AAZObjectType) + + _elements = _builder.get(".permissions.resourceProvider[]") + if _elements is not None: + 
_elements.set_prop("permissionsDisplayText", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.resource_provider.[].permissions_display_text") + _elements.set_prop("provider", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.resource_provider.[].provider") + _elements.set_prop("providerDisplayName", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.resource_provider.[].provider_display_name") + _elements.set_prop("requiredPermissions", AAZObjectType, "@CodelessUiConnectorConfigProperties_create.permissions.resource_provider.[].required_permissions") + _elements.set_prop("scope", AAZStrType, "@CodelessUiConnectorConfigProperties_create.permissions.resource_provider.[].scope") + + required_permissions = _builder.get(".permissions.resourceProvider[].requiredPermissions") + if required_permissions is not None: + required_permissions.set_prop("action", AAZBoolType, ".action") + required_permissions.set_prop("delete", AAZBoolType, ".delete") + required_permissions.set_prop("read", AAZBoolType, ".read") + required_permissions.set_prop("write", AAZBoolType, ".write") + + sample_queries = _builder.get(".sampleQueries") + if sample_queries is not None: + sample_queries.set_elements(AAZObjectType) + + _elements = _builder.get(".sampleQueries[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_create.sample_queries.[].description") + _elements.set_prop("query", AAZStrType, "@CodelessUiConnectorConfigProperties_create.sample_queries.[].query") + + +def _build_schema_data_connector_data_type_common_create(_builder): + if _builder is None: + return + _builder.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + +_schema_alerts_data_type_of_data_connector_read = None + + +def _build_schema_alerts_data_type_of_data_connector_read(_schema): + global _schema_alerts_data_type_of_data_connector_read + if 
_schema_alerts_data_type_of_data_connector_read is not None: + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + return + + _schema_alerts_data_type_of_data_connector_read = AAZObjectType() + + alerts_data_type_of_data_connector_read = _schema_alerts_data_type_of_data_connector_read + alerts_data_type_of_data_connector_read.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(alerts_data_type_of_data_connector_read.alerts) + + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + + +_schema_codeless_ui_connector_config_properties_read = None + + +def _build_schema_codeless_ui_connector_config_properties_read(_schema): + global _schema_codeless_ui_connector_config_properties_read + if _schema_codeless_ui_connector_config_properties_read is not None: + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title 
+ return + + _schema_codeless_ui_connector_config_properties_read = AAZObjectType() + + codeless_ui_connector_config_properties_read = _schema_codeless_ui_connector_config_properties_read + codeless_ui_connector_config_properties_read.availability = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.connectivity_criteria = AAZListType( + serialized_name="connectivityCriteria", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.custom_image = AAZStrType( + serialized_name="customImage", + ) + codeless_ui_connector_config_properties_read.data_types = AAZListType( + serialized_name="dataTypes", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.description_markdown = AAZStrType( + serialized_name="descriptionMarkdown", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries = AAZListType( + serialized_name="graphQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries_table_name = AAZStrType( + serialized_name="graphQueriesTableName", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.instruction_steps = AAZListType( + serialized_name="instructionSteps", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.permissions = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.publisher = AAZStrType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.sample_queries = AAZListType( + serialized_name="sampleQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.title = AAZStrType( + flags={"required": True}, + ) + + availability = _schema_codeless_ui_connector_config_properties_read.availability + availability.is_preview = AAZBoolType( + serialized_name="isPreview", + ) + availability.status = AAZIntType() + + connectivity_criteria = 
_schema_codeless_ui_connector_config_properties_read.connectivity_criteria + connectivity_criteria.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element + _element.type = AAZStrType() + _element.value = AAZListType() + + value = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element.value + value.Element = AAZStrType() + + data_types = _schema_codeless_ui_connector_config_properties_read.data_types + data_types.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.data_types.Element + _element.last_data_received_query = AAZStrType( + serialized_name="lastDataReceivedQuery", + ) + _element.name = AAZStrType() + + graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + graph_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.graph_queries.Element + _element.base_query = AAZStrType( + serialized_name="baseQuery", + ) + _element.legend = AAZStrType() + _element.metric_name = AAZStrType( + serialized_name="metricName", + ) + + instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + instruction_steps.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element + _element.description = AAZStrType() + _element.instructions = AAZListType() + _element.title = AAZStrType() + + instructions = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions + instructions.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions.Element + _element.type = AAZStrType( + flags={"required": True}, + ) + + permissions = _schema_codeless_ui_connector_config_properties_read.permissions + permissions.customs = AAZListType() + permissions.resource_provider = AAZListType( + 
serialized_name="resourceProvider", + ) + + customs = _schema_codeless_ui_connector_config_properties_read.permissions.customs + customs.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.customs.Element + _element.description = AAZStrType() + _element.name = AAZStrType() + + resource_provider = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider + resource_provider.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrType( + serialized_name="permissionsDisplayText", + ) + _element.provider = AAZStrType() + _element.provider_display_name = AAZStrType( + serialized_name="providerDisplayName", + ) + _element.required_permissions = AAZObjectType( + serialized_name="requiredPermissions", + ) + _element.scope = AAZStrType() + + required_permissions = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolType() + required_permissions.delete = AAZBoolType() + required_permissions.read = AAZBoolType() + required_permissions.write = AAZBoolType() + + sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + sample_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.sample_queries.Element + _element.description = AAZStrType() + _element.query = AAZStrType() + + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = 
_schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + + +_schema_data_connector_data_type_common_read = None + + +def _build_schema_data_connector_data_type_common_read(_schema): + global _schema_data_connector_data_type_common_read + if _schema_data_connector_data_type_common_read is not None: + _schema.state = _schema_data_connector_data_type_common_read.state + return + + _schema_data_connector_data_type_common_read = AAZObjectType() + + data_connector_data_type_common_read = _schema_data_connector_data_type_common_read + data_connector_data_type_common_read.state = AAZStrType( + flags={"required": True}, + ) + + _schema.state = _schema_data_connector_data_type_common_read.state + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_delete.py new file mode 100644 index 00000000000..6c93f462a45 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["-n", "--name", "--data-connector-id"], + help="Connector ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.DataConnectorsDelete(ctx=self.ctx)() + + class DataConnectorsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, 
*args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_disconnect.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_disconnect.py new file mode 100644 index 00000000000..53e1b7adc79 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_disconnect.py 
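Review bot: The `on_200` and `on_204` handlers of DataConnectorsDelete are bare `pass` with no explanation, so a reader cannot tell whether dropping the response is deliberate or an unfinished generator stub. A one-line comment on each, e.g. `# response of a successful DELETE is intentionally not deserialized; the command returns None`, would make the intent explicit and match the `return None` in `_handler`. The same applies to the empty `on_200` in the `_disconnect.py` hunk that follows.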
@@ -0,0 +1,126 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector disconnect", + is_experimental=True, +) +class Disconnect(AAZCommand): + """Disconnect a data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}/disconnect", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["--data-connector-id"], + help="Connector ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.DataConnectorsDisconnect(ctx=self.ctx)() + + class DataConnectorsDisconnect(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = 
self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/disconnect", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + +__all__ = ["Disconnect"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_list.py new file mode 100644 index 00000000000..a6a6604f8b3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_list.py 
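Review bot: The `data_connector_id` argument in Disconnect._build_arguments_schema is declared with only `options=["--data-connector-id"]` and no `id_part`, while the sibling `_delete.py` hunk registers the same resource argument as `options=["-n", "--name", "--data-connector-id"]` with `id_part="child_name_1"` and gives `workspace_name` `id_part="name"`. As written, `sentinel data-connector disconnect` cannot be driven by `--ids` and lacks the `-n` shorthand that `delete` offers for the same resource, which users will find inconsistent. If the generator configuration differs on purpose, a comment saying so would help; otherwise aligning the declarations with `options=["-n", "--name", "--data-connector-id"],` plus `id_part="child_name_1",` (and `id_part="name",` on `workspace_name`) would make the two commands agree.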
@@ -0,0 +1,1025 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector list", + is_experimental=True, +) +class List(AAZCommand): + """Get all data connectors. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.DataConnectorsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class DataConnectorsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = 
AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_api_polling = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling") + disc_api_polling.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + properties.polling_config = AAZObjectType( + serialized_name="pollingConfig", + ) + + polling_config = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config + polling_config.auth = AAZObjectType( + flags={"required": True}, + ) + polling_config.is_active = AAZBoolType( + serialized_name="isActive", + ) + 
polling_config.paging = AAZObjectType() + polling_config.request = AAZObjectType( + flags={"required": True}, + ) + polling_config.response = AAZObjectType() + + auth = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config.auth + auth.api_key_identifier = AAZStrType( + serialized_name="apiKeyIdentifier", + ) + auth.api_key_name = AAZStrType( + serialized_name="apiKeyName", + ) + auth.auth_type = AAZStrType( + serialized_name="authType", + flags={"required": True}, + ) + auth.authorization_endpoint = AAZStrType( + serialized_name="authorizationEndpoint", + ) + auth.flow_name = AAZStrType( + serialized_name="flowName", + ) + auth.is_api_key_in_post_payload = AAZStrType( + serialized_name="isApiKeyInPostPayload", + ) + auth.is_client_secret_in_header = AAZBoolType( + serialized_name="isClientSecretInHeader", + ) + auth.redirection_endpoint = AAZStrType( + serialized_name="redirectionEndpoint", + ) + auth.scope = AAZStrType() + auth.token_endpoint = AAZStrType( + serialized_name="tokenEndpoint", + ) + + paging = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config.paging + paging.next_page_para_name = AAZStrType( + serialized_name="nextPageParaName", + ) + paging.next_page_token_json_path = AAZStrType( + serialized_name="nextPageTokenJsonPath", + ) + paging.page_count_attribute_path = AAZStrType( + serialized_name="pageCountAttributePath", + ) + paging.page_size = AAZIntType( + serialized_name="pageSize", + ) + paging.page_size_para_name = AAZStrType( + serialized_name="pageSizeParaName", + ) + paging.page_time_stamp_attribute_path = AAZStrType( + serialized_name="pageTimeStampAttributePath", + ) + paging.page_total_count_attribute_path = AAZStrType( + serialized_name="pageTotalCountAttributePath", + ) + paging.paging_type = AAZStrType( + serialized_name="pagingType", + flags={"required": True}, + ) + paging.search_the_latest_time_stamp_from_events_list = AAZStrType( + 
serialized_name="searchTheLatestTimeStampFromEventsList", + ) + + request = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config.request + request.api_endpoint = AAZStrType( + serialized_name="apiEndpoint", + flags={"required": True}, + ) + request.end_time_attribute_name = AAZStrType( + serialized_name="endTimeAttributeName", + ) + request.http_method = AAZStrType( + serialized_name="httpMethod", + flags={"required": True}, + ) + request.query_parameters_template = AAZStrType( + serialized_name="queryParametersTemplate", + ) + request.query_time_format = AAZStrType( + serialized_name="queryTimeFormat", + flags={"required": True}, + ) + request.query_window_in_min = AAZIntType( + serialized_name="queryWindowInMin", + flags={"required": True}, + ) + request.rate_limit_qps = AAZIntType( + serialized_name="rateLimitQps", + ) + request.retry_count = AAZIntType( + serialized_name="retryCount", + ) + request.start_time_attribute_name = AAZStrType( + serialized_name="startTimeAttributeName", + ) + request.timeout_in_seconds = AAZIntType( + serialized_name="timeoutInSeconds", + ) + + response = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config.response + response.events_json_paths = AAZListType( + serialized_name="eventsJsonPaths", + flags={"required": True}, + ) + response.is_gzip_compressed = AAZBoolType( + serialized_name="isGzipCompressed", + ) + response.success_status_json_path = AAZStrType( + serialized_name="successStatusJsonPath", + ) + response.success_status_value = AAZStrType( + serialized_name="successStatusValue", + ) + + events_json_paths = cls._schema_on_200.value.Element.discriminate_by("kind", "APIPolling").properties.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrType() + + disc_amazon_web_services_cloud_trail = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesCloudTrail") + 
disc_amazon_web_services_cloud_trail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties + properties.aws_role_arn = AAZStrType( + serialized_name="awsRoleArn", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_amazon_web_services_s3 = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesS3") + disc_amazon_web_services_s3.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesS3").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.destination_table = AAZStrType( + serialized_name="destinationTable", + flags={"required": True}, + ) + properties.role_arn = AAZStrType( + serialized_name="roleArn", + flags={"required": True}, + ) + properties.sqs_urls = AAZListType( + serialized_name="sqsUrls", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + sqs_urls = cls._schema_on_200.value.Element.discriminate_by("kind", "AmazonWebServicesS3").properties.sqs_urls + 
sqs_urls.Element = AAZStrType() + + disc_azure_active_directory = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureActiveDirectory") + disc_azure_active_directory.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureActiveDirectory").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_advanced_threat_protection = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureAdvancedThreatProtection") + disc_azure_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_security_center = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureSecurityCenter") + disc_azure_security_center.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "AzureSecurityCenter").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_dynamics365 = cls._schema_on_200.value.Element.discriminate_by("kind", "Dynamics365") + disc_dynamics365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = 
cls._schema_on_200.value.Element.discriminate_by("kind", "Dynamics365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Dynamics365").properties.data_types + data_types.dynamics365_cds_activities = AAZObjectType( + serialized_name="dynamics365CdsActivities", + flags={"required": True}, + ) + + dynamics365_cds_activities = cls._schema_on_200.value.Element.discriminate_by("kind", "Dynamics365").properties.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrType( + flags={"required": True}, + ) + + disc_generic_ui = cls._schema_on_200.value.Element.discriminate_by("kind", "GenericUI") + disc_generic_ui.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "GenericUI").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + + disc_iot = cls._schema_on_200.value.Element.discriminate_by("kind", "IOT") + disc_iot.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "IOT").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_microsoft_cloud_app_security = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftCloudAppSecurity") + disc_microsoft_cloud_app_security.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = 
cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties.data_types + data_types.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(data_types.alerts) + data_types.discovery_logs = AAZObjectType( + serialized_name="discoveryLogs", + ) + _build_schema_data_connector_data_type_common_read(data_types.discovery_logs) + + disc_microsoft_defender_advanced_threat_protection = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection") + disc_microsoft_defender_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_microsoft_threat_intelligence = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatIntelligence") + disc_microsoft_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = 
cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types + data_types.bing_safety_phishing_url = AAZObjectType( + serialized_name="bingSafetyPhishingURL", + flags={"required": True}, + ) + data_types.microsoft_emerging_threat_feed = AAZObjectType( + serialized_name="microsoftEmergingThreatFeed", + flags={"required": True}, + ) + + bing_safety_phishing_url = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + bing_safety_phishing_url.state = AAZStrType( + flags={"required": True}, + ) + + microsoft_emerging_threat_feed = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + microsoft_emerging_threat_feed.state = AAZStrType( + flags={"required": True}, + ) + + disc_microsoft_threat_protection = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatProtection") + disc_microsoft_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types + data_types.incidents = AAZObjectType( + flags={"required": True}, + ) + + incidents = cls._schema_on_200.value.Element.discriminate_by("kind", 
"MicrosoftThreatProtection").properties.data_types.incidents + incidents.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365 = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365") + disc_office365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365").properties.data_types + data_types.exchange = AAZObjectType( + flags={"required": True}, + ) + data_types.share_point = AAZObjectType( + serialized_name="sharePoint", + flags={"required": True}, + ) + data_types.teams = AAZObjectType( + flags={"required": True}, + ) + + exchange = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365").properties.data_types.exchange + exchange.state = AAZStrType( + flags={"required": True}, + ) + + share_point = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365").properties.data_types.share_point + share_point.state = AAZStrType( + flags={"required": True}, + ) + + teams = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365").properties.data_types.teams + teams.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365_project = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365Project") + disc_office365_project.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365Project").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + 
data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365Project").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.value.Element.discriminate_by("kind", "Office365Project").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_office_atp = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficeATP") + disc_office_atp.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficeATP").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_irm = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficeIRM") + disc_office_irm.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficeIRM").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_power_bi = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficePowerBI") + disc_office_power_bi.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficePowerBI").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", 
"OfficePowerBI").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.value.Element.discriminate_by("kind", "OfficePowerBI").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.tip_lookback_period = AAZStrType( + serialized_name="tipLookbackPeriod", + nullable=True, + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.data_types + data_types.indicators = AAZObjectType( + flags={"required": True}, + ) + + indicators = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligence").properties.data_types.indicators + indicators.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence_taxii = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligenceTaxii") + disc_threat_intelligence_taxii.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligenceTaxii").properties + properties.collection_id = AAZStrType( + serialized_name="collectionId", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + ) + properties.password = AAZStrType() + properties.polling_frequency = AAZStrType( + serialized_name="pollingFrequency", + 
flags={"required": True}, + nullable=True, + ) + properties.taxii_lookback_period = AAZStrType( + serialized_name="taxiiLookbackPeriod", + nullable=True, + ) + properties.taxii_server = AAZStrType( + serialized_name="taxiiServer", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.user_name = AAZStrType( + serialized_name="userName", + ) + properties.workspace_id = AAZStrType( + serialized_name="workspaceId", + ) + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types + data_types.taxii_client = AAZObjectType( + serialized_name="taxiiClient", + flags={"required": True}, + ) + + taxii_client = cls._schema_on_200.value.Element.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types.taxii_client + taxii_client.state = AAZStrType( + flags={"required": True}, + ) + + return cls._schema_on_200 + + +_schema_alerts_data_type_of_data_connector_read = None + + +def _build_schema_alerts_data_type_of_data_connector_read(_schema): + global _schema_alerts_data_type_of_data_connector_read + if _schema_alerts_data_type_of_data_connector_read is not None: + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + return + + _schema_alerts_data_type_of_data_connector_read = AAZObjectType() + + alerts_data_type_of_data_connector_read = _schema_alerts_data_type_of_data_connector_read + alerts_data_type_of_data_connector_read.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(alerts_data_type_of_data_connector_read.alerts) + + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + + +_schema_codeless_ui_connector_config_properties_read = None + + +def _build_schema_codeless_ui_connector_config_properties_read(_schema): + global _schema_codeless_ui_connector_config_properties_read + if _schema_codeless_ui_connector_config_properties_read is not 
None: + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + return + + _schema_codeless_ui_connector_config_properties_read = AAZObjectType() + + codeless_ui_connector_config_properties_read = _schema_codeless_ui_connector_config_properties_read + codeless_ui_connector_config_properties_read.availability = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.connectivity_criteria = AAZListType( + serialized_name="connectivityCriteria", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.custom_image = AAZStrType( + serialized_name="customImage", + ) + codeless_ui_connector_config_properties_read.data_types = AAZListType( + serialized_name="dataTypes", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.description_markdown = AAZStrType( + serialized_name="descriptionMarkdown", + flags={"required": True}, 
+ ) + codeless_ui_connector_config_properties_read.graph_queries = AAZListType( + serialized_name="graphQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries_table_name = AAZStrType( + serialized_name="graphQueriesTableName", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.instruction_steps = AAZListType( + serialized_name="instructionSteps", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.permissions = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.publisher = AAZStrType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.sample_queries = AAZListType( + serialized_name="sampleQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.title = AAZStrType( + flags={"required": True}, + ) + + availability = _schema_codeless_ui_connector_config_properties_read.availability + availability.is_preview = AAZBoolType( + serialized_name="isPreview", + ) + availability.status = AAZIntType() + + connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + connectivity_criteria.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element + _element.type = AAZStrType() + _element.value = AAZListType() + + value = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element.value + value.Element = AAZStrType() + + data_types = _schema_codeless_ui_connector_config_properties_read.data_types + data_types.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.data_types.Element + _element.last_data_received_query = AAZStrType( + serialized_name="lastDataReceivedQuery", + ) + _element.name = AAZStrType() + + graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + 
graph_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.graph_queries.Element + _element.base_query = AAZStrType( + serialized_name="baseQuery", + ) + _element.legend = AAZStrType() + _element.metric_name = AAZStrType( + serialized_name="metricName", + ) + + instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + instruction_steps.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element + _element.description = AAZStrType() + _element.instructions = AAZListType() + _element.title = AAZStrType() + + instructions = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions + instructions.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions.Element + _element.type = AAZStrType( + flags={"required": True}, + ) + + permissions = _schema_codeless_ui_connector_config_properties_read.permissions + permissions.customs = AAZListType() + permissions.resource_provider = AAZListType( + serialized_name="resourceProvider", + ) + + customs = _schema_codeless_ui_connector_config_properties_read.permissions.customs + customs.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.customs.Element + _element.description = AAZStrType() + _element.name = AAZStrType() + + resource_provider = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider + resource_provider.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrType( + serialized_name="permissionsDisplayText", + ) + _element.provider = AAZStrType() + _element.provider_display_name = AAZStrType( + serialized_name="providerDisplayName", + ) + _element.required_permissions = 
AAZObjectType( + serialized_name="requiredPermissions", + ) + _element.scope = AAZStrType() + + required_permissions = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolType() + required_permissions.delete = AAZBoolType() + required_permissions.read = AAZBoolType() + required_permissions.write = AAZBoolType() + + sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + sample_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.sample_queries.Element + _element.description = AAZStrType() + _element.query = AAZStrType() + + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + + +_schema_data_connector_data_type_common_read = None + + +def _build_schema_data_connector_data_type_common_read(_schema): + global 
_schema_data_connector_data_type_common_read + if _schema_data_connector_data_type_common_read is not None: + _schema.state = _schema_data_connector_data_type_common_read.state + return + + _schema_data_connector_data_type_common_read = AAZObjectType() + + data_connector_data_type_common_read = _schema_data_connector_data_type_common_read + data_connector_data_type_common_read.state = AAZStrType( + flags={"required": True}, + ) + + _schema.state = _schema_data_connector_data_type_common_read.state + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_show.py new file mode 100644 index 00000000000..4fd4ad6ca70 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_show.py 
@@ -0,0 +1,1024 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["-n", "--name", "--data-connector-id"], + help="Connector ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.DataConnectorsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class 
DataConnectorsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = 
AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_api_polling = cls._schema_on_200.discriminate_by("kind", "APIPolling") + disc_api_polling.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + properties.polling_config = AAZObjectType( + serialized_name="pollingConfig", + ) + + polling_config = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties.polling_config + polling_config.auth = AAZObjectType( + flags={"required": True}, + ) + polling_config.is_active = AAZBoolType( + serialized_name="isActive", + ) + polling_config.paging = AAZObjectType() + polling_config.request = AAZObjectType( + flags={"required": True}, + 
) + polling_config.response = AAZObjectType() + + auth = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties.polling_config.auth + auth.api_key_identifier = AAZStrType( + serialized_name="apiKeyIdentifier", + ) + auth.api_key_name = AAZStrType( + serialized_name="apiKeyName", + ) + auth.auth_type = AAZStrType( + serialized_name="authType", + flags={"required": True}, + ) + auth.authorization_endpoint = AAZStrType( + serialized_name="authorizationEndpoint", + ) + auth.flow_name = AAZStrType( + serialized_name="flowName", + ) + auth.is_api_key_in_post_payload = AAZStrType( + serialized_name="isApiKeyInPostPayload", + ) + auth.is_client_secret_in_header = AAZBoolType( + serialized_name="isClientSecretInHeader", + ) + auth.redirection_endpoint = AAZStrType( + serialized_name="redirectionEndpoint", + ) + auth.scope = AAZStrType() + auth.token_endpoint = AAZStrType( + serialized_name="tokenEndpoint", + ) + + paging = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties.polling_config.paging + paging.next_page_para_name = AAZStrType( + serialized_name="nextPageParaName", + ) + paging.next_page_token_json_path = AAZStrType( + serialized_name="nextPageTokenJsonPath", + ) + paging.page_count_attribute_path = AAZStrType( + serialized_name="pageCountAttributePath", + ) + paging.page_size = AAZIntType( + serialized_name="pageSize", + ) + paging.page_size_para_name = AAZStrType( + serialized_name="pageSizeParaName", + ) + paging.page_time_stamp_attribute_path = AAZStrType( + serialized_name="pageTimeStampAttributePath", + ) + paging.page_total_count_attribute_path = AAZStrType( + serialized_name="pageTotalCountAttributePath", + ) + paging.paging_type = AAZStrType( + serialized_name="pagingType", + flags={"required": True}, + ) + paging.search_the_latest_time_stamp_from_events_list = AAZStrType( + serialized_name="searchTheLatestTimeStampFromEventsList", + ) + + request = cls._schema_on_200.discriminate_by("kind", 
"APIPolling").properties.polling_config.request + request.api_endpoint = AAZStrType( + serialized_name="apiEndpoint", + flags={"required": True}, + ) + request.end_time_attribute_name = AAZStrType( + serialized_name="endTimeAttributeName", + ) + request.http_method = AAZStrType( + serialized_name="httpMethod", + flags={"required": True}, + ) + request.query_parameters_template = AAZStrType( + serialized_name="queryParametersTemplate", + ) + request.query_time_format = AAZStrType( + serialized_name="queryTimeFormat", + flags={"required": True}, + ) + request.query_window_in_min = AAZIntType( + serialized_name="queryWindowInMin", + flags={"required": True}, + ) + request.rate_limit_qps = AAZIntType( + serialized_name="rateLimitQps", + ) + request.retry_count = AAZIntType( + serialized_name="retryCount", + ) + request.start_time_attribute_name = AAZStrType( + serialized_name="startTimeAttributeName", + ) + request.timeout_in_seconds = AAZIntType( + serialized_name="timeoutInSeconds", + ) + + response = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties.polling_config.response + response.events_json_paths = AAZListType( + serialized_name="eventsJsonPaths", + flags={"required": True}, + ) + response.is_gzip_compressed = AAZBoolType( + serialized_name="isGzipCompressed", + ) + response.success_status_json_path = AAZStrType( + serialized_name="successStatusJsonPath", + ) + response.success_status_value = AAZStrType( + serialized_name="successStatusValue", + ) + + events_json_paths = cls._schema_on_200.discriminate_by("kind", "APIPolling").properties.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrType() + + disc_amazon_web_services_cloud_trail = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesCloudTrail") + disc_amazon_web_services_cloud_trail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties + 
properties.aws_role_arn = AAZStrType( + serialized_name="awsRoleArn", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_amazon_web_services_s3 = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesS3") + disc_amazon_web_services_s3.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesS3").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.destination_table = AAZStrType( + serialized_name="destinationTable", + flags={"required": True}, + ) + properties.role_arn = AAZStrType( + serialized_name="roleArn", + flags={"required": True}, + ) + properties.sqs_urls = AAZListType( + serialized_name="sqsUrls", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + sqs_urls = cls._schema_on_200.discriminate_by("kind", "AmazonWebServicesS3").properties.sqs_urls + sqs_urls.Element = AAZStrType() + + disc_azure_active_directory = cls._schema_on_200.discriminate_by("kind", "AzureActiveDirectory") + disc_azure_active_directory.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "AzureActiveDirectory").properties + 
properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_advanced_threat_protection = cls._schema_on_200.discriminate_by("kind", "AzureAdvancedThreatProtection") + disc_azure_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "AzureAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_security_center = cls._schema_on_200.discriminate_by("kind", "AzureSecurityCenter") + disc_azure_security_center.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "AzureSecurityCenter").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_dynamics365 = cls._schema_on_200.discriminate_by("kind", "Dynamics365") + disc_dynamics365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Dynamics365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "Dynamics365").properties.data_types + data_types.dynamics365_cds_activities = AAZObjectType( + 
serialized_name="dynamics365CdsActivities", + flags={"required": True}, + ) + + dynamics365_cds_activities = cls._schema_on_200.discriminate_by("kind", "Dynamics365").properties.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrType( + flags={"required": True}, + ) + + disc_generic_ui = cls._schema_on_200.discriminate_by("kind", "GenericUI") + disc_generic_ui.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "GenericUI").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + + disc_iot = cls._schema_on_200.discriminate_by("kind", "IOT") + disc_iot.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "IOT").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_microsoft_cloud_app_security = cls._schema_on_200.discriminate_by("kind", "MicrosoftCloudAppSecurity") + disc_microsoft_cloud_app_security.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties.data_types + data_types.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(data_types.alerts) + data_types.discovery_logs = 
AAZObjectType( + serialized_name="discoveryLogs", + ) + _build_schema_data_connector_data_type_common_read(data_types.discovery_logs) + + disc_microsoft_defender_advanced_threat_protection = cls._schema_on_200.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection") + disc_microsoft_defender_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_microsoft_threat_intelligence = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatIntelligence") + disc_microsoft_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types + data_types.bing_safety_phishing_url = AAZObjectType( + serialized_name="bingSafetyPhishingURL", + flags={"required": True}, + ) + data_types.microsoft_emerging_threat_feed = AAZObjectType( + serialized_name="microsoftEmergingThreatFeed", + flags={"required": True}, + ) + + bing_safety_phishing_url = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + bing_safety_phishing_url.state = AAZStrType( 
+ flags={"required": True}, + ) + + microsoft_emerging_threat_feed = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + microsoft_emerging_threat_feed.state = AAZStrType( + flags={"required": True}, + ) + + disc_microsoft_threat_protection = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatProtection") + disc_microsoft_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types + data_types.incidents = AAZObjectType( + flags={"required": True}, + ) + + incidents = cls._schema_on_200.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types.incidents + incidents.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365 = cls._schema_on_200.discriminate_by("kind", "Office365") + disc_office365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Office365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "Office365").properties.data_types + data_types.exchange = AAZObjectType( + flags={"required": True}, + ) + data_types.share_point = AAZObjectType( + serialized_name="sharePoint", + 
flags={"required": True}, + ) + data_types.teams = AAZObjectType( + flags={"required": True}, + ) + + exchange = cls._schema_on_200.discriminate_by("kind", "Office365").properties.data_types.exchange + exchange.state = AAZStrType( + flags={"required": True}, + ) + + share_point = cls._schema_on_200.discriminate_by("kind", "Office365").properties.data_types.share_point + share_point.state = AAZStrType( + flags={"required": True}, + ) + + teams = cls._schema_on_200.discriminate_by("kind", "Office365").properties.data_types.teams + teams.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365_project = cls._schema_on_200.discriminate_by("kind", "Office365Project") + disc_office365_project.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Office365Project").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "Office365Project").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.discriminate_by("kind", "Office365Project").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_office_atp = cls._schema_on_200.discriminate_by("kind", "OfficeATP") + disc_office_atp.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "OfficeATP").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_irm = cls._schema_on_200.discriminate_by("kind", "OfficeIRM") + 
disc_office_irm.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "OfficeIRM").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_power_bi = cls._schema_on_200.discriminate_by("kind", "OfficePowerBI") + disc_office_power_bi.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "OfficePowerBI").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "OfficePowerBI").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = cls._schema_on_200.discriminate_by("kind", "OfficePowerBI").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.tip_lookback_period = AAZStrType( + serialized_name="tipLookbackPeriod", + nullable=True, + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.data_types + data_types.indicators = AAZObjectType( + flags={"required": True}, + ) + + indicators = 
cls._schema_on_200.discriminate_by("kind", "ThreatIntelligence").properties.data_types.indicators + indicators.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence_taxii = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligenceTaxii") + disc_threat_intelligence_taxii.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligenceTaxii").properties + properties.collection_id = AAZStrType( + serialized_name="collectionId", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + ) + properties.password = AAZStrType() + properties.polling_frequency = AAZStrType( + serialized_name="pollingFrequency", + flags={"required": True}, + nullable=True, + ) + properties.taxii_lookback_period = AAZStrType( + serialized_name="taxiiLookbackPeriod", + nullable=True, + ) + properties.taxii_server = AAZStrType( + serialized_name="taxiiServer", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.user_name = AAZStrType( + serialized_name="userName", + ) + properties.workspace_id = AAZStrType( + serialized_name="workspaceId", + ) + + data_types = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types + data_types.taxii_client = AAZObjectType( + serialized_name="taxiiClient", + flags={"required": True}, + ) + + taxii_client = cls._schema_on_200.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types.taxii_client + taxii_client.state = AAZStrType( + flags={"required": True}, + ) + + return cls._schema_on_200 + + +_schema_alerts_data_type_of_data_connector_read = None + + +def _build_schema_alerts_data_type_of_data_connector_read(_schema): + global _schema_alerts_data_type_of_data_connector_read + if 
_schema_alerts_data_type_of_data_connector_read is not None: + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + return + + _schema_alerts_data_type_of_data_connector_read = AAZObjectType() + + alerts_data_type_of_data_connector_read = _schema_alerts_data_type_of_data_connector_read + alerts_data_type_of_data_connector_read.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(alerts_data_type_of_data_connector_read.alerts) + + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + + +_schema_codeless_ui_connector_config_properties_read = None + + +def _build_schema_codeless_ui_connector_config_properties_read(_schema): + global _schema_codeless_ui_connector_config_properties_read + if _schema_codeless_ui_connector_config_properties_read is not None: + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title 
+ return + + _schema_codeless_ui_connector_config_properties_read = AAZObjectType() + + codeless_ui_connector_config_properties_read = _schema_codeless_ui_connector_config_properties_read + codeless_ui_connector_config_properties_read.availability = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.connectivity_criteria = AAZListType( + serialized_name="connectivityCriteria", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.custom_image = AAZStrType( + serialized_name="customImage", + ) + codeless_ui_connector_config_properties_read.data_types = AAZListType( + serialized_name="dataTypes", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.description_markdown = AAZStrType( + serialized_name="descriptionMarkdown", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries = AAZListType( + serialized_name="graphQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries_table_name = AAZStrType( + serialized_name="graphQueriesTableName", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.instruction_steps = AAZListType( + serialized_name="instructionSteps", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.permissions = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.publisher = AAZStrType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.sample_queries = AAZListType( + serialized_name="sampleQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.title = AAZStrType( + flags={"required": True}, + ) + + availability = _schema_codeless_ui_connector_config_properties_read.availability + availability.is_preview = AAZBoolType( + serialized_name="isPreview", + ) + availability.status = AAZIntType() + + connectivity_criteria = 
_schema_codeless_ui_connector_config_properties_read.connectivity_criteria + connectivity_criteria.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element + _element.type = AAZStrType() + _element.value = AAZListType() + + value = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element.value + value.Element = AAZStrType() + + data_types = _schema_codeless_ui_connector_config_properties_read.data_types + data_types.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.data_types.Element + _element.last_data_received_query = AAZStrType( + serialized_name="lastDataReceivedQuery", + ) + _element.name = AAZStrType() + + graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + graph_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.graph_queries.Element + _element.base_query = AAZStrType( + serialized_name="baseQuery", + ) + _element.legend = AAZStrType() + _element.metric_name = AAZStrType( + serialized_name="metricName", + ) + + instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + instruction_steps.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element + _element.description = AAZStrType() + _element.instructions = AAZListType() + _element.title = AAZStrType() + + instructions = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions + instructions.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions.Element + _element.type = AAZStrType( + flags={"required": True}, + ) + + permissions = _schema_codeless_ui_connector_config_properties_read.permissions + permissions.customs = AAZListType() + permissions.resource_provider = AAZListType( + 
serialized_name="resourceProvider", + ) + + customs = _schema_codeless_ui_connector_config_properties_read.permissions.customs + customs.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.customs.Element + _element.description = AAZStrType() + _element.name = AAZStrType() + + resource_provider = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider + resource_provider.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrType( + serialized_name="permissionsDisplayText", + ) + _element.provider = AAZStrType() + _element.provider_display_name = AAZStrType( + serialized_name="providerDisplayName", + ) + _element.required_permissions = AAZObjectType( + serialized_name="requiredPermissions", + ) + _element.scope = AAZStrType() + + required_permissions = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolType() + required_permissions.delete = AAZBoolType() + required_permissions.read = AAZBoolType() + required_permissions.write = AAZBoolType() + + sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + sample_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.sample_queries.Element + _element.description = AAZStrType() + _element.query = AAZStrType() + + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = 
_schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + + +_schema_data_connector_data_type_common_read = None + + +def _build_schema_data_connector_data_type_common_read(_schema): + global _schema_data_connector_data_type_common_read + if _schema_data_connector_data_type_common_read is not None: + _schema.state = _schema_data_connector_data_type_common_read.state + return + + _schema_data_connector_data_type_common_read = AAZObjectType() + + data_connector_data_type_common_read = _schema_data_connector_data_type_common_read + data_connector_data_type_common_read.state = AAZStrType( + flags={"required": True}, + ) + + _schema.state = _schema_data_connector_data_type_common_read.state + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_update.py new file mode 100644 index 00000000000..1510ee484bb --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/data_connector/_update.py 
@@ -0,0 +1,3085 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel data-connector update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the data connector. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/dataconnectors/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.data_connector_id = AAZStrArg( + options=["-n", "--name", "--data-connector-id"], + help="Connector ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "DataConnector" + + _args_schema = cls._args_schema + _args_schema.api_polling = AAZObjectArg( + options=["--api-polling"], + arg_group="DataConnector", + ) + _args_schema.aws_cloud_trail = AAZObjectArg( 
+ options=["--aws-cloud-trail"], + arg_group="DataConnector", + help="Amazon web services cloud trail.", + ) + _args_schema.aws_s3 = AAZObjectArg( + options=["--aws-s3"], + arg_group="DataConnector", + help="Amazon web services s3.", + ) + _args_schema.azure_active_directory = AAZObjectArg( + options=["--azure-active-directory"], + arg_group="DataConnector", + ) + _args_schema.azure_protection = AAZObjectArg( + options=["--azure-protection"], + arg_group="DataConnector", + help="Azure advanced threat protection.", + ) + _args_schema.azure_security_center = AAZObjectArg( + options=["--azure-security-center"], + arg_group="DataConnector", + ) + _args_schema.dynamics365 = AAZObjectArg( + options=["--dynamics365"], + arg_group="DataConnector", + ) + _args_schema.generic_ui = AAZObjectArg( + options=["--generic-ui"], + arg_group="DataConnector", + ) + _args_schema.iot = AAZObjectArg( + options=["--iot"], + arg_group="DataConnector", + ) + _args_schema.cloud_app_security = AAZObjectArg( + options=["--cloud-app-security"], + arg_group="DataConnector", + help="Microsoft cloud app security.", + ) + _args_schema.defender_protection = AAZObjectArg( + options=["--defender-protection"], + arg_group="DataConnector", + help="Microsoft defender advanced threat protection.", + ) + _args_schema.microsoft_intelligence = AAZObjectArg( + options=["--microsoft-intelligence"], + arg_group="DataConnector", + help="Microsoft threat intelligence.", + ) + _args_schema.microsoft_protection = AAZObjectArg( + options=["--microsoft-protection"], + arg_group="DataConnector", + help="Microsoft threat protection.", + ) + _args_schema.office365 = AAZObjectArg( + options=["--office365"], + arg_group="DataConnector", + ) + _args_schema.office365_project = AAZObjectArg( + options=["--office365-project"], + arg_group="DataConnector", + ) + _args_schema.office_atp = AAZObjectArg( + options=["--office-atp"], + arg_group="DataConnector", + ) + _args_schema.office_irm = AAZObjectArg( + 
options=["--office-irm"], + arg_group="DataConnector", + ) + _args_schema.office_power_bi = AAZObjectArg( + options=["--office-power-bi"], + arg_group="DataConnector", + ) + _args_schema.threat_intelligence = AAZObjectArg( + options=["--threat-intelligence"], + arg_group="DataConnector", + ) + _args_schema.intelligence_taxii = AAZObjectArg( + options=["--intelligence-taxii"], + arg_group="DataConnector", + help="Threat intelligence taxii.", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="DataConnector", + help="Etag of the azure resource", + nullable=True, + ) + + api_polling = cls._args_schema.api_polling + api_polling.connector_ui_config = AAZObjectArg( + options=["connector-ui-config"], + help="Config to describe the instructions blade", + nullable=True, + ) + cls._build_args_codeless_ui_connector_config_properties_update(api_polling.connector_ui_config) + api_polling.polling_config = AAZObjectArg( + options=["polling-config"], + help="Config to describe the polling instructions", + nullable=True, + ) + + polling_config = cls._args_schema.api_polling.polling_config + polling_config.auth = AAZObjectArg( + options=["auth"], + help="Describe the authentication type of the poller", + ) + polling_config.is_active = AAZBoolArg( + options=["is-active"], + help="The poller active status", + nullable=True, + ) + polling_config.paging = AAZObjectArg( + options=["paging"], + help="Describe the poll request paging config of the poller", + nullable=True, + ) + polling_config.request = AAZObjectArg( + options=["request"], + help="Describe the poll request config parameters of the poller", + ) + polling_config.response = AAZObjectArg( + options=["response"], + help="Describe the response config parameters of the poller", + nullable=True, + ) + + auth = cls._args_schema.api_polling.polling_config.auth + auth.api_key_identifier = AAZStrArg( + options=["api-key-identifier"], + help="A prefix send in the header before the actual token", + nullable=True, + ) 
+ auth.api_key_name = AAZStrArg( + options=["api-key-name"], + help="The header name which the token is sent with", + nullable=True, + ) + auth.auth_type = AAZStrArg( + options=["auth-type"], + help="The authentication type", + ) + auth.authorization_endpoint = AAZStrArg( + options=["authorization-endpoint"], + help="The endpoint used to authorize the user, used in Oauth 2.0 flow", + nullable=True, + ) + auth.flow_name = AAZStrArg( + options=["flow-name"], + help="Describes the flow name, for example 'AuthCode' for Oauth 2.0", + nullable=True, + ) + auth.is_api_key_in_post_payload = AAZStrArg( + options=["is-api-key-in-post-payload"], + help="Marks if the key should sent in header", + nullable=True, + ) + auth.is_client_secret_in_header = AAZBoolArg( + options=["is-client-secret-in-header"], + help="Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow", + nullable=True, + ) + auth.redirection_endpoint = AAZStrArg( + options=["redirection-endpoint"], + help="The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow", + nullable=True, + ) + auth.scope = AAZStrArg( + options=["scope"], + help="The OAuth token scope", + nullable=True, + ) + auth.token_endpoint = AAZStrArg( + options=["token-endpoint"], + help="The endpoint used to issue a token, used in Oauth 2.0 flow", + nullable=True, + ) + + paging = cls._args_schema.api_polling.polling_config.paging + paging.next_page_para_name = AAZStrArg( + options=["next-page-para-name"], + help="Defines the name of a next page attribute", + nullable=True, + ) + paging.next_page_token_json_path = AAZStrArg( + options=["next-page-token-json-path"], + help="Defines the path to a next page token JSON", + nullable=True, + ) + paging.page_count_attribute_path = AAZStrArg( + options=["page-count-attribute-path"], + help="Defines the path to a page count attribute", + nullable=True, + ) + paging.page_size = AAZIntArg( + options=["page-size"], + help="Defines the paging 
size", + nullable=True, + ) + paging.page_size_para_name = AAZStrArg( + options=["page-size-para-name"], + help="Defines the name of the page size parameter", + nullable=True, + ) + paging.page_time_stamp_attribute_path = AAZStrArg( + options=["page-time-stamp-attribute-path"], + help="Defines the path to a paging time stamp attribute", + nullable=True, + ) + paging.page_total_count_attribute_path = AAZStrArg( + options=["page-total-count-attribute-path"], + help="Defines the path to a page total count attribute", + nullable=True, + ) + paging.paging_type = AAZStrArg( + options=["paging-type"], + help="Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'", + ) + paging.search_the_latest_time_stamp_from_events_list = AAZStrArg( + options=["search-the-latest-time-stamp-from-events-list"], + help="Determines whether to search for the latest time stamp in the events list", + nullable=True, + ) + + request = cls._args_schema.api_polling.polling_config.request + request.api_endpoint = AAZStrArg( + options=["api-endpoint"], + help="Describe the endpoint we should pull the data from", + ) + request.end_time_attribute_name = AAZStrArg( + options=["end-time-attribute-name"], + help="This will be used the query events from the end of the time window", + nullable=True, + ) + request.http_method = AAZStrArg( + options=["http-method"], + help="The http method type we will use in the poll request, GET or POST", + ) + request.query_parameters_template = AAZStrArg( + options=["query-parameters-template"], + help="For advanced scenarios for example user name/password embedded in nested JSON payload", + nullable=True, + ) + request.query_time_format = AAZStrArg( + options=["query-time-format"], + help="The time format will be used the query events in a specific window", + ) + request.query_window_in_min = AAZIntArg( + options=["query-window-in-min"], + help="The window interval we will use the pull the data", + ) + request.rate_limit_qps = AAZIntArg( + 
options=["rate-limit-qps"], + help="Defines the rate limit QPS", + nullable=True, + ) + request.retry_count = AAZIntArg( + options=["retry-count"], + help="Describe the amount of time we should try and poll the data in case of failure", + nullable=True, + ) + request.start_time_attribute_name = AAZStrArg( + options=["start-time-attribute-name"], + help="This will be used the query events from a start of the time window", + nullable=True, + ) + request.timeout_in_seconds = AAZIntArg( + options=["timeout-in-seconds"], + help="The number of seconds we will consider as a request timeout", + nullable=True, + ) + + response = cls._args_schema.api_polling.polling_config.response + response.events_json_paths = AAZListArg( + options=["events-json-paths"], + help="Describes the path we should extract the data in the response", + ) + response.is_gzip_compressed = AAZBoolArg( + options=["is-gzip-compressed"], + help="Describes if the data in the response is Gzip", + nullable=True, + ) + response.success_status_json_path = AAZStrArg( + options=["success-status-json-path"], + help="Describes the path we should extract the status code in the response", + nullable=True, + ) + response.success_status_value = AAZStrArg( + options=["success-status-value"], + help="Describes the path we should extract the status value in the response", + nullable=True, + ) + + events_json_paths = cls._args_schema.api_polling.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrArg() + + aws_cloud_trail = cls._args_schema.aws_cloud_trail + aws_cloud_trail.aws_role_arn = AAZStrArg( + options=["aws-role-arn"], + help="The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + nullable=True, + ) + aws_cloud_trail.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + + data_types = cls._args_schema.aws_cloud_trail.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + 
help="Logs data type.", + ) + + logs = cls._args_schema.aws_cloud_trail.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + aws_s3 = cls._args_schema.aws_s3 + aws_s3.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + aws_s3.destination_table = AAZStrArg( + options=["destination-table"], + help="The logs destination table name in LogAnalytics.", + ) + aws_s3.role_arn = AAZStrArg( + options=["role-arn"], + help="The Aws Role Arn that is used to access the Aws account.", + ) + aws_s3.sqs_urls = AAZListArg( + options=["sqs-urls"], + help="The AWS sqs urls for the connector.", + ) + + data_types = cls._args_schema.aws_s3.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + ) + + logs = cls._args_schema.aws_s3.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + sqs_urls = cls._args_schema.aws_s3.sqs_urls + sqs_urls.Element = AAZStrArg() + + azure_active_directory = cls._args_schema.azure_active_directory + azure_active_directory.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(azure_active_directory.data_types) + azure_active_directory.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + azure_protection = cls._args_schema.azure_protection + azure_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(azure_protection.data_types) + 
azure_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + azure_security_center = cls._args_schema.azure_security_center + azure_security_center.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(azure_security_center.data_types) + azure_security_center.subscription_id = AAZStrArg( + options=["subscription-id"], + help="The subscription id to connect to, and get the data from.", + nullable=True, + ) + + dynamics365 = cls._args_schema.dynamics365 + dynamics365.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + dynamics365.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.dynamics365.data_types + data_types.dynamics365_cds_activities = AAZObjectArg( + options=["dynamics365-cds-activities"], + help="Common Data Service data type connection.", + ) + + dynamics365_cds_activities = cls._args_schema.dynamics365.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + generic_ui = cls._args_schema.generic_ui + generic_ui.connector_ui_config = AAZObjectArg( + options=["connector-ui-config"], + help="Config to describe the instructions blade", + nullable=True, + ) + cls._build_args_codeless_ui_connector_config_properties_update(generic_ui.connector_ui_config) + + iot = cls._args_schema.iot + iot.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(iot.data_types) + iot.subscription_id = 
AAZStrArg( + options=["subscription-id"], + help="The subscription id to connect to, and get the data from.", + nullable=True, + ) + + cloud_app_security = cls._args_schema.cloud_app_security + cloud_app_security.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + cloud_app_security.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.cloud_app_security.data_types + data_types.alerts = AAZObjectArg( + options=["alerts"], + help="Alerts data type connection.", + ) + cls._build_args_data_connector_data_type_common_update(data_types.alerts) + data_types.discovery_logs = AAZObjectArg( + options=["discovery-logs"], + help="Discovery log data type connection.", + ) + cls._build_args_data_connector_data_type_common_update(data_types.discovery_logs) + + defender_protection = cls._args_schema.defender_protection + defender_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(defender_protection.data_types) + defender_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + microsoft_intelligence = cls._args_schema.microsoft_intelligence + microsoft_intelligence.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + microsoft_intelligence.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.microsoft_intelligence.data_types + data_types.bing_safety_phishing_url = AAZObjectArg( + options=["bing-safety-phishing-url"], + help="Data type for Microsoft Threat Intelligence Platforms data connector.", + ) + data_types.microsoft_emerging_threat_feed = AAZObjectArg( 
+ options=["microsoft-emerging-threat-feed"], + help="Data type for Microsoft Threat Intelligence Platforms data connector.", + ) + + bing_safety_phishing_url = cls._args_schema.microsoft_intelligence.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrArg( + options=["lookback-period"], + help="lookback period", + ) + bing_safety_phishing_url.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + microsoft_emerging_threat_feed = cls._args_schema.microsoft_intelligence.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrArg( + options=["lookback-period"], + help="lookback period", + ) + microsoft_emerging_threat_feed.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + microsoft_protection = cls._args_schema.microsoft_protection + microsoft_protection.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + microsoft_protection.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.microsoft_protection.data_types + data_types.incidents = AAZObjectArg( + options=["incidents"], + help="Data type for Microsoft Threat Protection Platforms data connector.", + ) + + incidents = cls._args_schema.microsoft_protection.data_types.incidents + incidents.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office365 = cls._args_schema.office365 + office365.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office365.tenant_id = 
AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office365.data_types + data_types.exchange = AAZObjectArg( + options=["exchange"], + help="Exchange data type connection.", + ) + data_types.share_point = AAZObjectArg( + options=["share-point"], + help="SharePoint data type connection.", + ) + data_types.teams = AAZObjectArg( + options=["teams"], + help="Teams data type connection.", + ) + + exchange = cls._args_schema.office365.data_types.exchange + exchange.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + share_point = cls._args_schema.office365.data_types.share_point + share_point.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + teams = cls._args_schema.office365.data_types.teams + teams.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office365_project = cls._args_schema.office365_project + office365_project.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office365_project.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office365_project.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + ) + + logs = cls._args_schema.office365_project.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + office_atp = cls._args_schema.office_atp + office_atp.data_types = 
AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(office_atp.data_types) + office_atp.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + office_irm = cls._args_schema.office_irm + office_irm.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + nullable=True, + ) + cls._build_args_alerts_data_type_of_data_connector_update(office_irm.data_types) + office_irm.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + office_power_bi = cls._args_schema.office_power_bi + office_power_bi.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + office_power_bi.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + + data_types = cls._args_schema.office_power_bi.data_types + data_types.logs = AAZObjectArg( + options=["logs"], + help="Logs data type.", + ) + + logs = cls._args_schema.office_power_bi.data_types.logs + logs.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + threat_intelligence = cls._args_schema.threat_intelligence + threat_intelligence.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for the connector.", + ) + threat_intelligence.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + threat_intelligence.tip_lookback_period = AAZStrArg( + options=["tip-lookback-period"], + help="The lookback period for the feed to be imported.", + nullable=True, + ) + + data_types = cls._args_schema.threat_intelligence.data_types + 
data_types.indicators = AAZObjectArg( + options=["indicators"], + help="Data type for indicators connection.", + ) + + indicators = cls._args_schema.threat_intelligence.data_types.indicators + indicators.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + intelligence_taxii = cls._args_schema.intelligence_taxii + intelligence_taxii.collection_id = AAZStrArg( + options=["collection-id"], + help="The collection id of the TAXII server.", + nullable=True, + ) + intelligence_taxii.data_types = AAZObjectArg( + options=["data-types"], + help="The available data types for Threat Intelligence TAXII data connector.", + ) + intelligence_taxii.friendly_name = AAZStrArg( + options=["friendly-name"], + help="The friendly name for the TAXII server.", + nullable=True, + ) + intelligence_taxii.password = AAZStrArg( + options=["password"], + help="The password for the TAXII server.", + nullable=True, + ) + intelligence_taxii.polling_frequency = AAZStrArg( + options=["polling-frequency"], + help="The polling frequency for the TAXII server.", + nullable=True, + enum={"OnceADay": "OnceADay", "OnceAMinute": "OnceAMinute", "OnceAnHour": "OnceAnHour"}, + ) + intelligence_taxii.taxii_lookback_period = AAZStrArg( + options=["taxii-lookback-period"], + help="The lookback period for the TAXII server.", + nullable=True, + ) + intelligence_taxii.taxii_server = AAZStrArg( + options=["taxii-server"], + help="The API root for the TAXII server.", + nullable=True, + ) + intelligence_taxii.tenant_id = AAZStrArg( + options=["tenant-id"], + help="The tenant id to connect to, and get the data from.", + ) + intelligence_taxii.user_name = AAZStrArg( + options=["user-name"], + help="The userName for the TAXII server.", + nullable=True, + ) + intelligence_taxii.workspace_id = AAZStrArg( + options=["workspace-id"], + help="The workspace id.", + nullable=True, + ) + + data_types = 
cls._args_schema.intelligence_taxii.data_types + data_types.taxii_client = AAZObjectArg( + options=["taxii-client"], + help="Data type for TAXII connector.", + ) + + taxii_client = cls._args_schema.intelligence_taxii.data_types.taxii_client + taxii_client.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + return cls._args_schema + + _args_alerts_data_type_of_data_connector_update = None + + @classmethod + def _build_args_alerts_data_type_of_data_connector_update(cls, _schema): + if cls._args_alerts_data_type_of_data_connector_update is not None: + _schema.alerts = cls._args_alerts_data_type_of_data_connector_update.alerts + return + + cls._args_alerts_data_type_of_data_connector_update = AAZObjectArg( + nullable=True, + ) + + alerts_data_type_of_data_connector_update = cls._args_alerts_data_type_of_data_connector_update + alerts_data_type_of_data_connector_update.alerts = AAZObjectArg( + options=["alerts"], + help="Alerts data type connection.", + ) + cls._build_args_data_connector_data_type_common_update(alerts_data_type_of_data_connector_update.alerts) + + _schema.alerts = cls._args_alerts_data_type_of_data_connector_update.alerts + + _args_codeless_ui_connector_config_properties_update = None + + @classmethod + def _build_args_codeless_ui_connector_config_properties_update(cls, _schema): + if cls._args_codeless_ui_connector_config_properties_update is not None: + _schema.availability = cls._args_codeless_ui_connector_config_properties_update.availability + _schema.connectivity_criteria = cls._args_codeless_ui_connector_config_properties_update.connectivity_criteria + _schema.custom_image = cls._args_codeless_ui_connector_config_properties_update.custom_image + _schema.data_types = cls._args_codeless_ui_connector_config_properties_update.data_types + _schema.description_markdown = 
cls._args_codeless_ui_connector_config_properties_update.description_markdown + _schema.graph_queries = cls._args_codeless_ui_connector_config_properties_update.graph_queries + _schema.graph_queries_table_name = cls._args_codeless_ui_connector_config_properties_update.graph_queries_table_name + _schema.instruction_steps = cls._args_codeless_ui_connector_config_properties_update.instruction_steps + _schema.permissions = cls._args_codeless_ui_connector_config_properties_update.permissions + _schema.publisher = cls._args_codeless_ui_connector_config_properties_update.publisher + _schema.sample_queries = cls._args_codeless_ui_connector_config_properties_update.sample_queries + _schema.title = cls._args_codeless_ui_connector_config_properties_update.title + return + + cls._args_codeless_ui_connector_config_properties_update = AAZObjectArg( + nullable=True, + ) + + codeless_ui_connector_config_properties_update = cls._args_codeless_ui_connector_config_properties_update + codeless_ui_connector_config_properties_update.availability = AAZObjectArg( + options=["availability"], + help="Connector Availability Status", + ) + codeless_ui_connector_config_properties_update.connectivity_criteria = AAZListArg( + options=["connectivity-criteria"], + help="Define the way the connector check connectivity", + ) + codeless_ui_connector_config_properties_update.custom_image = AAZStrArg( + options=["custom-image"], + help="An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery", + nullable=True, + ) + codeless_ui_connector_config_properties_update.data_types = AAZListArg( + options=["data-types"], + help="Data types to check for last data received", + ) + codeless_ui_connector_config_properties_update.description_markdown = AAZStrArg( + options=["description-markdown"], + help="Connector description", + ) + codeless_ui_connector_config_properties_update.graph_queries = AAZListArg( + options=["graph-queries"], + help="The graph query 
to show the current data status", + ) + codeless_ui_connector_config_properties_update.graph_queries_table_name = AAZStrArg( + options=["graph-queries-table-name"], + help="Name of the table the connector will insert the data to", + ) + codeless_ui_connector_config_properties_update.instruction_steps = AAZListArg( + options=["instruction-steps"], + help="Instruction steps to enable the connector", + ) + codeless_ui_connector_config_properties_update.permissions = AAZObjectArg( + options=["permissions"], + help="Permissions required for the connector", + ) + codeless_ui_connector_config_properties_update.publisher = AAZStrArg( + options=["publisher"], + help="Connector publisher name", + ) + codeless_ui_connector_config_properties_update.sample_queries = AAZListArg( + options=["sample-queries"], + help="The sample queries for the connector", + ) + codeless_ui_connector_config_properties_update.title = AAZStrArg( + options=["title"], + help="Connector blade title", + ) + + availability = cls._args_codeless_ui_connector_config_properties_update.availability + availability.is_preview = AAZBoolArg( + options=["is-preview"], + help="Set connector as preview", + nullable=True, + ) + availability.status = AAZIntArg( + options=["status"], + help="The connector Availability Status", + nullable=True, + enum={"1": 1}, + ) + + connectivity_criteria = cls._args_codeless_ui_connector_config_properties_update.connectivity_criteria + connectivity_criteria.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.connectivity_criteria.Element + _element.type = AAZStrArg( + options=["type"], + help="type of connectivity", + nullable=True, + enum={"IsConnectedQuery": "IsConnectedQuery"}, + ) + _element.value = AAZListArg( + options=["value"], + help="Queries for checking connectivity", + nullable=True, + ) + + value = cls._args_codeless_ui_connector_config_properties_update.connectivity_criteria.Element.value + value.Element = AAZStrArg() + + 
data_types = cls._args_codeless_ui_connector_config_properties_update.data_types + data_types.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.data_types.Element + _element.last_data_received_query = AAZStrArg( + options=["last-data-received-query"], + help="Query for indicate last data received", + nullable=True, + ) + _element.name = AAZStrArg( + options=["name"], + help="Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder", + nullable=True, + ) + + graph_queries = cls._args_codeless_ui_connector_config_properties_update.graph_queries + graph_queries.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.graph_queries.Element + _element.base_query = AAZStrArg( + options=["base-query"], + help="The base query for the graph", + nullable=True, + ) + _element.legend = AAZStrArg( + options=["legend"], + help="The legend for the graph", + nullable=True, + ) + _element.metric_name = AAZStrArg( + options=["metric-name"], + help="the metric that the query is checking", + nullable=True, + ) + + instruction_steps = cls._args_codeless_ui_connector_config_properties_update.instruction_steps + instruction_steps.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.instruction_steps.Element + _element.description = AAZStrArg( + options=["description"], + help="Instruction step description", + nullable=True, + ) + _element.instructions = AAZListArg( + options=["instructions"], + help="Instruction step details", + nullable=True, + ) + _element.title = AAZStrArg( + options=["title"], + help="Instruction step title", + nullable=True, + ) + + instructions = cls._args_codeless_ui_connector_config_properties_update.instruction_steps.Element.instructions + instructions.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.instruction_steps.Element.instructions.Element 
+ _element.type = AAZStrArg( + options=["type"], + help="The kind of the setting", + enum={"CopyableLabel": "CopyableLabel", "InfoMessage": "InfoMessage", "InstructionStepsGroup": "InstructionStepsGroup"}, + ) + + permissions = cls._args_codeless_ui_connector_config_properties_update.permissions + permissions.customs = AAZListArg( + options=["customs"], + help="Customs permissions required for the connector", + nullable=True, + ) + permissions.resource_provider = AAZListArg( + options=["resource-provider"], + help="Resource provider permissions required for the connector", + nullable=True, + ) + + customs = cls._args_codeless_ui_connector_config_properties_update.permissions.customs + customs.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.permissions.customs.Element + _element.description = AAZStrArg( + options=["description"], + help="Customs permissions description", + nullable=True, + ) + _element.name = AAZStrArg( + options=["name"], + help="Customs permissions name", + nullable=True, + ) + + resource_provider = cls._args_codeless_ui_connector_config_properties_update.permissions.resource_provider + resource_provider.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrArg( + options=["permissions-display-text"], + help="Permission description text", + nullable=True, + ) + _element.provider = AAZStrArg( + options=["provider"], + help="Provider name", + nullable=True, + enum={"Microsoft.Authorization/policyAssignments": "Microsoft.Authorization/policyAssignments", "Microsoft.OperationalInsights/solutions": "Microsoft.OperationalInsights/solutions", "Microsoft.OperationalInsights/workspaces": "Microsoft.OperationalInsights/workspaces", "Microsoft.OperationalInsights/workspaces/datasources": "Microsoft.OperationalInsights/workspaces/datasources", 
"Microsoft.OperationalInsights/workspaces/sharedKeys": "Microsoft.OperationalInsights/workspaces/sharedKeys", "microsoft.aadiam/diagnosticSettings": "microsoft.aadiam/diagnosticSettings"}, + ) + _element.provider_display_name = AAZStrArg( + options=["provider-display-name"], + help="Permission provider display name", + nullable=True, + ) + _element.required_permissions = AAZObjectArg( + options=["required-permissions"], + help="Required permissions for the connector", + nullable=True, + ) + _element.scope = AAZStrArg( + options=["scope"], + help="Permission provider scope", + nullable=True, + enum={"ResourceGroup": "ResourceGroup", "Subscription": "Subscription", "Workspace": "Workspace"}, + ) + + required_permissions = cls._args_codeless_ui_connector_config_properties_update.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolArg( + options=["action"], + help="action permission", + nullable=True, + ) + required_permissions.delete = AAZBoolArg( + options=["delete"], + help="delete permission", + nullable=True, + ) + required_permissions.read = AAZBoolArg( + options=["read"], + help="read permission", + nullable=True, + ) + required_permissions.write = AAZBoolArg( + options=["write"], + help="write permission", + nullable=True, + ) + + sample_queries = cls._args_codeless_ui_connector_config_properties_update.sample_queries + sample_queries.Element = AAZObjectArg() + + _element = cls._args_codeless_ui_connector_config_properties_update.sample_queries.Element + _element.description = AAZStrArg( + options=["description"], + help="The sample query description", + nullable=True, + ) + _element.query = AAZStrArg( + options=["query"], + help="the sample query", + nullable=True, + ) + + _schema.availability = cls._args_codeless_ui_connector_config_properties_update.availability + _schema.connectivity_criteria = cls._args_codeless_ui_connector_config_properties_update.connectivity_criteria + _schema.custom_image = 
cls._args_codeless_ui_connector_config_properties_update.custom_image + _schema.data_types = cls._args_codeless_ui_connector_config_properties_update.data_types + _schema.description_markdown = cls._args_codeless_ui_connector_config_properties_update.description_markdown + _schema.graph_queries = cls._args_codeless_ui_connector_config_properties_update.graph_queries + _schema.graph_queries_table_name = cls._args_codeless_ui_connector_config_properties_update.graph_queries_table_name + _schema.instruction_steps = cls._args_codeless_ui_connector_config_properties_update.instruction_steps + _schema.permissions = cls._args_codeless_ui_connector_config_properties_update.permissions + _schema.publisher = cls._args_codeless_ui_connector_config_properties_update.publisher + _schema.sample_queries = cls._args_codeless_ui_connector_config_properties_update.sample_queries + _schema.title = cls._args_codeless_ui_connector_config_properties_update.title + + _args_data_connector_data_type_common_update = None + + @classmethod + def _build_args_data_connector_data_type_common_update(cls, _schema): + if cls._args_data_connector_data_type_common_update is not None: + _schema.state = cls._args_data_connector_data_type_common_update.state + return + + cls._args_data_connector_data_type_common_update = AAZObjectArg() + + data_connector_data_type_common_update = cls._args_data_connector_data_type_common_update + data_connector_data_type_common_update.state = AAZStrArg( + options=["state"], + help="Describe whether this data type connection is enabled or not.", + enum={"Disabled": "Disabled", "Enabled": "Enabled"}, + ) + + _schema.state = cls._args_data_connector_data_type_common_update.state + + def _execute_operations(self): + self.DataConnectorsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.DataConnectorsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = 
self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class DataConnectorsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + 
cls._schema_on_200 = AAZObjectType() + _build_schema_data_connector_read(cls._schema_on_200) + + return cls._schema_on_200 + + class DataConnectorsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "dataConnectorId", self.ctx.args.data_connector_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return 
self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_data_connector_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "APIPolling", AAZStrType, ".api_polling", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AmazonWebServicesCloudTrail", AAZStrType, ".aws_cloud_trail", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AmazonWebServicesS3", AAZStrType, ".aws_s3", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AzureActiveDirectory", AAZStrType, ".azure_active_directory", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AzureAdvancedThreatProtection", AAZStrType, ".azure_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "AzureSecurityCenter", AAZStrType, ".azure_security_center", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Dynamics365", AAZStrType, ".dynamics365", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "GenericUI", AAZStrType, ".generic_ui", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "IOT", AAZStrType, ".iot", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", 
"MicrosoftCloudAppSecurity", AAZStrType, ".cloud_app_security", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftDefenderAdvancedThreatProtection", AAZStrType, ".defender_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftThreatIntelligence", AAZStrType, ".microsoft_intelligence", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "MicrosoftThreatProtection", AAZStrType, ".microsoft_protection", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Office365", AAZStrType, ".office365", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Office365Project", AAZStrType, ".office365_project", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficeATP", AAZStrType, ".office_atp", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficeIRM", AAZStrType, ".office_irm", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "OfficePowerBI", AAZStrType, ".office_power_bi", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligence", AAZStrType, ".threat_intelligence", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "ThreatIntelligenceTaxii", AAZStrType, ".intelligence_taxii", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "APIPolling") + _builder.discriminate_by("kind", "AmazonWebServicesCloudTrail") + _builder.discriminate_by("kind", "AmazonWebServicesS3") + _builder.discriminate_by("kind", "AzureActiveDirectory") + _builder.discriminate_by("kind", "AzureAdvancedThreatProtection") + _builder.discriminate_by("kind", "AzureSecurityCenter") + _builder.discriminate_by("kind", "Dynamics365") + _builder.discriminate_by("kind", "GenericUI") + _builder.discriminate_by("kind", "IOT") + _builder.discriminate_by("kind", "MicrosoftCloudAppSecurity") + _builder.discriminate_by("kind", 
"MicrosoftDefenderAdvancedThreatProtection") + _builder.discriminate_by("kind", "MicrosoftThreatIntelligence") + _builder.discriminate_by("kind", "MicrosoftThreatProtection") + _builder.discriminate_by("kind", "Office365") + _builder.discriminate_by("kind", "Office365Project") + _builder.discriminate_by("kind", "OfficeATP") + _builder.discriminate_by("kind", "OfficeIRM") + _builder.discriminate_by("kind", "OfficePowerBI") + _builder.discriminate_by("kind", "ThreatIntelligence") + _builder.discriminate_by("kind", "ThreatIntelligenceTaxii") + + disc_api_polling = _builder.get("{kind:APIPolling}") + if disc_api_polling is not None: + disc_api_polling.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:APIPolling}.properties") + if properties is not None: + _build_schema_codeless_ui_connector_config_properties_update(properties.set_prop("connectorUiConfig", AAZObjectType, ".api_polling.connector_ui_config")) + properties.set_prop("pollingConfig", AAZObjectType, ".api_polling.polling_config") + + polling_config = _builder.get("{kind:APIPolling}.properties.pollingConfig") + if polling_config is not None: + polling_config.set_prop("auth", AAZObjectType, ".auth", typ_kwargs={"flags": {"required": True}}) + polling_config.set_prop("isActive", AAZBoolType, ".is_active") + polling_config.set_prop("paging", AAZObjectType, ".paging") + polling_config.set_prop("request", AAZObjectType, ".request", typ_kwargs={"flags": {"required": True}}) + polling_config.set_prop("response", AAZObjectType, ".response") + + auth = _builder.get("{kind:APIPolling}.properties.pollingConfig.auth") + if auth is not None: + auth.set_prop("apiKeyIdentifier", AAZStrType, ".api_key_identifier") + auth.set_prop("apiKeyName", AAZStrType, ".api_key_name") + auth.set_prop("authType", AAZStrType, ".auth_type", typ_kwargs={"flags": {"required": True}}) + auth.set_prop("authorizationEndpoint", AAZStrType, ".authorization_endpoint") + 
auth.set_prop("flowName", AAZStrType, ".flow_name") + auth.set_prop("isApiKeyInPostPayload", AAZStrType, ".is_api_key_in_post_payload") + auth.set_prop("isClientSecretInHeader", AAZBoolType, ".is_client_secret_in_header") + auth.set_prop("redirectionEndpoint", AAZStrType, ".redirection_endpoint") + auth.set_prop("scope", AAZStrType, ".scope") + auth.set_prop("tokenEndpoint", AAZStrType, ".token_endpoint") + + paging = _builder.get("{kind:APIPolling}.properties.pollingConfig.paging") + if paging is not None: + paging.set_prop("nextPageParaName", AAZStrType, ".next_page_para_name") + paging.set_prop("nextPageTokenJsonPath", AAZStrType, ".next_page_token_json_path") + paging.set_prop("pageCountAttributePath", AAZStrType, ".page_count_attribute_path") + paging.set_prop("pageSize", AAZIntType, ".page_size") + paging.set_prop("pageSizeParaName", AAZStrType, ".page_size_para_name") + paging.set_prop("pageTimeStampAttributePath", AAZStrType, ".page_time_stamp_attribute_path") + paging.set_prop("pageTotalCountAttributePath", AAZStrType, ".page_total_count_attribute_path") + paging.set_prop("pagingType", AAZStrType, ".paging_type", typ_kwargs={"flags": {"required": True}}) + paging.set_prop("searchTheLatestTimeStampFromEventsList", AAZStrType, ".search_the_latest_time_stamp_from_events_list") + + request = _builder.get("{kind:APIPolling}.properties.pollingConfig.request") + if request is not None: + request.set_prop("apiEndpoint", AAZStrType, ".api_endpoint", typ_kwargs={"flags": {"required": True}}) + request.set_prop("endTimeAttributeName", AAZStrType, ".end_time_attribute_name") + request.set_prop("httpMethod", AAZStrType, ".http_method", typ_kwargs={"flags": {"required": True}}) + request.set_prop("queryParametersTemplate", AAZStrType, ".query_parameters_template") + request.set_prop("queryTimeFormat", AAZStrType, ".query_time_format", typ_kwargs={"flags": {"required": True}}) + request.set_prop("queryWindowInMin", AAZIntType, ".query_window_in_min", typ_kwargs={"flags": 
{"required": True}}) + request.set_prop("rateLimitQps", AAZIntType, ".rate_limit_qps") + request.set_prop("retryCount", AAZIntType, ".retry_count") + request.set_prop("startTimeAttributeName", AAZStrType, ".start_time_attribute_name") + request.set_prop("timeoutInSeconds", AAZIntType, ".timeout_in_seconds") + + response = _builder.get("{kind:APIPolling}.properties.pollingConfig.response") + if response is not None: + response.set_prop("eventsJsonPaths", AAZListType, ".events_json_paths", typ_kwargs={"flags": {"required": True}}) + response.set_prop("isGzipCompressed", AAZBoolType, ".is_gzip_compressed") + response.set_prop("successStatusJsonPath", AAZStrType, ".success_status_json_path") + response.set_prop("successStatusValue", AAZStrType, ".success_status_value") + + events_json_paths = _builder.get("{kind:APIPolling}.properties.pollingConfig.response.eventsJsonPaths") + if events_json_paths is not None: + events_json_paths.set_elements(AAZStrType, ".") + + disc_amazon_web_services_cloud_trail = _builder.get("{kind:AmazonWebServicesCloudTrail}") + if disc_amazon_web_services_cloud_trail is not None: + disc_amazon_web_services_cloud_trail.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties") + if properties is not None: + properties.set_prop("awsRoleArn", AAZStrType, ".aws_cloud_trail.aws_role_arn") + properties.set_prop("dataTypes", AAZObjectType, ".aws_cloud_trail.data_types", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:AmazonWebServicesCloudTrail}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + 
disc_amazon_web_services_s3 = _builder.get("{kind:AmazonWebServicesS3}") + if disc_amazon_web_services_s3 is not None: + disc_amazon_web_services_s3.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AmazonWebServicesS3}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".aws_s3.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("destinationTable", AAZStrType, ".aws_s3.destination_table", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("roleArn", AAZStrType, ".aws_s3.role_arn", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("sqsUrls", AAZListType, ".aws_s3.sqs_urls", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:AmazonWebServicesS3}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:AmazonWebServicesS3}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + sqs_urls = _builder.get("{kind:AmazonWebServicesS3}.properties.sqsUrls") + if sqs_urls is not None: + sqs_urls.set_elements(AAZStrType, ".") + + disc_azure_active_directory = _builder.get("{kind:AzureActiveDirectory}") + if disc_azure_active_directory is not None: + disc_azure_active_directory.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureActiveDirectory}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".azure_active_directory.data_types")) + properties.set_prop("tenantId", AAZStrType, ".azure_active_directory.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_azure_advanced_threat_protection = 
_builder.get("{kind:AzureAdvancedThreatProtection}") + if disc_azure_advanced_threat_protection is not None: + disc_azure_advanced_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureAdvancedThreatProtection}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".azure_protection.data_types")) + properties.set_prop("tenantId", AAZStrType, ".azure_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_azure_security_center = _builder.get("{kind:AzureSecurityCenter}") + if disc_azure_security_center is not None: + disc_azure_security_center.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:AzureSecurityCenter}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".azure_security_center.data_types")) + properties.set_prop("subscriptionId", AAZStrType, ".azure_security_center.subscription_id") + + disc_dynamics365 = _builder.get("{kind:Dynamics365}") + if disc_dynamics365 is not None: + disc_dynamics365.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Dynamics365}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".dynamics365.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".dynamics365.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:Dynamics365}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("dynamics365CdsActivities", AAZObjectType, ".dynamics365_cds_activities", typ_kwargs={"flags": {"required": True}}) + + dynamics365_cds_activities = 
_builder.get("{kind:Dynamics365}.properties.dataTypes.dynamics365CdsActivities") + if dynamics365_cds_activities is not None: + dynamics365_cds_activities.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_generic_ui = _builder.get("{kind:GenericUI}") + if disc_generic_ui is not None: + disc_generic_ui.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:GenericUI}.properties") + if properties is not None: + _build_schema_codeless_ui_connector_config_properties_update(properties.set_prop("connectorUiConfig", AAZObjectType, ".generic_ui.connector_ui_config")) + + disc_iot = _builder.get("{kind:IOT}") + if disc_iot is not None: + disc_iot.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:IOT}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".iot.data_types")) + properties.set_prop("subscriptionId", AAZStrType, ".iot.subscription_id") + + disc_microsoft_cloud_app_security = _builder.get("{kind:MicrosoftCloudAppSecurity}") + if disc_microsoft_cloud_app_security is not None: + disc_microsoft_cloud_app_security.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftCloudAppSecurity}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".cloud_app_security.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".cloud_app_security.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:MicrosoftCloudAppSecurity}.properties.dataTypes") + if data_types is not None: + _build_schema_data_connector_data_type_common_update(data_types.set_prop("alerts", AAZObjectType, ".alerts", typ_kwargs={"flags": 
{"required": True}})) + _build_schema_data_connector_data_type_common_update(data_types.set_prop("discoveryLogs", AAZObjectType, ".discovery_logs")) + + disc_microsoft_defender_advanced_threat_protection = _builder.get("{kind:MicrosoftDefenderAdvancedThreatProtection}") + if disc_microsoft_defender_advanced_threat_protection is not None: + disc_microsoft_defender_advanced_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftDefenderAdvancedThreatProtection}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".defender_protection.data_types")) + properties.set_prop("tenantId", AAZStrType, ".defender_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_threat_intelligence = _builder.get("{kind:MicrosoftThreatIntelligence}") + if disc_microsoft_threat_intelligence is not None: + disc_microsoft_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".microsoft_intelligence.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".microsoft_intelligence.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("bingSafetyPhishingURL", AAZObjectType, ".bing_safety_phishing_url", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("microsoftEmergingThreatFeed", AAZObjectType, ".microsoft_emerging_threat_feed", typ_kwargs={"flags": {"required": True}}) + + bing_safety_phishing_url = 
_builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes.bingSafetyPhishingURL") + if bing_safety_phishing_url is not None: + bing_safety_phishing_url.set_prop("lookbackPeriod", AAZStrType, ".lookback_period", typ_kwargs={"flags": {"required": True}}) + bing_safety_phishing_url.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + microsoft_emerging_threat_feed = _builder.get("{kind:MicrosoftThreatIntelligence}.properties.dataTypes.microsoftEmergingThreatFeed") + if microsoft_emerging_threat_feed is not None: + microsoft_emerging_threat_feed.set_prop("lookbackPeriod", AAZStrType, ".lookback_period", typ_kwargs={"flags": {"required": True}}) + microsoft_emerging_threat_feed.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_microsoft_threat_protection = _builder.get("{kind:MicrosoftThreatProtection}") + if disc_microsoft_threat_protection is not None: + disc_microsoft_threat_protection.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:MicrosoftThreatProtection}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".microsoft_protection.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".microsoft_protection.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:MicrosoftThreatProtection}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("incidents", AAZObjectType, ".incidents", typ_kwargs={"flags": {"required": True}}) + + incidents = _builder.get("{kind:MicrosoftThreatProtection}.properties.dataTypes.incidents") + if incidents is not None: + incidents.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office365 = _builder.get("{kind:Office365}") + if disc_office365 is not None: + disc_office365.set_prop("properties", 
AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Office365}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office365.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office365.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = _builder.get("{kind:Office365}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("exchange", AAZObjectType, ".exchange", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("sharePoint", AAZObjectType, ".share_point", typ_kwargs={"flags": {"required": True}}) + data_types.set_prop("teams", AAZObjectType, ".teams", typ_kwargs={"flags": {"required": True}}) + + exchange = _builder.get("{kind:Office365}.properties.dataTypes.exchange") + if exchange is not None: + exchange.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + share_point = _builder.get("{kind:Office365}.properties.dataTypes.sharePoint") + if share_point is not None: + share_point.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + teams = _builder.get("{kind:Office365}.properties.dataTypes.teams") + if teams is not None: + teams.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office365_project = _builder.get("{kind:Office365Project}") + if disc_office365_project is not None: + disc_office365_project.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Office365Project}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office365_project.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office365_project.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = 
_builder.get("{kind:Office365Project}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:Office365Project}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_office_atp = _builder.get("{kind:OfficeATP}") + if disc_office_atp is not None: + disc_office_atp.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficeATP}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".office_atp.data_types")) + properties.set_prop("tenantId", AAZStrType, ".office_atp.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_office_irm = _builder.get("{kind:OfficeIRM}") + if disc_office_irm is not None: + disc_office_irm.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficeIRM}.properties") + if properties is not None: + _build_schema_alerts_data_type_of_data_connector_update(properties.set_prop("dataTypes", AAZObjectType, ".office_irm.data_types")) + properties.set_prop("tenantId", AAZStrType, ".office_irm.tenant_id", typ_kwargs={"flags": {"required": True}}) + + disc_office_power_bi = _builder.get("{kind:OfficePowerBI}") + if disc_office_power_bi is not None: + disc_office_power_bi.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:OfficePowerBI}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".office_power_bi.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".office_power_bi.tenant_id", typ_kwargs={"flags": {"required": True}}) + + data_types = 
_builder.get("{kind:OfficePowerBI}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("logs", AAZObjectType, ".logs", typ_kwargs={"flags": {"required": True}}) + + logs = _builder.get("{kind:OfficePowerBI}.properties.dataTypes.logs") + if logs is not None: + logs.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_threat_intelligence = _builder.get("{kind:ThreatIntelligence}") + if disc_threat_intelligence is not None: + disc_threat_intelligence.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligence}.properties") + if properties is not None: + properties.set_prop("dataTypes", AAZObjectType, ".threat_intelligence.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tenantId", AAZStrType, ".threat_intelligence.tenant_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("tipLookbackPeriod", AAZStrType, ".threat_intelligence.tip_lookback_period", typ_kwargs={"nullable": True}) + + data_types = _builder.get("{kind:ThreatIntelligence}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("indicators", AAZObjectType, ".indicators", typ_kwargs={"flags": {"required": True}}) + + indicators = _builder.get("{kind:ThreatIntelligence}.properties.dataTypes.indicators") + if indicators is not None: + indicators.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + disc_threat_intelligence_taxii = _builder.get("{kind:ThreatIntelligenceTaxii}") + if disc_threat_intelligence_taxii is not None: + disc_threat_intelligence_taxii.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:ThreatIntelligenceTaxii}.properties") + if properties is not None: + properties.set_prop("collectionId", AAZStrType, ".intelligence_taxii.collection_id") + properties.set_prop("dataTypes", 
AAZObjectType, ".intelligence_taxii.data_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("friendlyName", AAZStrType, ".intelligence_taxii.friendly_name") + properties.set_prop("password", AAZStrType, ".intelligence_taxii.password") + properties.set_prop("pollingFrequency", AAZStrType, ".intelligence_taxii.polling_frequency", typ_kwargs={"flags": {"required": True}, "nullable": True}) + properties.set_prop("taxiiLookbackPeriod", AAZStrType, ".intelligence_taxii.taxii_lookback_period", typ_kwargs={"nullable": True}) + properties.set_prop("taxiiServer", AAZStrType, ".intelligence_taxii.taxii_server") + properties.set_prop("tenantId", AAZStrType, ".intelligence_taxii.tenant_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("userName", AAZStrType, ".intelligence_taxii.user_name") + properties.set_prop("workspaceId", AAZStrType, ".intelligence_taxii.workspace_id") + + data_types = _builder.get("{kind:ThreatIntelligenceTaxii}.properties.dataTypes") + if data_types is not None: + data_types.set_prop("taxiiClient", AAZObjectType, ".taxii_client", typ_kwargs={"flags": {"required": True}}) + + taxii_client = _builder.get("{kind:ThreatIntelligenceTaxii}.properties.dataTypes.taxiiClient") + if taxii_client is not None: + taxii_client.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +def _build_schema_alerts_data_type_of_data_connector_update(_builder): + if _builder is None: + return + _build_schema_data_connector_data_type_common_update(_builder.set_prop("alerts", AAZObjectType, ".alerts", typ_kwargs={"flags": {"required": True}})) + + +def _build_schema_codeless_ui_connector_config_properties_update(_builder): + if _builder is None: + return + 
_builder.set_prop("availability", AAZObjectType, ".availability", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("connectivityCriteria", AAZListType, ".connectivity_criteria", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("customImage", AAZStrType, ".custom_image") + _builder.set_prop("dataTypes", AAZListType, ".data_types", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("descriptionMarkdown", AAZStrType, ".description_markdown", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("graphQueries", AAZListType, ".graph_queries", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("graphQueriesTableName", AAZStrType, ".graph_queries_table_name", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("instructionSteps", AAZListType, ".instruction_steps", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("permissions", AAZObjectType, ".permissions", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("publisher", AAZStrType, ".publisher", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("sampleQueries", AAZListType, ".sample_queries", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("title", AAZStrType, ".title", typ_kwargs={"flags": {"required": True}}) + + availability = _builder.get(".availability") + if availability is not None: + availability.set_prop("isPreview", AAZBoolType, ".is_preview") + availability.set_prop("status", AAZIntType, ".status") + + connectivity_criteria = _builder.get(".connectivityCriteria") + if connectivity_criteria is not None: + connectivity_criteria.set_elements(AAZObjectType) + + _elements = _builder.get(".connectivityCriteria[]") + if _elements is not None: + _elements.set_prop("type", AAZStrType, "@CodelessUiConnectorConfigProperties_update.connectivity_criteria.[].type") + _elements.set_prop("value", AAZListType, "@CodelessUiConnectorConfigProperties_update.connectivity_criteria.[].value") + + value = 
_builder.get(".connectivityCriteria[].value") + if value is not None: + value.set_elements(AAZStrType, ".") + + data_types = _builder.get(".dataTypes") + if data_types is not None: + data_types.set_elements(AAZObjectType) + + _elements = _builder.get(".dataTypes[]") + if _elements is not None: + _elements.set_prop("lastDataReceivedQuery", AAZStrType, "@CodelessUiConnectorConfigProperties_update.data_types.[].last_data_received_query") + _elements.set_prop("name", AAZStrType, "@CodelessUiConnectorConfigProperties_update.data_types.[].name") + + graph_queries = _builder.get(".graphQueries") + if graph_queries is not None: + graph_queries.set_elements(AAZObjectType) + + _elements = _builder.get(".graphQueries[]") + if _elements is not None: + _elements.set_prop("baseQuery", AAZStrType, "@CodelessUiConnectorConfigProperties_update.graph_queries.[].base_query") + _elements.set_prop("legend", AAZStrType, "@CodelessUiConnectorConfigProperties_update.graph_queries.[].legend") + _elements.set_prop("metricName", AAZStrType, "@CodelessUiConnectorConfigProperties_update.graph_queries.[].metric_name") + + instruction_steps = _builder.get(".instructionSteps") + if instruction_steps is not None: + instruction_steps.set_elements(AAZObjectType) + + _elements = _builder.get(".instructionSteps[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_update.instruction_steps.[].description") + _elements.set_prop("instructions", AAZListType, "@CodelessUiConnectorConfigProperties_update.instruction_steps.[].instructions") + _elements.set_prop("title", AAZStrType, "@CodelessUiConnectorConfigProperties_update.instruction_steps.[].title") + + instructions = _builder.get(".instructionSteps[].instructions") + if instructions is not None: + instructions.set_elements(AAZObjectType) + + _elements = _builder.get(".instructionSteps[].instructions[]") + if _elements is not None: + _elements.set_prop("type", AAZStrType, 
"@CodelessUiConnectorConfigProperties_update.instruction_steps.[].instructions.[].type", typ_kwargs={"flags": {"required": True}}) + + permissions = _builder.get(".permissions") + if permissions is not None: + permissions.set_prop("customs", AAZListType, ".customs") + permissions.set_prop("resourceProvider", AAZListType, ".resource_provider") + + customs = _builder.get(".permissions.customs") + if customs is not None: + customs.set_elements(AAZObjectType) + + _elements = _builder.get(".permissions.customs[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.customs.[].description") + _elements.set_prop("name", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.customs.[].name") + + resource_provider = _builder.get(".permissions.resourceProvider") + if resource_provider is not None: + resource_provider.set_elements(AAZObjectType) + + _elements = _builder.get(".permissions.resourceProvider[]") + if _elements is not None: + _elements.set_prop("permissionsDisplayText", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.resource_provider.[].permissions_display_text") + _elements.set_prop("provider", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.resource_provider.[].provider") + _elements.set_prop("providerDisplayName", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.resource_provider.[].provider_display_name") + _elements.set_prop("requiredPermissions", AAZObjectType, "@CodelessUiConnectorConfigProperties_update.permissions.resource_provider.[].required_permissions") + _elements.set_prop("scope", AAZStrType, "@CodelessUiConnectorConfigProperties_update.permissions.resource_provider.[].scope") + + required_permissions = _builder.get(".permissions.resourceProvider[].requiredPermissions") + if required_permissions is not None: + required_permissions.set_prop("action", AAZBoolType, ".action") + 
required_permissions.set_prop("delete", AAZBoolType, ".delete") + required_permissions.set_prop("read", AAZBoolType, ".read") + required_permissions.set_prop("write", AAZBoolType, ".write") + + sample_queries = _builder.get(".sampleQueries") + if sample_queries is not None: + sample_queries.set_elements(AAZObjectType) + + _elements = _builder.get(".sampleQueries[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, "@CodelessUiConnectorConfigProperties_update.sample_queries.[].description") + _elements.set_prop("query", AAZStrType, "@CodelessUiConnectorConfigProperties_update.sample_queries.[].query") + + +def _build_schema_data_connector_data_type_common_update(_builder): + if _builder is None: + return + _builder.set_prop("state", AAZStrType, ".state", typ_kwargs={"flags": {"required": True}}) + + +_schema_alerts_data_type_of_data_connector_read = None + + +def _build_schema_alerts_data_type_of_data_connector_read(_schema): + global _schema_alerts_data_type_of_data_connector_read + if _schema_alerts_data_type_of_data_connector_read is not None: + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + return + + _schema_alerts_data_type_of_data_connector_read = AAZObjectType() + + alerts_data_type_of_data_connector_read = _schema_alerts_data_type_of_data_connector_read + alerts_data_type_of_data_connector_read.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(alerts_data_type_of_data_connector_read.alerts) + + _schema.alerts = _schema_alerts_data_type_of_data_connector_read.alerts + + +_schema_codeless_ui_connector_config_properties_read = None + + +def _build_schema_codeless_ui_connector_config_properties_read(_schema): + global _schema_codeless_ui_connector_config_properties_read + if _schema_codeless_ui_connector_config_properties_read is not None: + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + 
_schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + return + + _schema_codeless_ui_connector_config_properties_read = AAZObjectType() + + codeless_ui_connector_config_properties_read = _schema_codeless_ui_connector_config_properties_read + codeless_ui_connector_config_properties_read.availability = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.connectivity_criteria = AAZListType( + serialized_name="connectivityCriteria", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.custom_image = AAZStrType( + serialized_name="customImage", + ) + codeless_ui_connector_config_properties_read.data_types = AAZListType( + serialized_name="dataTypes", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.description_markdown = AAZStrType( + serialized_name="descriptionMarkdown", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries = AAZListType( + 
serialized_name="graphQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.graph_queries_table_name = AAZStrType( + serialized_name="graphQueriesTableName", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.instruction_steps = AAZListType( + serialized_name="instructionSteps", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.permissions = AAZObjectType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.publisher = AAZStrType( + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.sample_queries = AAZListType( + serialized_name="sampleQueries", + flags={"required": True}, + ) + codeless_ui_connector_config_properties_read.title = AAZStrType( + flags={"required": True}, + ) + + availability = _schema_codeless_ui_connector_config_properties_read.availability + availability.is_preview = AAZBoolType( + serialized_name="isPreview", + ) + availability.status = AAZIntType() + + connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + connectivity_criteria.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element + _element.type = AAZStrType() + _element.value = AAZListType() + + value = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria.Element.value + value.Element = AAZStrType() + + data_types = _schema_codeless_ui_connector_config_properties_read.data_types + data_types.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.data_types.Element + _element.last_data_received_query = AAZStrType( + serialized_name="lastDataReceivedQuery", + ) + _element.name = AAZStrType() + + graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + graph_queries.Element = AAZObjectType() + + _element = 
_schema_codeless_ui_connector_config_properties_read.graph_queries.Element + _element.base_query = AAZStrType( + serialized_name="baseQuery", + ) + _element.legend = AAZStrType() + _element.metric_name = AAZStrType( + serialized_name="metricName", + ) + + instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + instruction_steps.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element + _element.description = AAZStrType() + _element.instructions = AAZListType() + _element.title = AAZStrType() + + instructions = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions + instructions.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.instruction_steps.Element.instructions.Element + _element.type = AAZStrType( + flags={"required": True}, + ) + + permissions = _schema_codeless_ui_connector_config_properties_read.permissions + permissions.customs = AAZListType() + permissions.resource_provider = AAZListType( + serialized_name="resourceProvider", + ) + + customs = _schema_codeless_ui_connector_config_properties_read.permissions.customs + customs.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.customs.Element + _element.description = AAZStrType() + _element.name = AAZStrType() + + resource_provider = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider + resource_provider.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element + _element.permissions_display_text = AAZStrType( + serialized_name="permissionsDisplayText", + ) + _element.provider = AAZStrType() + _element.provider_display_name = AAZStrType( + serialized_name="providerDisplayName", + ) + _element.required_permissions = AAZObjectType( + serialized_name="requiredPermissions", + 
) + _element.scope = AAZStrType() + + required_permissions = _schema_codeless_ui_connector_config_properties_read.permissions.resource_provider.Element.required_permissions + required_permissions.action = AAZBoolType() + required_permissions.delete = AAZBoolType() + required_permissions.read = AAZBoolType() + required_permissions.write = AAZBoolType() + + sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + sample_queries.Element = AAZObjectType() + + _element = _schema_codeless_ui_connector_config_properties_read.sample_queries.Element + _element.description = AAZStrType() + _element.query = AAZStrType() + + _schema.availability = _schema_codeless_ui_connector_config_properties_read.availability + _schema.connectivity_criteria = _schema_codeless_ui_connector_config_properties_read.connectivity_criteria + _schema.custom_image = _schema_codeless_ui_connector_config_properties_read.custom_image + _schema.data_types = _schema_codeless_ui_connector_config_properties_read.data_types + _schema.description_markdown = _schema_codeless_ui_connector_config_properties_read.description_markdown + _schema.graph_queries = _schema_codeless_ui_connector_config_properties_read.graph_queries + _schema.graph_queries_table_name = _schema_codeless_ui_connector_config_properties_read.graph_queries_table_name + _schema.instruction_steps = _schema_codeless_ui_connector_config_properties_read.instruction_steps + _schema.permissions = _schema_codeless_ui_connector_config_properties_read.permissions + _schema.publisher = _schema_codeless_ui_connector_config_properties_read.publisher + _schema.sample_queries = _schema_codeless_ui_connector_config_properties_read.sample_queries + _schema.title = _schema_codeless_ui_connector_config_properties_read.title + + +_schema_data_connector_data_type_common_read = None + + +def _build_schema_data_connector_data_type_common_read(_schema): + global _schema_data_connector_data_type_common_read + if 
_schema_data_connector_data_type_common_read is not None: + _schema.state = _schema_data_connector_data_type_common_read.state + return + + _schema_data_connector_data_type_common_read = AAZObjectType() + + data_connector_data_type_common_read = _schema_data_connector_data_type_common_read + data_connector_data_type_common_read.state = AAZStrType( + flags={"required": True}, + ) + + _schema.state = _schema_data_connector_data_type_common_read.state + + +_schema_data_connector_read = None + + +def _build_schema_data_connector_read(_schema): + global _schema_data_connector_read + if _schema_data_connector_read is not None: + _schema.etag = _schema_data_connector_read.etag + _schema.id = _schema_data_connector_read.id + _schema.kind = _schema_data_connector_read.kind + _schema.name = _schema_data_connector_read.name + _schema.system_data = _schema_data_connector_read.system_data + _schema.type = _schema_data_connector_read.type + _schema.discriminate_by( + "kind", + "APIPolling", + _schema_data_connector_read.discriminate_by( + "kind", + "APIPolling", + ) + ) + _schema.discriminate_by( + "kind", + "AmazonWebServicesCloudTrail", + _schema_data_connector_read.discriminate_by( + "kind", + "AmazonWebServicesCloudTrail", + ) + ) + _schema.discriminate_by( + "kind", + "AmazonWebServicesS3", + _schema_data_connector_read.discriminate_by( + "kind", + "AmazonWebServicesS3", + ) + ) + _schema.discriminate_by( + "kind", + "AzureActiveDirectory", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureActiveDirectory", + ) + ) + _schema.discriminate_by( + "kind", + "AzureAdvancedThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureAdvancedThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "AzureSecurityCenter", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureSecurityCenter", + ) + ) + _schema.discriminate_by( + "kind", + "Dynamics365", + _schema_data_connector_read.discriminate_by( + "kind", + "Dynamics365", 
+ ) + ) + _schema.discriminate_by( + "kind", + "GenericUI", + _schema_data_connector_read.discriminate_by( + "kind", + "GenericUI", + ) + ) + _schema.discriminate_by( + "kind", + "IOT", + _schema_data_connector_read.discriminate_by( + "kind", + "IOT", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftCloudAppSecurity", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftCloudAppSecurity", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftDefenderAdvancedThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftDefenderAdvancedThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftThreatIntelligence", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftThreatIntelligence", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "Office365", + _schema_data_connector_read.discriminate_by( + "kind", + "Office365", + ) + ) + _schema.discriminate_by( + "kind", + "Office365Project", + _schema_data_connector_read.discriminate_by( + "kind", + "Office365Project", + ) + ) + _schema.discriminate_by( + "kind", + "OfficeATP", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficeATP", + ) + ) + _schema.discriminate_by( + "kind", + "OfficeIRM", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficeIRM", + ) + ) + _schema.discriminate_by( + "kind", + "OfficePowerBI", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficePowerBI", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligence", + _schema_data_connector_read.discriminate_by( + "kind", + "ThreatIntelligence", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligenceTaxii", + _schema_data_connector_read.discriminate_by( + "kind", + "ThreatIntelligenceTaxii", + ) + ) + return + + _schema_data_connector_read = 
AAZObjectType() + + data_connector_read = _schema_data_connector_read + data_connector_read.etag = AAZStrType() + data_connector_read.id = AAZStrType( + flags={"read_only": True}, + ) + data_connector_read.kind = AAZStrType( + flags={"required": True}, + ) + data_connector_read.name = AAZStrType( + flags={"read_only": True}, + ) + data_connector_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + data_connector_read.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = _schema_data_connector_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_api_polling = _schema_data_connector_read.discriminate_by("kind", "APIPolling") + disc_api_polling.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + properties.polling_config = AAZObjectType( + serialized_name="pollingConfig", + ) + + polling_config = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config + polling_config.auth = AAZObjectType( + flags={"required": True}, + ) + polling_config.is_active = 
AAZBoolType( + serialized_name="isActive", + ) + polling_config.paging = AAZObjectType() + polling_config.request = AAZObjectType( + flags={"required": True}, + ) + polling_config.response = AAZObjectType() + + auth = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config.auth + auth.api_key_identifier = AAZStrType( + serialized_name="apiKeyIdentifier", + ) + auth.api_key_name = AAZStrType( + serialized_name="apiKeyName", + ) + auth.auth_type = AAZStrType( + serialized_name="authType", + flags={"required": True}, + ) + auth.authorization_endpoint = AAZStrType( + serialized_name="authorizationEndpoint", + ) + auth.flow_name = AAZStrType( + serialized_name="flowName", + ) + auth.is_api_key_in_post_payload = AAZStrType( + serialized_name="isApiKeyInPostPayload", + ) + auth.is_client_secret_in_header = AAZBoolType( + serialized_name="isClientSecretInHeader", + ) + auth.redirection_endpoint = AAZStrType( + serialized_name="redirectionEndpoint", + ) + auth.scope = AAZStrType() + auth.token_endpoint = AAZStrType( + serialized_name="tokenEndpoint", + ) + + paging = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config.paging + paging.next_page_para_name = AAZStrType( + serialized_name="nextPageParaName", + ) + paging.next_page_token_json_path = AAZStrType( + serialized_name="nextPageTokenJsonPath", + ) + paging.page_count_attribute_path = AAZStrType( + serialized_name="pageCountAttributePath", + ) + paging.page_size = AAZIntType( + serialized_name="pageSize", + ) + paging.page_size_para_name = AAZStrType( + serialized_name="pageSizeParaName", + ) + paging.page_time_stamp_attribute_path = AAZStrType( + serialized_name="pageTimeStampAttributePath", + ) + paging.page_total_count_attribute_path = AAZStrType( + serialized_name="pageTotalCountAttributePath", + ) + paging.paging_type = AAZStrType( + serialized_name="pagingType", + flags={"required": True}, + ) + 
paging.search_the_latest_time_stamp_from_events_list = AAZStrType( + serialized_name="searchTheLatestTimeStampFromEventsList", + ) + + request = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config.request + request.api_endpoint = AAZStrType( + serialized_name="apiEndpoint", + flags={"required": True}, + ) + request.end_time_attribute_name = AAZStrType( + serialized_name="endTimeAttributeName", + ) + request.http_method = AAZStrType( + serialized_name="httpMethod", + flags={"required": True}, + ) + request.query_parameters_template = AAZStrType( + serialized_name="queryParametersTemplate", + ) + request.query_time_format = AAZStrType( + serialized_name="queryTimeFormat", + flags={"required": True}, + ) + request.query_window_in_min = AAZIntType( + serialized_name="queryWindowInMin", + flags={"required": True}, + ) + request.rate_limit_qps = AAZIntType( + serialized_name="rateLimitQps", + ) + request.retry_count = AAZIntType( + serialized_name="retryCount", + ) + request.start_time_attribute_name = AAZStrType( + serialized_name="startTimeAttributeName", + ) + request.timeout_in_seconds = AAZIntType( + serialized_name="timeoutInSeconds", + ) + + response = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config.response + response.events_json_paths = AAZListType( + serialized_name="eventsJsonPaths", + flags={"required": True}, + ) + response.is_gzip_compressed = AAZBoolType( + serialized_name="isGzipCompressed", + ) + response.success_status_json_path = AAZStrType( + serialized_name="successStatusJsonPath", + ) + response.success_status_value = AAZStrType( + serialized_name="successStatusValue", + ) + + events_json_paths = _schema_data_connector_read.discriminate_by("kind", "APIPolling").properties.polling_config.response.events_json_paths + events_json_paths.Element = AAZStrType() + + disc_amazon_web_services_cloud_trail = _schema_data_connector_read.discriminate_by("kind", 
"AmazonWebServicesCloudTrail") + disc_amazon_web_services_cloud_trail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties + properties.aws_role_arn = AAZStrType( + serialized_name="awsRoleArn", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesCloudTrail").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_amazon_web_services_s3 = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesS3") + disc_amazon_web_services_s3.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesS3").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.destination_table = AAZStrType( + serialized_name="destinationTable", + flags={"required": True}, + ) + properties.role_arn = AAZStrType( + serialized_name="roleArn", + flags={"required": True}, + ) + properties.sqs_urls = AAZListType( + serialized_name="sqsUrls", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesS3").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + sqs_urls = _schema_data_connector_read.discriminate_by("kind", "AmazonWebServicesS3").properties.sqs_urls + sqs_urls.Element 
= AAZStrType() + + disc_azure_active_directory = _schema_data_connector_read.discriminate_by("kind", "AzureActiveDirectory") + disc_azure_active_directory.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "AzureActiveDirectory").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_advanced_threat_protection = _schema_data_connector_read.discriminate_by("kind", "AzureAdvancedThreatProtection") + disc_azure_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "AzureAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_azure_security_center = _schema_data_connector_read.discriminate_by("kind", "AzureSecurityCenter") + disc_azure_security_center.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "AzureSecurityCenter").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_dynamics365 = _schema_data_connector_read.discriminate_by("kind", "Dynamics365") + disc_dynamics365.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "Dynamics365").properties + 
properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "Dynamics365").properties.data_types + data_types.dynamics365_cds_activities = AAZObjectType( + serialized_name="dynamics365CdsActivities", + flags={"required": True}, + ) + + dynamics365_cds_activities = _schema_data_connector_read.discriminate_by("kind", "Dynamics365").properties.data_types.dynamics365_cds_activities + dynamics365_cds_activities.state = AAZStrType( + flags={"required": True}, + ) + + disc_generic_ui = _schema_data_connector_read.discriminate_by("kind", "GenericUI") + disc_generic_ui.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "GenericUI").properties + properties.connector_ui_config = AAZObjectType( + serialized_name="connectorUiConfig", + ) + _build_schema_codeless_ui_connector_config_properties_read(properties.connector_ui_config) + + disc_iot = _schema_data_connector_read.discriminate_by("kind", "IOT") + disc_iot.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "IOT").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + ) + + disc_microsoft_cloud_app_security = _schema_data_connector_read.discriminate_by("kind", "MicrosoftCloudAppSecurity") + disc_microsoft_cloud_app_security.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties + properties.data_types = AAZObjectType( + 
serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "MicrosoftCloudAppSecurity").properties.data_types + data_types.alerts = AAZObjectType( + flags={"required": True}, + ) + _build_schema_data_connector_data_type_common_read(data_types.alerts) + data_types.discovery_logs = AAZObjectType( + serialized_name="discoveryLogs", + ) + _build_schema_data_connector_data_type_common_read(data_types.discovery_logs) + + disc_microsoft_defender_advanced_threat_protection = _schema_data_connector_read.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection") + disc_microsoft_defender_advanced_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "MicrosoftDefenderAdvancedThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_microsoft_threat_intelligence = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatIntelligence") + disc_microsoft_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types + data_types.bing_safety_phishing_url = AAZObjectType( + serialized_name="bingSafetyPhishingURL", + 
flags={"required": True}, + ) + data_types.microsoft_emerging_threat_feed = AAZObjectType( + serialized_name="microsoftEmergingThreatFeed", + flags={"required": True}, + ) + + bing_safety_phishing_url = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.bing_safety_phishing_url + bing_safety_phishing_url.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + bing_safety_phishing_url.state = AAZStrType( + flags={"required": True}, + ) + + microsoft_emerging_threat_feed = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatIntelligence").properties.data_types.microsoft_emerging_threat_feed + microsoft_emerging_threat_feed.lookback_period = AAZStrType( + serialized_name="lookbackPeriod", + flags={"required": True}, + ) + microsoft_emerging_threat_feed.state = AAZStrType( + flags={"required": True}, + ) + + disc_microsoft_threat_protection = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatProtection") + disc_microsoft_threat_protection.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatProtection").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types + data_types.incidents = AAZObjectType( + flags={"required": True}, + ) + + incidents = _schema_data_connector_read.discriminate_by("kind", "MicrosoftThreatProtection").properties.data_types.incidents + incidents.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365 = _schema_data_connector_read.discriminate_by("kind", "Office365") + disc_office365.properties = AAZObjectType( + 
flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "Office365").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "Office365").properties.data_types + data_types.exchange = AAZObjectType( + flags={"required": True}, + ) + data_types.share_point = AAZObjectType( + serialized_name="sharePoint", + flags={"required": True}, + ) + data_types.teams = AAZObjectType( + flags={"required": True}, + ) + + exchange = _schema_data_connector_read.discriminate_by("kind", "Office365").properties.data_types.exchange + exchange.state = AAZStrType( + flags={"required": True}, + ) + + share_point = _schema_data_connector_read.discriminate_by("kind", "Office365").properties.data_types.share_point + share_point.state = AAZStrType( + flags={"required": True}, + ) + + teams = _schema_data_connector_read.discriminate_by("kind", "Office365").properties.data_types.teams + teams.state = AAZStrType( + flags={"required": True}, + ) + + disc_office365_project = _schema_data_connector_read.discriminate_by("kind", "Office365Project") + disc_office365_project.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "Office365Project").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "Office365Project").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = _schema_data_connector_read.discriminate_by("kind", "Office365Project").properties.data_types.logs + logs.state 
= AAZStrType( + flags={"required": True}, + ) + + disc_office_atp = _schema_data_connector_read.discriminate_by("kind", "OfficeATP") + disc_office_atp.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "OfficeATP").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_irm = _schema_data_connector_read.discriminate_by("kind", "OfficeIRM") + disc_office_irm.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "OfficeIRM").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + ) + _build_schema_alerts_data_type_of_data_connector_read(properties.data_types) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + disc_office_power_bi = _schema_data_connector_read.discriminate_by("kind", "OfficePowerBI") + disc_office_power_bi.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "OfficePowerBI").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "OfficePowerBI").properties.data_types + data_types.logs = AAZObjectType( + flags={"required": True}, + ) + + logs = _schema_data_connector_read.discriminate_by("kind", "OfficePowerBI").properties.data_types.logs + logs.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence = _schema_data_connector_read.discriminate_by("kind", 
"ThreatIntelligence") + disc_threat_intelligence.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligence").properties + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.tip_lookback_period = AAZStrType( + serialized_name="tipLookbackPeriod", + nullable=True, + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligence").properties.data_types + data_types.indicators = AAZObjectType( + flags={"required": True}, + ) + + indicators = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligence").properties.data_types.indicators + indicators.state = AAZStrType( + flags={"required": True}, + ) + + disc_threat_intelligence_taxii = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligenceTaxii") + disc_threat_intelligence_taxii.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligenceTaxii").properties + properties.collection_id = AAZStrType( + serialized_name="collectionId", + ) + properties.data_types = AAZObjectType( + serialized_name="dataTypes", + flags={"required": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + ) + properties.password = AAZStrType() + properties.polling_frequency = AAZStrType( + serialized_name="pollingFrequency", + flags={"required": True}, + nullable=True, + ) + properties.taxii_lookback_period = AAZStrType( + serialized_name="taxiiLookbackPeriod", + nullable=True, + ) + properties.taxii_server = AAZStrType( + serialized_name="taxiiServer", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + flags={"required": True}, + ) + properties.user_name = AAZStrType( + 
serialized_name="userName", + ) + properties.workspace_id = AAZStrType( + serialized_name="workspaceId", + ) + + data_types = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types + data_types.taxii_client = AAZObjectType( + serialized_name="taxiiClient", + flags={"required": True}, + ) + + taxii_client = _schema_data_connector_read.discriminate_by("kind", "ThreatIntelligenceTaxii").properties.data_types.taxii_client + taxii_client.state = AAZStrType( + flags={"required": True}, + ) + + _schema.etag = _schema_data_connector_read.etag + _schema.id = _schema_data_connector_read.id + _schema.kind = _schema_data_connector_read.kind + _schema.name = _schema_data_connector_read.name + _schema.system_data = _schema_data_connector_read.system_data + _schema.type = _schema_data_connector_read.type + _schema.discriminate_by( + "kind", + "APIPolling", + _schema_data_connector_read.discriminate_by( + "kind", + "APIPolling", + ) + ) + _schema.discriminate_by( + "kind", + "AmazonWebServicesCloudTrail", + _schema_data_connector_read.discriminate_by( + "kind", + "AmazonWebServicesCloudTrail", + ) + ) + _schema.discriminate_by( + "kind", + "AmazonWebServicesS3", + _schema_data_connector_read.discriminate_by( + "kind", + "AmazonWebServicesS3", + ) + ) + _schema.discriminate_by( + "kind", + "AzureActiveDirectory", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureActiveDirectory", + ) + ) + _schema.discriminate_by( + "kind", + "AzureAdvancedThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureAdvancedThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "AzureSecurityCenter", + _schema_data_connector_read.discriminate_by( + "kind", + "AzureSecurityCenter", + ) + ) + _schema.discriminate_by( + "kind", + "Dynamics365", + _schema_data_connector_read.discriminate_by( + "kind", + "Dynamics365", + ) + ) + _schema.discriminate_by( + "kind", + "GenericUI", + 
_schema_data_connector_read.discriminate_by( + "kind", + "GenericUI", + ) + ) + _schema.discriminate_by( + "kind", + "IOT", + _schema_data_connector_read.discriminate_by( + "kind", + "IOT", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftCloudAppSecurity", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftCloudAppSecurity", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftDefenderAdvancedThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftDefenderAdvancedThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftThreatIntelligence", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftThreatIntelligence", + ) + ) + _schema.discriminate_by( + "kind", + "MicrosoftThreatProtection", + _schema_data_connector_read.discriminate_by( + "kind", + "MicrosoftThreatProtection", + ) + ) + _schema.discriminate_by( + "kind", + "Office365", + _schema_data_connector_read.discriminate_by( + "kind", + "Office365", + ) + ) + _schema.discriminate_by( + "kind", + "Office365Project", + _schema_data_connector_read.discriminate_by( + "kind", + "Office365Project", + ) + ) + _schema.discriminate_by( + "kind", + "OfficeATP", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficeATP", + ) + ) + _schema.discriminate_by( + "kind", + "OfficeIRM", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficeIRM", + ) + ) + _schema.discriminate_by( + "kind", + "OfficePowerBI", + _schema_data_connector_read.discriminate_by( + "kind", + "OfficePowerBI", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligence", + _schema_data_connector_read.discriminate_by( + "kind", + "ThreatIntelligence", + ) + ) + _schema.discriminate_by( + "kind", + "ThreatIntelligenceTaxii", + _schema_data_connector_read.discriminate_by( + "kind", + "ThreatIntelligenceTaxii", + ) + ) + + +__all__ = ["Update"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__cmd_group.py new file mode 100644 index 00000000000..bb6c4ba5522 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel enrichment", +) +class __CMDGroup(AAZCommandGroup): + """Manage enrichment with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__init__.py new file mode 100644 index 00000000000..5a9d61963d6 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/__init__.py @@ -0,0 +1,11 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__cmd_group.py new file mode 100644 index 00000000000..2e30df4c948 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel enrichment domain-whois", +) +class __CMDGroup(AAZCommandGroup): + """Manage domain whois with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__init__.py new file mode 100644 index 00000000000..28d5f355813 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/__init__.py @@ -0,0 +1,12 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._show import * 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/_show.py
new file mode 100644
index 00000000000..c83bc0c95cd
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/domain_whois/_show.py
@@ -0,0 +1,242 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel enrichment domain-whois show", + is_experimental=True, +) +class Show(AAZCommand): + """Get whois information for a single domain name + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.securityinsights/enrichment/domain/whois/", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.domain = AAZStrArg( + options=["--domain"], + help="Domain name to be enriched", + required=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.DomainWhoisGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class DomainWhoisGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return 
self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "domain", self.ctx.args.domain, + required=True, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.created = AAZStrType() + _schema_on_200.domain = AAZStrType() + _schema_on_200.expires = AAZStrType() + _schema_on_200.parsed_whois = AAZObjectType( + serialized_name="parsedWhois", + ) + _schema_on_200.server = AAZStrType() + _schema_on_200.updated = AAZStrType() + + parsed_whois = cls._schema_on_200.parsed_whois + parsed_whois.contacts = AAZObjectType() + parsed_whois.name_servers = AAZListType( + serialized_name="nameServers", + ) + parsed_whois.registrar = 
AAZObjectType() + parsed_whois.statuses = AAZListType() + + contacts = cls._schema_on_200.parsed_whois.contacts + contacts.admin = AAZObjectType() + _build_schema_enrichment_domain_whois_contact_read(contacts.admin) + contacts.billing = AAZObjectType() + _build_schema_enrichment_domain_whois_contact_read(contacts.billing) + contacts.registrant = AAZObjectType() + _build_schema_enrichment_domain_whois_contact_read(contacts.registrant) + contacts.tech = AAZObjectType() + _build_schema_enrichment_domain_whois_contact_read(contacts.tech) + + name_servers = cls._schema_on_200.parsed_whois.name_servers + name_servers.Element = AAZStrType() + + registrar = cls._schema_on_200.parsed_whois.registrar + registrar.abuse_contact_email = AAZStrType( + serialized_name="abuseContactEmail", + ) + registrar.abuse_contact_phone = AAZStrType( + serialized_name="abuseContactPhone", + ) + registrar.iana_id = AAZStrType( + serialized_name="ianaId", + ) + registrar.name = AAZStrType() + registrar.url = AAZStrType() + registrar.whois_server = AAZStrType( + serialized_name="whoisServer", + ) + + statuses = cls._schema_on_200.parsed_whois.statuses + statuses.Element = AAZStrType() + + return cls._schema_on_200 + + +_schema_enrichment_domain_whois_contact_read = None + + +def _build_schema_enrichment_domain_whois_contact_read(_schema): + global _schema_enrichment_domain_whois_contact_read + if _schema_enrichment_domain_whois_contact_read is not None: + _schema.city = _schema_enrichment_domain_whois_contact_read.city + _schema.country = _schema_enrichment_domain_whois_contact_read.country + _schema.email = _schema_enrichment_domain_whois_contact_read.email + _schema.fax = _schema_enrichment_domain_whois_contact_read.fax + _schema.name = _schema_enrichment_domain_whois_contact_read.name + _schema.org = _schema_enrichment_domain_whois_contact_read.org + _schema.phone = _schema_enrichment_domain_whois_contact_read.phone + _schema.postal = _schema_enrichment_domain_whois_contact_read.postal + 
_schema.state = _schema_enrichment_domain_whois_contact_read.state + _schema.street = _schema_enrichment_domain_whois_contact_read.street + return + + _schema_enrichment_domain_whois_contact_read = AAZObjectType() + + enrichment_domain_whois_contact_read = _schema_enrichment_domain_whois_contact_read + enrichment_domain_whois_contact_read.city = AAZStrType() + enrichment_domain_whois_contact_read.country = AAZStrType() + enrichment_domain_whois_contact_read.email = AAZStrType() + enrichment_domain_whois_contact_read.fax = AAZStrType() + enrichment_domain_whois_contact_read.name = AAZStrType() + enrichment_domain_whois_contact_read.org = AAZStrType() + enrichment_domain_whois_contact_read.phone = AAZStrType() + enrichment_domain_whois_contact_read.postal = AAZStrType() + enrichment_domain_whois_contact_read.state = AAZStrType() + enrichment_domain_whois_contact_read.street = AAZListType() + + street = _schema_enrichment_domain_whois_contact_read.street + street.Element = AAZStrType() + + _schema.city = _schema_enrichment_domain_whois_contact_read.city + _schema.country = _schema_enrichment_domain_whois_contact_read.country + _schema.email = _schema_enrichment_domain_whois_contact_read.email + _schema.fax = _schema_enrichment_domain_whois_contact_read.fax + _schema.name = _schema_enrichment_domain_whois_contact_read.name + _schema.org = _schema_enrichment_domain_whois_contact_read.org + _schema.phone = _schema_enrichment_domain_whois_contact_read.phone + _schema.postal = _schema_enrichment_domain_whois_contact_read.postal + _schema.state = _schema_enrichment_domain_whois_contact_read.state + _schema.street = _schema_enrichment_domain_whois_contact_read.street + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__cmd_group.py new file mode 100644 index 00000000000..cda7270b3bf --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel enrichment ip-geodata", +) +class __CMDGroup(AAZCommandGroup): + """Manage ip geodata with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__init__.py new file mode 100644 index 00000000000..28d5f355813 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/__init__.py @@ -0,0 +1,12 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._show import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/_show.py new file mode 100644 index 00000000000..6636f7d3a9b --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/enrichment/ip_geodata/_show.py 
@@ -0,0 +1,178 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel enrichment ip-geodata show", + is_experimental=True, +) +class Show(AAZCommand): + """Get geodata for a single IP address + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.securityinsights/enrichment/ip/geodata/", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.ip_address = AAZStrArg( + options=["--ip-address"], + help="IP address (v4 or v6) to be enriched", + required=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IPGeodataGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IPGeodataGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return 
self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "ipAddress", self.ctx.args.ip_address, + required=True, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.asn = AAZStrType() + _schema_on_200.carrier = AAZStrType() + _schema_on_200.city = AAZStrType() + _schema_on_200.city_cf = AAZIntType( + serialized_name="cityCf", + ) + _schema_on_200.continent = AAZStrType() + _schema_on_200.country = AAZStrType() + _schema_on_200.country_cf = AAZIntType( + serialized_name="countryCf", + ) + _schema_on_200.ip_addr = AAZStrType( + serialized_name="ipAddr", + ) + _schema_on_200.ip_routing_type = AAZStrType( + 
serialized_name="ipRoutingType", + ) + _schema_on_200.latitude = AAZStrType() + _schema_on_200.longitude = AAZStrType() + _schema_on_200.organization = AAZStrType() + _schema_on_200.organization_type = AAZStrType( + serialized_name="organizationType", + ) + _schema_on_200.region = AAZStrType() + _schema_on_200.state = AAZStrType() + _schema_on_200.state_cf = AAZIntType( + serialized_name="stateCf", + ) + _schema_on_200.state_code = AAZStrType( + serialized_name="stateCode", + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__cmd_group.py new file mode 100644 index 00000000000..130beedd856 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel entity-query", +) +class __CMDGroup(AAZCommandGroup): + """Manage entity query with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/__init__.py 
@@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_create.py new file mode 100644 index 00000000000..edba2948fc2 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_create.py 
@@ -0,0 +1,407 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the entity query. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.entity_query_id = AAZStrArg( + options=["-n", "--name", "--entity-query-id"], + help="entity query ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "EntityQuery" + + _args_schema = cls._args_schema + _args_schema.activity = AAZObjectArg( + options=["--activity"], + arg_group="EntityQuery", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="EntityQuery", + help="Etag of 
the azure resource", + ) + + activity = cls._args_schema.activity + activity.content = AAZStrArg( + options=["content"], + help="The entity query content to display in timeline", + ) + activity.description = AAZStrArg( + options=["description"], + help="The entity query description", + ) + activity.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this activity is enabled or disabled.", + ) + activity.entities_filter = AAZDictArg( + options=["entities-filter"], + help="The query applied only to entities matching to all filters", + ) + activity.input_entity_type = AAZStrArg( + options=["input-entity-type"], + help="The type of the query's source entity", + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "HuntingBookmark": "HuntingBookmark", "IP": "IP", "IoTDevice": "IoTDevice", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityAlert": "SecurityAlert", "SecurityGroup": "SecurityGroup", "SubmissionMail": "SubmissionMail", "URL": "URL"}, + ) + activity.query_definitions = AAZObjectArg( + options=["query-definitions"], + help="The Activity query definitions", + ) + activity.required_input_fields_sets = AAZListArg( + options=["required-input-fields-sets"], + help="List of the fields of the source entity that are required to run the query", + ) + activity.template_name = AAZStrArg( + options=["template-name"], + help="The template id this activity was created from", + ) + activity.title = AAZStrArg( + options=["title"], + help="The entity query title", + ) + + entities_filter = cls._args_schema.activity.entities_filter + entities_filter.Element = AAZListArg() + + _element = cls._args_schema.activity.entities_filter.Element + _element.Element = AAZStrArg() + + query_definitions = 
cls._args_schema.activity.query_definitions + query_definitions.query = AAZStrArg( + options=["query"], + help="The Activity query to run on a given entity", + ) + + required_input_fields_sets = cls._args_schema.activity.required_input_fields_sets + required_input_fields_sets.Element = AAZListArg() + + _element = cls._args_schema.activity.required_input_fields_sets.Element + _element.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.EntityQueriesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class EntityQueriesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryId", self.ctx.args.entity_query_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + 
**self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Activity", AAZStrType, ".activity", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "Activity") + + disc_activity = _builder.get("{kind:Activity}") + if disc_activity is not None: + disc_activity.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Activity}.properties") + if properties is not None: + properties.set_prop("content", AAZStrType, ".activity.content") + properties.set_prop("description", AAZStrType, ".activity.description") + properties.set_prop("enabled", AAZBoolType, ".activity.enabled") + properties.set_prop("entitiesFilter", AAZDictType, ".activity.entities_filter") + properties.set_prop("inputEntityType", AAZStrType, ".activity.input_entity_type") + properties.set_prop("queryDefinitions", AAZObjectType, ".activity.query_definitions") + properties.set_prop("requiredInputFieldsSets", AAZListType, ".activity.required_input_fields_sets") + properties.set_prop("templateName", AAZStrType, ".activity.template_name") + properties.set_prop("title", AAZStrType, ".activity.title") + + entities_filter = _builder.get("{kind:Activity}.properties.entitiesFilter") + if entities_filter is not None: + entities_filter.set_elements(AAZListType) + + _elements = _builder.get("{kind:Activity}.properties.entitiesFilter{}") + if _elements is not None: + 
_elements.set_elements(AAZStrType, ".") + + query_definitions = _builder.get("{kind:Activity}.properties.queryDefinitions") + if query_definitions is not None: + query_definitions.set_prop("query", AAZStrType, ".query") + + required_input_fields_sets = _builder.get("{kind:Activity}.properties.requiredInputFieldsSets") + if required_input_fields_sets is not None: + required_input_fields_sets.set_elements(AAZListType) + + _elements = _builder.get("{kind:Activity}.properties.requiredInputFieldsSets[]") + if _elements is not None: + _elements.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + 
system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = cls._schema_on_200_201.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.enabled = AAZBoolType() + properties.entities_filter = AAZDictType( + serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.template_name = AAZStrType( + serialized_name="templateName", + ) + properties.title = AAZStrType() + + entities_filter = cls._schema_on_200_201.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = cls._schema_on_200_201.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + + required_input_fields_sets = cls._schema_on_200_201.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = 
cls._schema_on_200_201.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + disc_expansion = cls._schema_on_200_201.discriminate_by("kind", "Expansion") + disc_expansion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "Expansion").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.input_fields = AAZListType( + serialized_name="inputFields", + ) + properties.output_entity_types = AAZListType( + serialized_name="outputEntityTypes", + ) + properties.query_template = AAZStrType( + serialized_name="queryTemplate", + ) + + data_sources = cls._schema_on_200_201.discriminate_by("kind", "Expansion").properties.data_sources + data_sources.Element = AAZStrType() + + input_fields = cls._schema_on_200_201.discriminate_by("kind", "Expansion").properties.input_fields + input_fields.Element = AAZStrType() + + output_entity_types = cls._schema_on_200_201.discriminate_by("kind", "Expansion").properties.output_entity_types + output_entity_types.Element = AAZStrType() + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_delete.py new file mode 100644 index 00000000000..f91ba226a9d --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the entity query. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.entity_query_id = AAZStrArg( + options=["-n", "--name", "--entity-query-id"], + help="entity query ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.EntityQueriesDelete(ctx=self.ctx)() + + class EntityQueriesDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryId", self.ctx.args.entity_query_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_list.py new file mode 100644 index 00000000000..dfe0a277498 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_list.py 
@@ -0,0 +1,294 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query list", + is_experimental=True, +) +class List(AAZCommand): + """Get all entity queries. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.kind = AAZStrArg( + options=["--kind"], + help="The entity query kind we want to fetch", + enum={"Activity": "Activity", "Expansion": "Expansion"}, + ) + return cls._args_schema + + def _execute_operations(self): + self.EntityQueriesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = 
self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class EntityQueriesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "kind", self.ctx.args.kind, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = 
cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.enabled = AAZBoolType() + properties.entities_filter = AAZDictType( + 
serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.template_name = AAZStrType( + serialized_name="templateName", + ) + properties.title = AAZStrType() + + entities_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + + required_input_fields_sets = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + disc_expansion = cls._schema_on_200.value.Element.discriminate_by("kind", "Expansion") + disc_expansion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Expansion").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.input_fields = AAZListType( + serialized_name="inputFields", + ) + 
properties.output_entity_types = AAZListType( + serialized_name="outputEntityTypes", + ) + properties.query_template = AAZStrType( + serialized_name="queryTemplate", + ) + + data_sources = cls._schema_on_200.value.Element.discriminate_by("kind", "Expansion").properties.data_sources + data_sources.Element = AAZStrType() + + input_fields = cls._schema_on_200.value.Element.discriminate_by("kind", "Expansion").properties.input_fields + input_fields.Element = AAZStrType() + + output_entity_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Expansion").properties.output_entity_types + output_entity_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_show.py new file mode 100644 index 00000000000..5ed9dc148f7 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_show.py 
@@ -0,0 +1,285 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an entity query. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.entity_query_id = AAZStrArg( + options=["-n", "--name", "--entity-query-id"], + help="entity query ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.EntityQueriesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class 
EntityQueriesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryId", self.ctx.args.entity_query_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = 
AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = cls._schema_on_200.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.enabled = AAZBoolType() + properties.entities_filter = AAZDictType( + serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + 
properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.template_name = AAZStrType( + serialized_name="templateName", + ) + properties.title = AAZStrType() + + entities_filter = cls._schema_on_200.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = cls._schema_on_200.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = cls._schema_on_200.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + + required_input_fields_sets = cls._schema_on_200.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = cls._schema_on_200.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + disc_expansion = cls._schema_on_200.discriminate_by("kind", "Expansion") + disc_expansion.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Expansion").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.input_fields = AAZListType( + serialized_name="inputFields", + ) + properties.output_entity_types = AAZListType( + serialized_name="outputEntityTypes", + ) + properties.query_template = AAZStrType( + serialized_name="queryTemplate", + ) + + data_sources = cls._schema_on_200.discriminate_by("kind", "Expansion").properties.data_sources + data_sources.Element = AAZStrType() + + input_fields = cls._schema_on_200.discriminate_by("kind", "Expansion").properties.input_fields + input_fields.Element = AAZStrType() + + 
output_entity_types = cls._schema_on_200.discriminate_by("kind", "Expansion").properties.output_entity_types + output_entity_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_update.py new file mode 100644 index 00000000000..8999fb986c5 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/_update.py 
@@ -0,0 +1,588 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the entity query. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityqueries/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.entity_query_id = AAZStrArg( + options=["-n", "--name", "--entity-query-id"], + help="entity query ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "EntityQuery" + + _args_schema = cls._args_schema + _args_schema.activity = AAZObjectArg( + options=["--activity"], + arg_group="EntityQuery", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + 
arg_group="EntityQuery", + help="Etag of the azure resource", + nullable=True, + ) + + activity = cls._args_schema.activity + activity.content = AAZStrArg( + options=["content"], + help="The entity query content to display in timeline", + nullable=True, + ) + activity.description = AAZStrArg( + options=["description"], + help="The entity query description", + nullable=True, + ) + activity.enabled = AAZBoolArg( + options=["enabled"], + help="Determines whether this activity is enabled or disabled.", + nullable=True, + ) + activity.entities_filter = AAZDictArg( + options=["entities-filter"], + help="The query applied only to entities matching to all filters", + nullable=True, + ) + activity.input_entity_type = AAZStrArg( + options=["input-entity-type"], + help="The type of the query's source entity", + nullable=True, + enum={"Account": "Account", "AzureResource": "AzureResource", "CloudApplication": "CloudApplication", "DNS": "DNS", "File": "File", "FileHash": "FileHash", "Host": "Host", "HuntingBookmark": "HuntingBookmark", "IP": "IP", "IoTDevice": "IoTDevice", "MailCluster": "MailCluster", "MailMessage": "MailMessage", "Mailbox": "Mailbox", "Malware": "Malware", "Process": "Process", "RegistryKey": "RegistryKey", "RegistryValue": "RegistryValue", "SecurityAlert": "SecurityAlert", "SecurityGroup": "SecurityGroup", "SubmissionMail": "SubmissionMail", "URL": "URL"}, + ) + activity.query_definitions = AAZObjectArg( + options=["query-definitions"], + help="The Activity query definitions", + nullable=True, + ) + activity.required_input_fields_sets = AAZListArg( + options=["required-input-fields-sets"], + help="List of the fields of the source entity that are required to run the query", + nullable=True, + ) + activity.template_name = AAZStrArg( + options=["template-name"], + help="The template id this activity was created from", + nullable=True, + ) + activity.title = AAZStrArg( + options=["title"], + help="The entity query title", + nullable=True, + ) + + entities_filter 
= cls._args_schema.activity.entities_filter + entities_filter.Element = AAZListArg() + + _element = cls._args_schema.activity.entities_filter.Element + _element.Element = AAZStrArg() + + query_definitions = cls._args_schema.activity.query_definitions + query_definitions.query = AAZStrArg( + options=["query"], + help="The Activity query to run on a given entity", + nullable=True, + ) + + required_input_fields_sets = cls._args_schema.activity.required_input_fields_sets + required_input_fields_sets.Element = AAZListArg() + + _element = cls._args_schema.activity.required_input_fields_sets.Element + _element.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.EntityQueriesGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.EntityQueriesCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class EntityQueriesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryId", self.ctx.args.entity_query_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", 
self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_entity_query_read(cls._schema_on_200) + + return cls._schema_on_200 + + class EntityQueriesCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryId", self.ctx.args.entity_query_id, + required=True, + ), + 
**self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_entity_query_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "Activity", AAZStrType, ".activity", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "Activity") + + disc_activity = _builder.get("{kind:Activity}") + if disc_activity is not None: + 
disc_activity.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Activity}.properties") + if properties is not None: + properties.set_prop("content", AAZStrType, ".activity.content") + properties.set_prop("description", AAZStrType, ".activity.description") + properties.set_prop("enabled", AAZBoolType, ".activity.enabled") + properties.set_prop("entitiesFilter", AAZDictType, ".activity.entities_filter") + properties.set_prop("inputEntityType", AAZStrType, ".activity.input_entity_type") + properties.set_prop("queryDefinitions", AAZObjectType, ".activity.query_definitions") + properties.set_prop("requiredInputFieldsSets", AAZListType, ".activity.required_input_fields_sets") + properties.set_prop("templateName", AAZStrType, ".activity.template_name") + properties.set_prop("title", AAZStrType, ".activity.title") + + entities_filter = _builder.get("{kind:Activity}.properties.entitiesFilter") + if entities_filter is not None: + entities_filter.set_elements(AAZListType) + + _elements = _builder.get("{kind:Activity}.properties.entitiesFilter{}") + if _elements is not None: + _elements.set_elements(AAZStrType, ".") + + query_definitions = _builder.get("{kind:Activity}.properties.queryDefinitions") + if query_definitions is not None: + query_definitions.set_prop("query", AAZStrType, ".query") + + required_input_fields_sets = _builder.get("{kind:Activity}.properties.requiredInputFieldsSets") + if required_input_fields_sets is not None: + required_input_fields_sets.set_elements(AAZListType) + + _elements = _builder.get("{kind:Activity}.properties.requiredInputFieldsSets[]") + if _elements is not None: + _elements.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_entity_query_read = 
None + + +def _build_schema_entity_query_read(_schema): + global _schema_entity_query_read + if _schema_entity_query_read is not None: + _schema.etag = _schema_entity_query_read.etag + _schema.id = _schema_entity_query_read.id + _schema.kind = _schema_entity_query_read.kind + _schema.name = _schema_entity_query_read.name + _schema.system_data = _schema_entity_query_read.system_data + _schema.type = _schema_entity_query_read.type + _schema.discriminate_by( + "kind", + "Activity", + _schema_entity_query_read.discriminate_by( + "kind", + "Activity", + ) + ) + _schema.discriminate_by( + "kind", + "Expansion", + _schema_entity_query_read.discriminate_by( + "kind", + "Expansion", + ) + ) + return + + _schema_entity_query_read = AAZObjectType() + + entity_query_read = _schema_entity_query_read + entity_query_read.etag = AAZStrType() + entity_query_read.id = AAZStrType( + flags={"read_only": True}, + ) + entity_query_read.kind = AAZStrType( + flags={"required": True}, + ) + entity_query_read.name = AAZStrType( + flags={"read_only": True}, + ) + entity_query_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + entity_query_read.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = _schema_entity_query_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = 
_schema_entity_query_read.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_entity_query_read.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.enabled = AAZBoolType() + properties.entities_filter = AAZDictType( + serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.template_name = AAZStrType( + serialized_name="templateName", + ) + properties.title = AAZStrType() + + entities_filter = _schema_entity_query_read.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = _schema_entity_query_read.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = _schema_entity_query_read.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + + required_input_fields_sets = _schema_entity_query_read.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = _schema_entity_query_read.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + disc_expansion = _schema_entity_query_read.discriminate_by("kind", "Expansion") + disc_expansion.properties = AAZObjectType( + 
flags={"client_flatten": True}, + ) + + properties = _schema_entity_query_read.discriminate_by("kind", "Expansion").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.input_fields = AAZListType( + serialized_name="inputFields", + ) + properties.output_entity_types = AAZListType( + serialized_name="outputEntityTypes", + ) + properties.query_template = AAZStrType( + serialized_name="queryTemplate", + ) + + data_sources = _schema_entity_query_read.discriminate_by("kind", "Expansion").properties.data_sources + data_sources.Element = AAZStrType() + + input_fields = _schema_entity_query_read.discriminate_by("kind", "Expansion").properties.input_fields + input_fields.Element = AAZStrType() + + output_entity_types = _schema_entity_query_read.discriminate_by("kind", "Expansion").properties.output_entity_types + output_entity_types.Element = AAZStrType() + + _schema.etag = _schema_entity_query_read.etag + _schema.id = _schema_entity_query_read.id + _schema.kind = _schema_entity_query_read.kind + _schema.name = _schema_entity_query_read.name + _schema.system_data = _schema_entity_query_read.system_data + _schema.type = _schema_entity_query_read.type + _schema.discriminate_by( + "kind", + "Activity", + _schema_entity_query_read.discriminate_by( + "kind", + "Activity", + ) + ) + _schema.discriminate_by( + "kind", + "Expansion", + _schema_entity_query_read.discriminate_by( + "kind", + "Expansion", + ) + ) + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__cmd_group.py new file mode 100644 index 00000000000..91049c1fe8f --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel entity-query template", +) +class __CMDGroup(AAZCommandGroup): + """Manage entity query template with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__init__.py new file mode 100644 index 00000000000..2df85698253 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/__init__.py @@ -0,0 +1,13 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._list import * +from ._show import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_list.py new file mode 100644 index 00000000000..1bb9910b114 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_list.py 
@@ -0,0 +1,261 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query template list", + is_experimental=True, +) +class List(AAZCommand): + """Get all entity query templates. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityquerytemplates", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.kind = AAZStrArg( + options=["--kind"], + help="The entity template query kind we want to fetch", + enum={"Activity": "Activity"}, + ) + return cls._args_schema + + def _execute_operations(self): + self.EntityQueryTemplatesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = 
self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class EntityQueryTemplatesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueryTemplates", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "kind", self.ctx.args.kind, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + 
_schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.data_types = AAZListType( + serialized_name="dataTypes", + ) + properties.description = AAZStrType() + properties.entities_filter = AAZDictType( + serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", 
+ ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.title = AAZStrType() + + data_types = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.data_types + data_types.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.data_types.Element + _element.data_type = AAZStrType( + serialized_name="dataType", + ) + + entities_filter = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + query_definitions.summarize_by = AAZStrType( + serialized_name="summarizeBy", + ) + + required_input_fields_sets = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_show.py new file mode 100644 index 00000000000..de178a5a286 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/entity_query/template/_show.py 
@@ -0,0 +1,252 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel entity-query template show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an entity query. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/entityquerytemplates/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.entity_query_template_id = AAZStrArg( + options=["-n", "--name", "--entity-query-template-id"], + help="entity query template ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.EntityQueryTemplatesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + 
return result + + class EntityQueryTemplatesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueryTemplates/{entityQueryTemplateId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "entityQueryTemplateId", self.ctx.args.entity_query_template_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + 
_schema_on_200 = cls._schema_on_200 + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_activity = cls._schema_on_200.discriminate_by("kind", "Activity") + disc_activity.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Activity").properties + properties.content = AAZStrType() + properties.data_types = AAZListType( + serialized_name="dataTypes", + ) + properties.description = AAZStrType() + properties.entities_filter = AAZDictType( + serialized_name="entitiesFilter", + ) + properties.input_entity_type = AAZStrType( + serialized_name="inputEntityType", + ) + properties.query_definitions = AAZObjectType( + serialized_name="queryDefinitions", + ) + properties.required_input_fields_sets = AAZListType( + serialized_name="requiredInputFieldsSets", + ) + properties.title = AAZStrType() + + data_types = cls._schema_on_200.discriminate_by("kind", 
"Activity").properties.data_types + data_types.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "Activity").properties.data_types.Element + _element.data_type = AAZStrType( + serialized_name="dataType", + ) + + entities_filter = cls._schema_on_200.discriminate_by("kind", "Activity").properties.entities_filter + entities_filter.Element = AAZListType() + + _element = cls._schema_on_200.discriminate_by("kind", "Activity").properties.entities_filter.Element + _element.Element = AAZStrType() + + query_definitions = cls._schema_on_200.discriminate_by("kind", "Activity").properties.query_definitions + query_definitions.query = AAZStrType() + query_definitions.summarize_by = AAZStrType( + serialized_name="summarizeBy", + ) + + required_input_fields_sets = cls._schema_on_200.discriminate_by("kind", "Activity").properties.required_input_fields_sets + required_input_fields_sets.Element = AAZListType() + + _element = cls._schema_on_200.discriminate_by("kind", "Activity").properties.required_input_fields_sets.Element + _element.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__cmd_group.py new file mode 100644 index 00000000000..0068f32f032 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel incident", +) +class __CMDGroup(AAZCommandGroup): + """Manage incident with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__init__.py new file mode 100644 index 00000000000..81156f1fe9e --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/__init__.py @@ -0,0 +1,21 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._create_team import * +from ._delete import * +from ._list import * +from ._list_alert import * +from ._list_bookmark import * +from ._list_entity import * +from ._run_playbook import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create.py new file mode 100644 index 00000000000..767da7c83b2 --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create.py 
@@ -0,0 +1,520 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the incident. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["-n", "--name", "--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Incident" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Incident", + help="Etag of the azure resource", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.classification = 
AAZStrArg( + options=["--classification"], + arg_group="Properties", + help="The reason the incident was closed", + enum={"BenignPositive": "BenignPositive", "FalsePositive": "FalsePositive", "TruePositive": "TruePositive", "Undetermined": "Undetermined"}, + ) + _args_schema.classification_comment = AAZStrArg( + options=["--classification-comment"], + arg_group="Properties", + help="Describes the reason the incident was closed", + ) + _args_schema.classification_reason = AAZStrArg( + options=["--classification-reason"], + arg_group="Properties", + help="The classification reason the incident was closed with", + enum={"InaccurateData": "InaccurateData", "IncorrectAlertLogic": "IncorrectAlertLogic", "SuspiciousActivity": "SuspiciousActivity", "SuspiciousButExpected": "SuspiciousButExpected"}, + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="The description of the incident", + ) + _args_schema.first_activity_time_utc = AAZStrArg( + options=["--first-activity-time-utc"], + arg_group="Properties", + help="The time of the first activity in the incident", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this incident", + ) + _args_schema.last_activity_time_utc = AAZStrArg( + options=["--last-activity-time-utc"], + arg_group="Properties", + help="The time of the last activity in the incident", + ) + _args_schema.owner = AAZObjectArg( + options=["--owner"], + arg_group="Properties", + help="Describes a user that the incident is assigned to", + ) + _args_schema.provider_incident_id = AAZStrArg( + options=["--provider-incident-id"], + arg_group="Properties", + help="The incident ID assigned by the incident provider", + ) + _args_schema.provider_name = AAZStrArg( + options=["--provider-name"], + arg_group="Properties", + help="The name of the source provider that generated the incident", + ) + _args_schema.severity = AAZStrArg( + 
options=["--severity"], + arg_group="Properties", + help="The severity of the incident", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + _args_schema.status = AAZStrArg( + options=["--status"], + arg_group="Properties", + help="The status of the incident", + enum={"Active": "Active", "Closed": "Closed", "New": "New"}, + ) + _args_schema.title = AAZStrArg( + options=["--title"], + arg_group="Properties", + help="The title of the incident", + ) + + labels = cls._args_schema.labels + labels.Element = AAZObjectArg() + + _element = cls._args_schema.labels.Element + _element.label_name = AAZStrArg( + options=["label-name"], + help="The name of the label", + required=True, + ) + + owner = cls._args_schema.owner + owner.assigned_to = AAZStrArg( + options=["assigned-to"], + help="The name of the user the incident is assigned to.", + ) + owner.email = AAZStrArg( + options=["email"], + help="The email of the user the incident is assigned to.", + ) + owner.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user the incident is assigned to.", + ) + owner.owner_type = AAZStrArg( + options=["owner-type"], + help="The type of the owner the incident is assigned to.", + enum={"Group": "Group", "Unknown": "Unknown", "User": "User"}, + ) + owner.user_principal_name = AAZStrArg( + options=["user-principal-name"], + help="The user principal name of the user the incident is assigned to.", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 
201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("classification", AAZStrType, ".classification") + properties.set_prop("classificationComment", AAZStrType, ".classification_comment") + 
properties.set_prop("classificationReason", AAZStrType, ".classification_reason") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("firstActivityTimeUtc", AAZStrType, ".first_activity_time_utc") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("lastActivityTimeUtc", AAZStrType, ".last_activity_time_utc") + properties.set_prop("owner", AAZObjectType, ".owner") + properties.set_prop("providerIncidentId", AAZStrType, ".provider_incident_id") + properties.set_prop("providerName", AAZStrType, ".provider_name") + properties.set_prop("severity", AAZStrType, ".severity", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("status", AAZStrType, ".status", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("title", AAZStrType, ".title", typ_kwargs={"flags": {"required": True}}) + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.labels[]") + if _elements is not None: + _elements.set_prop("labelName", AAZStrType, ".label_name", typ_kwargs={"flags": {"required": True}}) + + owner = _builder.get(".properties.owner") + if owner is not None: + owner.set_prop("assignedTo", AAZStrType, ".assigned_to") + owner.set_prop("email", AAZStrType, ".email") + owner.set_prop("objectId", AAZStrType, ".object_id") + owner.set_prop("ownerType", AAZStrType, ".owner_type") + owner.set_prop("userPrincipalName", AAZStrType, ".user_principal_name") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = 
cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.additional_data = AAZObjectType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.classification = AAZStrType() + properties.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + properties.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.first_activity_time_utc = AAZStrType( + serialized_name="firstActivityTimeUtc", + ) + properties.incident_number = AAZIntType( + serialized_name="incidentNumber", + flags={"read_only": True}, + ) + properties.incident_url = AAZStrType( + serialized_name="incidentUrl", + flags={"read_only": True}, + ) + properties.labels = AAZListType() + properties.last_activity_time_utc = AAZStrType( + serialized_name="lastActivityTimeUtc", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.owner = AAZObjectType() + properties.provider_incident_id = AAZStrType( + serialized_name="providerIncidentId", + ) + properties.provider_name = AAZStrType( + serialized_name="providerName", + ) + properties.related_analytic_rule_ids = AAZListType( + serialized_name="relatedAnalyticRuleIds", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + 
flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.team_information = AAZObjectType( + serialized_name="teamInformation", + ) + properties.title = AAZStrType( + flags={"required": True}, + ) + + additional_data = cls._schema_on_200_201.properties.additional_data + additional_data.alert_product_names = AAZListType( + serialized_name="alertProductNames", + flags={"read_only": True}, + ) + additional_data.alerts_count = AAZIntType( + serialized_name="alertsCount", + flags={"read_only": True}, + ) + additional_data.bookmarks_count = AAZIntType( + serialized_name="bookmarksCount", + flags={"read_only": True}, + ) + additional_data.comments_count = AAZIntType( + serialized_name="commentsCount", + flags={"read_only": True}, + ) + additional_data.provider_incident_url = AAZStrType( + serialized_name="providerIncidentUrl", + flags={"read_only": True}, + ) + additional_data.tactics = AAZListType( + flags={"read_only": True}, + ) + additional_data.techniques = AAZListType( + flags={"read_only": True}, + ) + + alert_product_names = cls._schema_on_200_201.properties.additional_data.alert_product_names + alert_product_names.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200_201.properties.additional_data.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200_201.properties.additional_data.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + labels = cls._schema_on_200_201.properties.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = cls._schema_on_200_201.properties.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + 
owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + related_analytic_rule_ids = cls._schema_on_200_201.properties.related_analytic_rule_ids + related_analytic_rule_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + team_information = cls._schema_on_200_201.properties.team_information + team_information.description = AAZStrType( + flags={"read_only": True}, + ) + team_information.name = AAZStrType( + flags={"read_only": True}, + ) + team_information.primary_channel_url = AAZStrType( + serialized_name="primaryChannelUrl", + flags={"read_only": True}, + ) + team_information.team_creation_time_utc = AAZStrType( + serialized_name="teamCreationTimeUtc", + flags={"read_only": True}, + ) + team_information.team_id = AAZStrType( + serialized_name="teamId", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create_team.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create_team.py new file mode 100644 index 00000000000..5042a9c3f5e --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_create_team.py 
@@ -0,0 +1,231 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident create-team", + is_experimental=True, +) +class CreateTeam(AAZCommand): + """Create a Microsoft team to investigate the incident by sharing information and insights between participants. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/createteam", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "TeamProperties" + + _args_schema = cls._args_schema + _args_schema.group_ids = AAZListArg( + options=["--group-ids"], + arg_group="TeamProperties", + help="List of group IDs to add their members to the team", + ) + 
_args_schema.member_ids = AAZListArg( + options=["--member-ids"], + arg_group="TeamProperties", + help="List of member IDs to add to the team", + ) + _args_schema.team_description = AAZStrArg( + options=["--team-description"], + arg_group="TeamProperties", + help="The description of the team", + ) + _args_schema.team_name = AAZStrArg( + options=["--team-name"], + arg_group="TeamProperties", + help="The name of the team", + required=True, + ) + + group_ids = cls._args_schema.group_ids + group_ids.Element = AAZStrArg() + + member_ids = cls._args_schema.member_ids + member_ids.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.IncidentsCreateTeam(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsCreateTeam(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/createTeam", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + 
**self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("groupIds", AAZListType, ".group_ids") + _builder.set_prop("memberIds", AAZListType, ".member_ids") + _builder.set_prop("teamDescription", AAZStrType, ".team_description") + _builder.set_prop("teamName", AAZStrType, ".team_name", typ_kwargs={"flags": {"required": True}}) + + group_ids = _builder.get(".groupIds") + if group_ids is not None: + group_ids.set_elements(AAZStrType, ".") + + member_ids = _builder.get(".memberIds") + if member_ids is not None: + member_ids.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.description = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.primary_channel_url = AAZStrType( + serialized_name="primaryChannelUrl", + flags={"read_only": True}, + ) + _schema_on_200.team_creation_time_utc 
= AAZStrType( + serialized_name="teamCreationTimeUtc", + flags={"read_only": True}, + ) + _schema_on_200.team_id = AAZStrType( + serialized_name="teamId", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["CreateTeam"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_delete.py new file mode 100644 index 00000000000..b2d64dac1bd --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the incident. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["-n", "--name", "--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsDelete(ctx=self.ctx)() + + class IncidentsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = 
self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list.py new file mode 100644 index 00000000000..3ee786e78ab --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list.py 
@@ -0,0 +1,387 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident list", + is_experimental=True, +) +class List(AAZCommand): + """Get all incidents. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. Optional.", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. 
If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class IncidentsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + "$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( 
+ "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.additional_data = AAZObjectType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.classification = AAZStrType() + properties.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + properties.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + 
properties.description = AAZStrType() + properties.first_activity_time_utc = AAZStrType( + serialized_name="firstActivityTimeUtc", + ) + properties.incident_number = AAZIntType( + serialized_name="incidentNumber", + flags={"read_only": True}, + ) + properties.incident_url = AAZStrType( + serialized_name="incidentUrl", + flags={"read_only": True}, + ) + properties.labels = AAZListType() + properties.last_activity_time_utc = AAZStrType( + serialized_name="lastActivityTimeUtc", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.owner = AAZObjectType() + properties.provider_incident_id = AAZStrType( + serialized_name="providerIncidentId", + ) + properties.provider_name = AAZStrType( + serialized_name="providerName", + ) + properties.related_analytic_rule_ids = AAZListType( + serialized_name="relatedAnalyticRuleIds", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.team_information = AAZObjectType( + serialized_name="teamInformation", + ) + properties.title = AAZStrType( + flags={"required": True}, + ) + + additional_data = cls._schema_on_200.value.Element.properties.additional_data + additional_data.alert_product_names = AAZListType( + serialized_name="alertProductNames", + flags={"read_only": True}, + ) + additional_data.alerts_count = AAZIntType( + serialized_name="alertsCount", + flags={"read_only": True}, + ) + additional_data.bookmarks_count = AAZIntType( + serialized_name="bookmarksCount", + flags={"read_only": True}, + ) + additional_data.comments_count = AAZIntType( + serialized_name="commentsCount", + flags={"read_only": True}, + ) + additional_data.provider_incident_url = AAZStrType( + serialized_name="providerIncidentUrl", + flags={"read_only": True}, + ) + additional_data.tactics = AAZListType( + flags={"read_only": True}, + ) + 
additional_data.techniques = AAZListType( + flags={"read_only": True}, + ) + + alert_product_names = cls._schema_on_200.value.Element.properties.additional_data.alert_product_names + alert_product_names.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.value.Element.properties.additional_data.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.value.Element.properties.additional_data.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + labels = cls._schema_on_200.value.Element.properties.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = cls._schema_on_200.value.Element.properties.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + related_analytic_rule_ids = cls._schema_on_200.value.Element.properties.related_analytic_rule_ids + related_analytic_rule_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + team_information = cls._schema_on_200.value.Element.properties.team_information + team_information.description = AAZStrType( + flags={"read_only": True}, + ) + team_information.name = AAZStrType( + flags={"read_only": True}, + ) + team_information.primary_channel_url = AAZStrType( + serialized_name="primaryChannelUrl", + flags={"read_only": True}, + ) + team_information.team_creation_time_utc = AAZStrType( + serialized_name="teamCreationTimeUtc", + flags={"read_only": True}, + ) + 
team_information.team_id = AAZStrType( + serialized_name="teamId", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_alert.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_alert.py new file mode 100644 index 00000000000..d31a1e1eece --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_alert.py 
@@ -0,0 +1,333 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident list-alert", + is_experimental=True, +) +class ListAlert(AAZCommand): + """Get all incident alerts. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/alerts", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsListAlerts(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsListAlerts(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + 
value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.alert_display_name = AAZStrType( + serialized_name="alertDisplayName", + flags={"read_only": True}, + ) + properties.alert_link = AAZStrType( + serialized_name="alertLink", + flags={"read_only": True}, + ) + properties.alert_type = AAZStrType( + serialized_name="alertType", + flags={"read_only": True}, + ) + properties.compromised_entity = AAZStrType( + serialized_name="compromisedEntity", + flags={"read_only": True}, + ) + properties.confidence_level = AAZStrType( + serialized_name="confidenceLevel", + flags={"read_only": True}, + ) + properties.confidence_reasons = AAZListType( + serialized_name="confidenceReasons", + flags={"read_only": True}, + ) + properties.confidence_score = AAZFloatType( + serialized_name="confidenceScore", + flags={"read_only": True}, + ) + properties.confidence_score_status = AAZStrType( + serialized_name="confidenceScoreStatus", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.end_time_utc = AAZStrType( + serialized_name="endTimeUtc", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.intent = AAZStrType( + flags={"read_only": True}, + ) + properties.processing_end_time = AAZStrType( 
+ serialized_name="processingEndTime", + flags={"read_only": True}, + ) + properties.product_component_name = AAZStrType( + serialized_name="productComponentName", + flags={"read_only": True}, + ) + properties.product_name = AAZStrType( + serialized_name="productName", + flags={"read_only": True}, + ) + properties.product_version = AAZStrType( + serialized_name="productVersion", + flags={"read_only": True}, + ) + properties.provider_alert_id = AAZStrType( + serialized_name="providerAlertId", + flags={"read_only": True}, + ) + properties.remediation_steps = AAZListType( + serialized_name="remediationSteps", + flags={"read_only": True}, + ) + properties.severity = AAZStrType() + properties.start_time_utc = AAZStrType( + serialized_name="startTimeUtc", + flags={"read_only": True}, + ) + properties.status = AAZStrType( + flags={"read_only": True}, + ) + properties.system_alert_id = AAZStrType( + serialized_name="systemAlertId", + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.time_generated = AAZStrType( + serialized_name="timeGenerated", + flags={"read_only": True}, + ) + properties.vendor_name = AAZStrType( + serialized_name="vendorName", + flags={"read_only": True}, + ) + + confidence_reasons = cls._schema_on_200.value.Element.properties.confidence_reasons + confidence_reasons.Element = AAZObjectType( + flags={"read_only": True}, + ) + + _element = cls._schema_on_200.value.Element.properties.confidence_reasons.Element + _element.reason = AAZStrType( + flags={"read_only": True}, + ) + _element.reason_type = AAZStrType( + serialized_name="reasonType", + flags={"read_only": True}, + ) + + remediation_steps = cls._schema_on_200.value.Element.properties.remediation_steps + remediation_steps.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.value.Element.properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + system_data = 
cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["ListAlert"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_bookmark.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_bookmark.py new file mode 100644 index 00000000000..5136451fdcc --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_bookmark.py 
@@ -0,0 +1,291 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident list-bookmark", + is_experimental=True, +) +class ListBookmark(AAZCommand): + """Get all incident bookmarks. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/bookmarks", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsListBookmarks(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsListBookmarks(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" 
+ + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = 
cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + incident_info = cls._schema_on_200.value.Element.properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = 
cls._schema_on_200.value.Element.properties.labels + labels.Element = AAZStrType() + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["ListBookmark"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_entity.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_entity.py new file mode 100644 index 00000000000..d211daab8bc --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_list_entity.py 
@@ -0,0 +1,1343 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident list-entity", + is_experimental=True, +) +class ListEntity(AAZCommand): + """Get all incident related entities. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/entities", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsListEntities(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsListEntities(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" 
+ + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.entities = AAZListType() + _schema_on_200.meta_data = AAZListType( + 
serialized_name="metaData", + ) + + entities = cls._schema_on_200.entities + entities.Element = AAZObjectType() + + _element = cls._schema_on_200.entities.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.entities.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_account = cls._schema_on_200.entities.Element.discriminate_by("kind", "Account") + disc_account.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Account").properties + properties.aad_tenant_id = AAZStrType( + serialized_name="aadTenantId", + flags={"read_only": True}, + ) + properties.aad_user_id = AAZStrType( + serialized_name="aadUserId", + flags={"read_only": True}, + ) + properties.account_name = AAZStrType( + serialized_name="accountName", + flags={"read_only": True}, + ) + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + 
serialized_name="displayName", + flags={"read_only": True}, + ) + properties.dns_domain = AAZStrType( + serialized_name="dnsDomain", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + properties.is_domain_joined = AAZBoolType( + serialized_name="isDomainJoined", + flags={"read_only": True}, + ) + properties.nt_domain = AAZStrType( + serialized_name="ntDomain", + flags={"read_only": True}, + ) + properties.object_guid = AAZStrType( + serialized_name="objectGuid", + flags={"read_only": True}, + ) + properties.puid = AAZStrType( + flags={"read_only": True}, + ) + properties.sid = AAZStrType( + flags={"read_only": True}, + ) + properties.upn_suffix = AAZStrType( + serialized_name="upnSuffix", + flags={"read_only": True}, + ) + + disc_azure_resource = cls._schema_on_200.entities.Element.discriminate_by("kind", "AzureResource") + disc_azure_resource.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "AzureResource").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.resource_id = AAZStrType( + serialized_name="resourceId", + flags={"read_only": True}, + ) + properties.subscription_id = AAZStrType( + serialized_name="subscriptionId", + flags={"read_only": True}, + ) + + disc_bookmark = cls._schema_on_200.entities.Element.discriminate_by("kind", "Bookmark") + disc_bookmark.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Bookmark").properties + properties.additional_data = AAZDictType( + 
serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.event_time = AAZStrType( + serialized_name="eventTime", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.incident_info = AAZObjectType( + serialized_name="incidentInfo", + ) + properties.labels = AAZListType() + properties.notes = AAZStrType() + properties.query = AAZStrType( + flags={"required": True}, + ) + properties.query_result = AAZStrType( + serialized_name="queryResult", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + + incident_info = cls._schema_on_200.entities.Element.discriminate_by("kind", "Bookmark").properties.incident_info + incident_info.incident_id = AAZStrType( + serialized_name="incidentId", + ) + incident_info.relation_name = AAZStrType( + serialized_name="relationName", + ) + incident_info.severity = AAZStrType() + incident_info.title = AAZStrType() + + labels = cls._schema_on_200.entities.Element.discriminate_by("kind", "Bookmark").properties.labels + labels.Element = AAZStrType() + + disc_cloud_application = cls._schema_on_200.entities.Element.discriminate_by("kind", "CloudApplication") + disc_cloud_application.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "CloudApplication").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.app_id = AAZIntType( + serialized_name="appId", + flags={"read_only": True}, + ) + 
properties.app_name = AAZStrType( + serialized_name="appName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.instance_name = AAZStrType( + serialized_name="instanceName", + flags={"read_only": True}, + ) + + disc_dns_resolution = cls._schema_on_200.entities.Element.discriminate_by("kind", "DnsResolution") + disc_dns_resolution.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "DnsResolution").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.dns_server_ip_entity_id = AAZStrType( + serialized_name="dnsServerIpEntityId", + flags={"read_only": True}, + ) + properties.domain_name = AAZStrType( + serialized_name="domainName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_ip_address_entity_id = AAZStrType( + serialized_name="hostIpAddressEntityId", + flags={"read_only": True}, + ) + properties.ip_address_entity_ids = AAZListType( + serialized_name="ipAddressEntityIds", + flags={"read_only": True}, + ) + + ip_address_entity_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "DnsResolution").properties.ip_address_entity_ids + ip_address_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_file = cls._schema_on_200.entities.Element.discriminate_by("kind", "File") + disc_file.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "File").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.directory = AAZStrType( + flags={"read_only": True}, + ) + 
properties.file_hash_entity_ids = AAZListType( + serialized_name="fileHashEntityIds", + flags={"read_only": True}, + ) + properties.file_name = AAZStrType( + serialized_name="fileName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + + file_hash_entity_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "File").properties.file_hash_entity_ids + file_hash_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_file_hash = cls._schema_on_200.entities.Element.discriminate_by("kind", "FileHash") + disc_file_hash.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "FileHash").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.algorithm = AAZStrType( + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.hash_value = AAZStrType( + serialized_name="hashValue", + flags={"read_only": True}, + ) + + disc_host = cls._schema_on_200.entities.Element.discriminate_by("kind", "Host") + disc_host.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Host").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.azure_id = AAZStrType( + serialized_name="azureID", + flags={"read_only": True}, + ) + properties.dns_domain = AAZStrType( + serialized_name="dnsDomain", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + 
properties.host_name = AAZStrType( + serialized_name="hostName", + flags={"read_only": True}, + ) + properties.is_domain_joined = AAZBoolType( + serialized_name="isDomainJoined", + flags={"read_only": True}, + ) + properties.net_bios_name = AAZStrType( + serialized_name="netBiosName", + flags={"read_only": True}, + ) + properties.nt_domain = AAZStrType( + serialized_name="ntDomain", + flags={"read_only": True}, + ) + properties.oms_agent_id = AAZStrType( + serialized_name="omsAgentID", + flags={"read_only": True}, + ) + properties.os_family = AAZStrType( + serialized_name="osFamily", + ) + properties.os_version = AAZStrType( + serialized_name="osVersion", + flags={"read_only": True}, + ) + + disc_io_t_device = cls._schema_on_200.entities.Element.discriminate_by("kind", "IoTDevice") + disc_io_t_device.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "IoTDevice").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.device_id = AAZStrType( + serialized_name="deviceId", + flags={"read_only": True}, + ) + properties.device_name = AAZStrType( + serialized_name="deviceName", + flags={"read_only": True}, + ) + properties.device_type = AAZStrType( + serialized_name="deviceType", + flags={"read_only": True}, + ) + properties.edge_id = AAZStrType( + serialized_name="edgeId", + flags={"read_only": True}, + ) + properties.firmware_version = AAZStrType( + serialized_name="firmwareVersion", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + properties.iot_hub_entity_id = AAZStrType( + serialized_name="iotHubEntityId", + flags={"read_only": True}, + ) + properties.iot_security_agent_id = AAZStrType( + 
serialized_name="iotSecurityAgentId", + flags={"read_only": True}, + ) + properties.ip_address_entity_id = AAZStrType( + serialized_name="ipAddressEntityId", + flags={"read_only": True}, + ) + properties.mac_address = AAZStrType( + serialized_name="macAddress", + flags={"read_only": True}, + ) + properties.model = AAZStrType( + flags={"read_only": True}, + ) + properties.operating_system = AAZStrType( + serialized_name="operatingSystem", + flags={"read_only": True}, + ) + properties.protocols = AAZListType( + flags={"read_only": True}, + ) + properties.serial_number = AAZStrType( + serialized_name="serialNumber", + flags={"read_only": True}, + ) + properties.source = AAZStrType( + flags={"read_only": True}, + ) + properties.threat_intelligence = AAZListType( + serialized_name="threatIntelligence", + flags={"read_only": True}, + ) + properties.vendor = AAZStrType( + flags={"read_only": True}, + ) + + protocols = cls._schema_on_200.entities.Element.discriminate_by("kind", "IoTDevice").properties.protocols + protocols.Element = AAZStrType( + flags={"read_only": True}, + ) + + threat_intelligence = cls._schema_on_200.entities.Element.discriminate_by("kind", "IoTDevice").properties.threat_intelligence + threat_intelligence.Element = AAZObjectType( + flags={"read_only": True}, + ) + _build_schema_threat_intelligence_read(threat_intelligence.Element) + + disc_ip = cls._schema_on_200.entities.Element.discriminate_by("kind", "Ip") + disc_ip.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Ip").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.address = AAZStrType( + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.location = AAZObjectType( + flags={"read_only": True}, + ) + 
properties.threat_intelligence = AAZListType( + serialized_name="threatIntelligence", + flags={"read_only": True}, + ) + + location = cls._schema_on_200.entities.Element.discriminate_by("kind", "Ip").properties.location + location.asn = AAZIntType( + flags={"read_only": True}, + ) + location.city = AAZStrType( + flags={"read_only": True}, + ) + location.country_code = AAZStrType( + serialized_name="countryCode", + flags={"read_only": True}, + ) + location.country_name = AAZStrType( + serialized_name="countryName", + flags={"read_only": True}, + ) + location.latitude = AAZFloatType( + flags={"read_only": True}, + ) + location.longitude = AAZFloatType( + flags={"read_only": True}, + ) + location.state = AAZStrType( + flags={"read_only": True}, + ) + + threat_intelligence = cls._schema_on_200.entities.Element.discriminate_by("kind", "Ip").properties.threat_intelligence + threat_intelligence.Element = AAZObjectType( + flags={"read_only": True}, + ) + _build_schema_threat_intelligence_read(threat_intelligence.Element) + + disc_mail_cluster = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailCluster") + disc_mail_cluster.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailCluster").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.cluster_group = AAZStrType( + serialized_name="clusterGroup", + flags={"read_only": True}, + ) + properties.cluster_query_end_time = AAZStrType( + serialized_name="clusterQueryEndTime", + flags={"read_only": True}, + ) + properties.cluster_query_start_time = AAZStrType( + serialized_name="clusterQueryStartTime", + flags={"read_only": True}, + ) + properties.cluster_source_identifier = AAZStrType( + serialized_name="clusterSourceIdentifier", + flags={"read_only": True}, + ) + properties.cluster_source_type = AAZStrType( + 
serialized_name="clusterSourceType", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.is_volume_anomaly = AAZBoolType( + serialized_name="isVolumeAnomaly", + flags={"read_only": True}, + ) + properties.mail_count = AAZIntType( + serialized_name="mailCount", + flags={"read_only": True}, + ) + properties.network_message_ids = AAZListType( + serialized_name="networkMessageIds", + flags={"read_only": True}, + ) + properties.query = AAZStrType( + flags={"read_only": True}, + ) + properties.query_time = AAZStrType( + serialized_name="queryTime", + flags={"read_only": True}, + ) + properties.source = AAZStrType( + flags={"read_only": True}, + ) + properties.threats = AAZListType( + flags={"read_only": True}, + ) + + network_message_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailCluster").properties.network_message_ids + network_message_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + threats = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailCluster").properties.threats + threats.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_mail_message = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage") + disc_mail_message.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.antispam_direction = AAZStrType( + serialized_name="antispamDirection", + ) + properties.body_fingerprint_bin1 = AAZIntType( + serialized_name="bodyFingerprintBin1", + ) + properties.body_fingerprint_bin2 = AAZIntType( + serialized_name="bodyFingerprintBin2", + ) + properties.body_fingerprint_bin3 = AAZIntType( + serialized_name="bodyFingerprintBin3", + ) + 
properties.body_fingerprint_bin4 = AAZIntType( + serialized_name="bodyFingerprintBin4", + ) + properties.body_fingerprint_bin5 = AAZIntType( + serialized_name="bodyFingerprintBin5", + ) + properties.delivery_action = AAZStrType( + serialized_name="deliveryAction", + ) + properties.delivery_location = AAZStrType( + serialized_name="deliveryLocation", + ) + properties.file_entity_ids = AAZListType( + serialized_name="fileEntityIds", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.internet_message_id = AAZStrType( + serialized_name="internetMessageId", + flags={"read_only": True}, + ) + properties.language = AAZStrType( + flags={"read_only": True}, + ) + properties.network_message_id = AAZStrType( + serialized_name="networkMessageId", + flags={"read_only": True}, + ) + properties.p1_sender = AAZStrType( + serialized_name="p1Sender", + flags={"read_only": True}, + ) + properties.p1_sender_display_name = AAZStrType( + serialized_name="p1SenderDisplayName", + flags={"read_only": True}, + ) + properties.p1_sender_domain = AAZStrType( + serialized_name="p1SenderDomain", + flags={"read_only": True}, + ) + properties.p2_sender = AAZStrType( + serialized_name="p2Sender", + flags={"read_only": True}, + ) + properties.p2_sender_display_name = AAZStrType( + serialized_name="p2SenderDisplayName", + flags={"read_only": True}, + ) + properties.p2_sender_domain = AAZStrType( + serialized_name="p2SenderDomain", + flags={"read_only": True}, + ) + properties.receive_date = AAZStrType( + serialized_name="receiveDate", + flags={"read_only": True}, + ) + properties.recipient = AAZStrType( + flags={"read_only": True}, + ) + properties.sender_ip = AAZStrType( + serialized_name="senderIP", + flags={"read_only": True}, + ) + properties.subject = AAZStrType( + flags={"read_only": True}, + ) + properties.threat_detection_methods = AAZListType( + serialized_name="threatDetectionMethods", + 
flags={"read_only": True}, + ) + properties.threats = AAZListType( + flags={"read_only": True}, + ) + properties.urls = AAZListType( + flags={"read_only": True}, + ) + + file_entity_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage").properties.file_entity_ids + file_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + threat_detection_methods = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage").properties.threat_detection_methods + threat_detection_methods.Element = AAZStrType( + flags={"read_only": True}, + ) + + threats = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage").properties.threats + threats.Element = AAZStrType( + flags={"read_only": True}, + ) + + urls = cls._schema_on_200.entities.Element.discriminate_by("kind", "MailMessage").properties.urls + urls.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_mailbox = cls._schema_on_200.entities.Element.discriminate_by("kind", "Mailbox") + disc_mailbox.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Mailbox").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"read_only": True}, + ) + properties.external_directory_object_id = AAZStrType( + serialized_name="externalDirectoryObjectId", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.mailbox_primary_address = AAZStrType( + serialized_name="mailboxPrimaryAddress", + flags={"read_only": True}, + ) + properties.upn = AAZStrType( + flags={"read_only": True}, + ) + + disc_malware = cls._schema_on_200.entities.Element.discriminate_by("kind", "Malware") + disc_malware.properties = AAZObjectType( + 
flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Malware").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.category = AAZStrType( + flags={"read_only": True}, + ) + properties.file_entity_ids = AAZListType( + serialized_name="fileEntityIds", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.malware_name = AAZStrType( + serialized_name="malwareName", + flags={"read_only": True}, + ) + properties.process_entity_ids = AAZListType( + serialized_name="processEntityIds", + flags={"read_only": True}, + ) + + file_entity_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "Malware").properties.file_entity_ids + file_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + process_entity_ids = cls._schema_on_200.entities.Element.discriminate_by("kind", "Malware").properties.process_entity_ids + process_entity_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_process = cls._schema_on_200.entities.Element.discriminate_by("kind", "Process") + disc_process.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Process").properties + properties.account_entity_id = AAZStrType( + serialized_name="accountEntityId", + flags={"read_only": True}, + ) + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.command_line = AAZStrType( + serialized_name="commandLine", + flags={"read_only": True}, + ) + properties.creation_time_utc = AAZStrType( + serialized_name="creationTimeUtc", + flags={"read_only": True}, + ) + properties.elevation_token = AAZStrType( + serialized_name="elevationToken", + ) + properties.friendly_name = AAZStrType( 
+ serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.host_entity_id = AAZStrType( + serialized_name="hostEntityId", + flags={"read_only": True}, + ) + properties.host_logon_session_entity_id = AAZStrType( + serialized_name="hostLogonSessionEntityId", + flags={"read_only": True}, + ) + properties.image_file_entity_id = AAZStrType( + serialized_name="imageFileEntityId", + flags={"read_only": True}, + ) + properties.parent_process_entity_id = AAZStrType( + serialized_name="parentProcessEntityId", + flags={"read_only": True}, + ) + properties.process_id = AAZStrType( + serialized_name="processId", + flags={"read_only": True}, + ) + + disc_registry_key = cls._schema_on_200.entities.Element.discriminate_by("kind", "RegistryKey") + disc_registry_key.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "RegistryKey").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.hive = AAZStrType( + flags={"read_only": True}, + ) + properties.key = AAZStrType( + flags={"read_only": True}, + ) + + disc_registry_value = cls._schema_on_200.entities.Element.discriminate_by("kind", "RegistryValue") + disc_registry_value.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "RegistryValue").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.key_entity_id = AAZStrType( + serialized_name="keyEntityId", + flags={"read_only": True}, + ) + properties.value_data = AAZStrType( + serialized_name="valueData", + 
flags={"read_only": True}, + ) + properties.value_name = AAZStrType( + serialized_name="valueName", + flags={"read_only": True}, + ) + properties.value_type = AAZStrType( + serialized_name="valueType", + flags={"read_only": True}, + ) + + disc_security_alert = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityAlert") + disc_security_alert.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityAlert").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.alert_display_name = AAZStrType( + serialized_name="alertDisplayName", + flags={"read_only": True}, + ) + properties.alert_link = AAZStrType( + serialized_name="alertLink", + flags={"read_only": True}, + ) + properties.alert_type = AAZStrType( + serialized_name="alertType", + flags={"read_only": True}, + ) + properties.compromised_entity = AAZStrType( + serialized_name="compromisedEntity", + flags={"read_only": True}, + ) + properties.confidence_level = AAZStrType( + serialized_name="confidenceLevel", + flags={"read_only": True}, + ) + properties.confidence_reasons = AAZListType( + serialized_name="confidenceReasons", + flags={"read_only": True}, + ) + properties.confidence_score = AAZFloatType( + serialized_name="confidenceScore", + flags={"read_only": True}, + ) + properties.confidence_score_status = AAZStrType( + serialized_name="confidenceScoreStatus", + flags={"read_only": True}, + ) + properties.description = AAZStrType( + flags={"read_only": True}, + ) + properties.end_time_utc = AAZStrType( + serialized_name="endTimeUtc", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.intent = AAZStrType( + flags={"read_only": True}, + ) + properties.processing_end_time = AAZStrType( + serialized_name="processingEndTime", + 
flags={"read_only": True}, + ) + properties.product_component_name = AAZStrType( + serialized_name="productComponentName", + flags={"read_only": True}, + ) + properties.product_name = AAZStrType( + serialized_name="productName", + flags={"read_only": True}, + ) + properties.product_version = AAZStrType( + serialized_name="productVersion", + flags={"read_only": True}, + ) + properties.provider_alert_id = AAZStrType( + serialized_name="providerAlertId", + flags={"read_only": True}, + ) + properties.remediation_steps = AAZListType( + serialized_name="remediationSteps", + flags={"read_only": True}, + ) + properties.severity = AAZStrType() + properties.start_time_utc = AAZStrType( + serialized_name="startTimeUtc", + flags={"read_only": True}, + ) + properties.status = AAZStrType( + flags={"read_only": True}, + ) + properties.system_alert_id = AAZStrType( + serialized_name="systemAlertId", + flags={"read_only": True}, + ) + properties.tactics = AAZListType( + flags={"read_only": True}, + ) + properties.time_generated = AAZStrType( + serialized_name="timeGenerated", + flags={"read_only": True}, + ) + properties.vendor_name = AAZStrType( + serialized_name="vendorName", + flags={"read_only": True}, + ) + + confidence_reasons = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityAlert").properties.confidence_reasons + confidence_reasons.Element = AAZObjectType( + flags={"read_only": True}, + ) + + _element = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityAlert").properties.confidence_reasons.Element + _element.reason = AAZStrType( + flags={"read_only": True}, + ) + _element.reason_type = AAZStrType( + serialized_name="reasonType", + flags={"read_only": True}, + ) + + remediation_steps = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityAlert").properties.remediation_steps + remediation_steps.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.entities.Element.discriminate_by("kind", 
"SecurityAlert").properties.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + disc_security_group = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityGroup") + disc_security_group.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "SecurityGroup").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.distinguished_name = AAZStrType( + serialized_name="distinguishedName", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.object_guid = AAZStrType( + serialized_name="objectGuid", + flags={"read_only": True}, + ) + properties.sid = AAZStrType( + flags={"read_only": True}, + ) + + disc_submission_mail = cls._schema_on_200.entities.Element.discriminate_by("kind", "SubmissionMail") + disc_submission_mail.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "SubmissionMail").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.network_message_id = AAZStrType( + serialized_name="networkMessageId", + flags={"read_only": True}, + ) + properties.recipient = AAZStrType( + flags={"read_only": True}, + ) + properties.report_type = AAZStrType( + serialized_name="reportType", + flags={"read_only": True}, + ) + properties.sender = AAZStrType( + flags={"read_only": True}, + ) + properties.sender_ip = AAZStrType( + serialized_name="senderIp", + flags={"read_only": True}, + ) + properties.subject = AAZStrType( + flags={"read_only": True}, + ) + properties.submission_date = AAZStrType( + 
serialized_name="submissionDate", + flags={"read_only": True}, + ) + properties.submission_id = AAZStrType( + serialized_name="submissionId", + flags={"read_only": True}, + ) + properties.submitter = AAZStrType( + flags={"read_only": True}, + ) + properties.timestamp = AAZStrType( + flags={"read_only": True}, + ) + + disc_url = cls._schema_on_200.entities.Element.discriminate_by("kind", "Url") + disc_url.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.entities.Element.discriminate_by("kind", "Url").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.url = AAZStrType( + flags={"read_only": True}, + ) + + meta_data = cls._schema_on_200.meta_data + meta_data.Element = AAZObjectType() + + _element = cls._schema_on_200.meta_data.Element + _element.count = AAZIntType( + flags={"required": True}, + ) + _element.entity_kind = AAZStrType( + serialized_name="entityKind", + flags={"required": True}, + ) + + return cls._schema_on_200 + + +_schema_threat_intelligence_read = None + + +def _build_schema_threat_intelligence_read(_schema): + global _schema_threat_intelligence_read + if _schema_threat_intelligence_read is not None: + _schema.confidence = _schema_threat_intelligence_read.confidence + _schema.provider_name = _schema_threat_intelligence_read.provider_name + _schema.report_link = _schema_threat_intelligence_read.report_link + _schema.threat_description = _schema_threat_intelligence_read.threat_description + _schema.threat_name = _schema_threat_intelligence_read.threat_name + _schema.threat_type = _schema_threat_intelligence_read.threat_type + return + + _schema_threat_intelligence_read = AAZObjectType( + flags={"read_only": True} + ) + + threat_intelligence_read = _schema_threat_intelligence_read + 
threat_intelligence_read.confidence = AAZFloatType( + flags={"read_only": True}, + ) + threat_intelligence_read.provider_name = AAZStrType( + serialized_name="providerName", + flags={"read_only": True}, + ) + threat_intelligence_read.report_link = AAZStrType( + serialized_name="reportLink", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_description = AAZStrType( + serialized_name="threatDescription", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_name = AAZStrType( + serialized_name="threatName", + flags={"read_only": True}, + ) + threat_intelligence_read.threat_type = AAZStrType( + serialized_name="threatType", + flags={"read_only": True}, + ) + + _schema.confidence = _schema_threat_intelligence_read.confidence + _schema.provider_name = _schema_threat_intelligence_read.provider_name + _schema.report_link = _schema_threat_intelligence_read.report_link + _schema.threat_description = _schema_threat_intelligence_read.threat_description + _schema.threat_name = _schema_threat_intelligence_read.threat_name + _schema.threat_type = _schema_threat_intelligence_read.threat_type + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["ListEntity"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_run_playbook.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_run_playbook.py new file mode 100644 index 00000000000..879ed7f4913 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_run_playbook.py 
@@ -0,0 +1,161 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident run-playbook", + is_experimental=True, +) +class RunPlaybook(AAZCommand): + """Trigger playbook on a specific incident + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/runplaybook", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_identifier = AAZStrArg( + options=["--incident-identifier"], + help="Identifier of incident.", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "RequestBody" + + _args_schema = cls._args_schema + _args_schema.logic_apps_resource_id = AAZStrArg( + options=["--logic-apps-resource-id"], + arg_group="RequestBody", + help="Resource ID of logic apps.", + ) + _args_schema.tenant_id = AAZStrArg( + 
options=["--tenant-id"], + arg_group="RequestBody", + help="ID of tenant.", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsRunPlaybook(ctx=self.ctx)() + + class IncidentsRunPlaybook(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentIdentifier}/runPlaybook", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentIdentifier", self.ctx.args.incident_identifier, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"client_flatten": True}} + ) + 
_builder.set_prop("logicAppsResourceId", AAZStrType, ".logic_apps_resource_id") + _builder.set_prop("tenantId", AAZStrType, ".tenant_id") + + return self.serialize_content(_content_value) + + def on_204(self, session): + pass + + +__all__ = ["RunPlaybook"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_show.py new file mode 100644 index 00000000000..49f6f57a7e1 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_show.py 
@@ -0,0 +1,358 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an incident. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["-n", "--name", "--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsGet(AAZHttpOperation): + CLIENT_TYPE = 
"MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": 
True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.additional_data = AAZObjectType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.classification = AAZStrType() + properties.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + properties.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.first_activity_time_utc = AAZStrType( + serialized_name="firstActivityTimeUtc", + ) + properties.incident_number = AAZIntType( + serialized_name="incidentNumber", + flags={"read_only": True}, + ) + properties.incident_url = AAZStrType( + serialized_name="incidentUrl", + flags={"read_only": True}, + ) + properties.labels = AAZListType() + properties.last_activity_time_utc = AAZStrType( + serialized_name="lastActivityTimeUtc", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.owner = AAZObjectType() + properties.provider_incident_id = AAZStrType( + serialized_name="providerIncidentId", + ) + properties.provider_name = AAZStrType( + serialized_name="providerName", + ) + properties.related_analytic_rule_ids = AAZListType( + serialized_name="relatedAnalyticRuleIds", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.team_information = AAZObjectType( + 
serialized_name="teamInformation", + ) + properties.title = AAZStrType( + flags={"required": True}, + ) + + additional_data = cls._schema_on_200.properties.additional_data + additional_data.alert_product_names = AAZListType( + serialized_name="alertProductNames", + flags={"read_only": True}, + ) + additional_data.alerts_count = AAZIntType( + serialized_name="alertsCount", + flags={"read_only": True}, + ) + additional_data.bookmarks_count = AAZIntType( + serialized_name="bookmarksCount", + flags={"read_only": True}, + ) + additional_data.comments_count = AAZIntType( + serialized_name="commentsCount", + flags={"read_only": True}, + ) + additional_data.provider_incident_url = AAZStrType( + serialized_name="providerIncidentUrl", + flags={"read_only": True}, + ) + additional_data.tactics = AAZListType( + flags={"read_only": True}, + ) + additional_data.techniques = AAZListType( + flags={"read_only": True}, + ) + + alert_product_names = cls._schema_on_200.properties.additional_data.alert_product_names + alert_product_names.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = cls._schema_on_200.properties.additional_data.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = cls._schema_on_200.properties.additional_data.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + labels = cls._schema_on_200.properties.labels + labels.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = cls._schema_on_200.properties.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + 
owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + related_analytic_rule_ids = cls._schema_on_200.properties.related_analytic_rule_ids + related_analytic_rule_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + team_information = cls._schema_on_200.properties.team_information + team_information.description = AAZStrType( + flags={"read_only": True}, + ) + team_information.name = AAZStrType( + flags={"read_only": True}, + ) + team_information.primary_channel_url = AAZStrType( + serialized_name="primaryChannelUrl", + flags={"read_only": True}, + ) + team_information.team_creation_time_utc = AAZStrType( + serialized_name="teamCreationTimeUtc", + flags={"read_only": True}, + ) + team_information.team_id = AAZStrType( + serialized_name="teamId", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_update.py new file mode 100644 index 00000000000..7b026a1e753 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/_update.py 
@@ -0,0 +1,673 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the incident. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["-n", "--name", "--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Incident" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Incident", + help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group "Properties" + + 
_args_schema = cls._args_schema + _args_schema.classification = AAZStrArg( + options=["--classification"], + arg_group="Properties", + help="The reason the incident was closed", + nullable=True, + enum={"BenignPositive": "BenignPositive", "FalsePositive": "FalsePositive", "TruePositive": "TruePositive", "Undetermined": "Undetermined"}, + ) + _args_schema.classification_comment = AAZStrArg( + options=["--classification-comment"], + arg_group="Properties", + help="Describes the reason the incident was closed", + nullable=True, + ) + _args_schema.classification_reason = AAZStrArg( + options=["--classification-reason"], + arg_group="Properties", + help="The classification reason the incident was closed with", + nullable=True, + enum={"InaccurateData": "InaccurateData", "IncorrectAlertLogic": "IncorrectAlertLogic", "SuspiciousActivity": "SuspiciousActivity", "SuspiciousButExpected": "SuspiciousButExpected"}, + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="The description of the incident", + nullable=True, + ) + _args_schema.first_activity_time_utc = AAZStrArg( + options=["--first-activity-time-utc"], + arg_group="Properties", + help="The time of the first activity in the incident", + nullable=True, + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this incident", + nullable=True, + ) + _args_schema.last_activity_time_utc = AAZStrArg( + options=["--last-activity-time-utc"], + arg_group="Properties", + help="The time of the last activity in the incident", + nullable=True, + ) + _args_schema.owner = AAZObjectArg( + options=["--owner"], + arg_group="Properties", + help="Describes a user that the incident is assigned to", + nullable=True, + ) + _args_schema.provider_incident_id = AAZStrArg( + options=["--provider-incident-id"], + arg_group="Properties", + help="The incident ID assigned by the incident provider", + nullable=True, + ) + 
_args_schema.provider_name = AAZStrArg( + options=["--provider-name"], + arg_group="Properties", + help="The name of the source provider that generated the incident", + nullable=True, + ) + _args_schema.severity = AAZStrArg( + options=["--severity"], + arg_group="Properties", + help="The severity of the incident", + enum={"High": "High", "Informational": "Informational", "Low": "Low", "Medium": "Medium"}, + ) + _args_schema.status = AAZStrArg( + options=["--status"], + arg_group="Properties", + help="The status of the incident", + enum={"Active": "Active", "Closed": "Closed", "New": "New"}, + ) + _args_schema.title = AAZStrArg( + options=["--title"], + arg_group="Properties", + help="The title of the incident", + ) + + labels = cls._args_schema.labels + labels.Element = AAZObjectArg() + + _element = cls._args_schema.labels.Element + _element.label_name = AAZStrArg( + options=["label-name"], + help="The name of the label", + ) + + owner = cls._args_schema.owner + owner.assigned_to = AAZStrArg( + options=["assigned-to"], + help="The name of the user the incident is assigned to.", + nullable=True, + ) + owner.email = AAZStrArg( + options=["email"], + help="The email of the user the incident is assigned to.", + nullable=True, + ) + owner.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user the incident is assigned to.", + nullable=True, + ) + owner.owner_type = AAZStrArg( + options=["owner-type"], + help="The type of the owner the incident is assigned to.", + nullable=True, + enum={"Group": "Group", "Unknown": "Unknown", "User": "User"}, + ) + owner.user_principal_name = AAZStrArg( + options=["user-principal-name"], + help="The user principal name of the user the incident is assigned to.", + nullable=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.IncidentsCreateOrUpdate(ctx=self.ctx)() 
+ + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return 
cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_incident_read(cls._schema_on_200) + + return cls._schema_on_200 + + class IncidentsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) 
+ + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_incident_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("classification", AAZStrType, ".classification") + properties.set_prop("classificationComment", AAZStrType, ".classification_comment") + properties.set_prop("classificationReason", AAZStrType, ".classification_reason") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("firstActivityTimeUtc", AAZStrType, ".first_activity_time_utc") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("lastActivityTimeUtc", AAZStrType, ".last_activity_time_utc") + properties.set_prop("owner", AAZObjectType, ".owner") + properties.set_prop("providerIncidentId", AAZStrType, ".provider_incident_id") + properties.set_prop("providerName", AAZStrType, ".provider_name") + properties.set_prop("severity", AAZStrType, ".severity", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("status", AAZStrType, ".status", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("title", AAZStrType, ".title", 
typ_kwargs={"flags": {"required": True}}) + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.labels[]") + if _elements is not None: + _elements.set_prop("labelName", AAZStrType, ".label_name", typ_kwargs={"flags": {"required": True}}) + + owner = _builder.get(".properties.owner") + if owner is not None: + owner.set_prop("assignedTo", AAZStrType, ".assigned_to") + owner.set_prop("email", AAZStrType, ".email") + owner.set_prop("objectId", AAZStrType, ".object_id") + owner.set_prop("ownerType", AAZStrType, ".owner_type") + owner.set_prop("userPrincipalName", AAZStrType, ".user_principal_name") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_incident_read = None + + +def _build_schema_incident_read(_schema): + global _schema_incident_read + if _schema_incident_read is not None: + _schema.etag = _schema_incident_read.etag + _schema.id = _schema_incident_read.id + _schema.name = _schema_incident_read.name + _schema.properties = _schema_incident_read.properties + _schema.system_data = _schema_incident_read.system_data + _schema.type = _schema_incident_read.type + return + + _schema_incident_read = AAZObjectType() + + incident_read = _schema_incident_read + incident_read.etag = AAZStrType() + incident_read.id = AAZStrType( + flags={"read_only": True}, + ) + incident_read.name = AAZStrType( + flags={"read_only": True}, + ) + incident_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + incident_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + incident_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_incident_read.properties + properties.additional_data = AAZObjectType( + 
serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.classification = AAZStrType() + properties.classification_comment = AAZStrType( + serialized_name="classificationComment", + ) + properties.classification_reason = AAZStrType( + serialized_name="classificationReason", + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.description = AAZStrType() + properties.first_activity_time_utc = AAZStrType( + serialized_name="firstActivityTimeUtc", + ) + properties.incident_number = AAZIntType( + serialized_name="incidentNumber", + flags={"read_only": True}, + ) + properties.incident_url = AAZStrType( + serialized_name="incidentUrl", + flags={"read_only": True}, + ) + properties.labels = AAZListType() + properties.last_activity_time_utc = AAZStrType( + serialized_name="lastActivityTimeUtc", + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.owner = AAZObjectType() + properties.provider_incident_id = AAZStrType( + serialized_name="providerIncidentId", + ) + properties.provider_name = AAZStrType( + serialized_name="providerName", + ) + properties.related_analytic_rule_ids = AAZListType( + serialized_name="relatedAnalyticRuleIds", + flags={"read_only": True}, + ) + properties.severity = AAZStrType( + flags={"required": True}, + ) + properties.status = AAZStrType( + flags={"required": True}, + ) + properties.team_information = AAZObjectType( + serialized_name="teamInformation", + ) + properties.title = AAZStrType( + flags={"required": True}, + ) + + additional_data = _schema_incident_read.properties.additional_data + additional_data.alert_product_names = AAZListType( + serialized_name="alertProductNames", + flags={"read_only": True}, + ) + additional_data.alerts_count = AAZIntType( + serialized_name="alertsCount", + flags={"read_only": True}, + ) + additional_data.bookmarks_count = 
AAZIntType( + serialized_name="bookmarksCount", + flags={"read_only": True}, + ) + additional_data.comments_count = AAZIntType( + serialized_name="commentsCount", + flags={"read_only": True}, + ) + additional_data.provider_incident_url = AAZStrType( + serialized_name="providerIncidentUrl", + flags={"read_only": True}, + ) + additional_data.tactics = AAZListType( + flags={"read_only": True}, + ) + additional_data.techniques = AAZListType( + flags={"read_only": True}, + ) + + alert_product_names = _schema_incident_read.properties.additional_data.alert_product_names + alert_product_names.Element = AAZStrType( + flags={"read_only": True}, + ) + + tactics = _schema_incident_read.properties.additional_data.tactics + tactics.Element = AAZStrType( + flags={"read_only": True}, + ) + + techniques = _schema_incident_read.properties.additional_data.techniques + techniques.Element = AAZStrType( + flags={"read_only": True}, + ) + + labels = _schema_incident_read.properties.labels + labels.Element = AAZObjectType() + + _element = _schema_incident_read.properties.labels.Element + _element.label_name = AAZStrType( + serialized_name="labelName", + flags={"required": True}, + ) + _element.label_type = AAZStrType( + serialized_name="labelType", + flags={"read_only": True}, + ) + + owner = _schema_incident_read.properties.owner + owner.assigned_to = AAZStrType( + serialized_name="assignedTo", + ) + owner.email = AAZStrType() + owner.object_id = AAZStrType( + serialized_name="objectId", + ) + owner.owner_type = AAZStrType( + serialized_name="ownerType", + ) + owner.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + ) + + related_analytic_rule_ids = _schema_incident_read.properties.related_analytic_rule_ids + related_analytic_rule_ids.Element = AAZStrType( + flags={"read_only": True}, + ) + + team_information = _schema_incident_read.properties.team_information + team_information.description = AAZStrType( + flags={"read_only": True}, + ) + team_information.name = 
AAZStrType( + flags={"read_only": True}, + ) + team_information.primary_channel_url = AAZStrType( + serialized_name="primaryChannelUrl", + flags={"read_only": True}, + ) + team_information.team_creation_time_utc = AAZStrType( + serialized_name="teamCreationTimeUtc", + flags={"read_only": True}, + ) + team_information.team_id = AAZStrType( + serialized_name="teamId", + flags={"read_only": True}, + ) + + system_data = _schema_incident_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_incident_read.etag + _schema.id = _schema_incident_read.id + _schema.name = _schema_incident_read.name + _schema.properties = _schema_incident_read.properties + _schema.system_data = _schema_incident_read.system_data + _schema.type = _schema_incident_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__cmd_group.py new file mode 100644 index 00000000000..77550b39cff --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel incident comment", +) +class __CMDGroup(AAZCommandGroup): + """Manage incident comment with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_create.py new file mode 100644 index 00000000000..d8f46483ef0 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_create.py 
@@ -0,0 +1,281 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident comment create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the incident comment. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/comments/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_comment_id = AAZStrArg( + options=["-n", "--name", "--incident-comment-id"], + help="Incident comment ID", + required=True, + id_part="child_name_2", + ) + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "IncidentComment" + + _args_schema = cls._args_schema + _args_schema.etag = 
AAZStrArg( + options=["--etag"], + arg_group="IncidentComment", + help="Etag of the azure resource", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.message = AAZStrArg( + options=["--message"], + arg_group="Properties", + help="The comment message", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentCommentsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentCommentsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentCommentId", self.ctx.args.incident_comment_id, + required=True, + ), + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + 
parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("message", AAZStrType, ".message", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.author = AAZObjectType( + flags={"read_only": True}, + ) + properties.created_time_utc = AAZStrType( + 
serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.message = AAZStrType( + flags={"required": True}, + ) + + author = cls._schema_on_200_201.properties.author + author.email = AAZStrType( + flags={"read_only": True}, + ) + author.name = AAZStrType( + flags={"read_only": True}, + ) + author.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + author.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_delete.py new file mode 100644 index 00000000000..495d5589649 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_delete.py 
@@ -0,0 +1,144 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident comment delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the incident comment. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/comments/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_comment_id = AAZStrArg( + options=["-n", "--name", "--incident-comment-id"], + help="Incident comment ID", + required=True, + id_part="child_name_2", + ) + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def 
_execute_operations(self): + self.IncidentCommentsDelete(ctx=self.ctx)() + + class IncidentCommentsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentCommentId", self.ctx.args.incident_comment_id, + required=True, + ), + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_list.py new file mode 100644 index 00000000000..e1072785a75 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_list.py 
@@ -0,0 +1,272 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident comment list", + is_experimental=True, +) +class List(AAZCommand): + """Get all incident comments. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/comments", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. 
Optional.", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentCommentsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class IncidentCommentsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", 
self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + "$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( + "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.author = AAZObjectType( + flags={"read_only": True}, + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + 
flags={"read_only": True}, + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.message = AAZStrType( + flags={"required": True}, + ) + + author = cls._schema_on_200.value.Element.properties.author + author.email = AAZStrType( + flags={"read_only": True}, + ) + author.name = AAZStrType( + flags={"read_only": True}, + ) + author.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + author.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_show.py new file mode 100644 index 00000000000..46cf5939c55 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_show.py 
@@ -0,0 +1,244 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident comment show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an incident comment. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/comments/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_comment_id = AAZStrArg( + options=["-n", "--name", "--incident-comment-id"], + help="Incident comment ID", + required=True, + id_part="child_name_2", + ) + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentCommentsGet(ctx=self.ctx)() + + def 
_output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentCommentsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentCommentId", self.ctx.args.incident_comment_id, + required=True, + ), + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + 
schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.author = AAZObjectType( + flags={"read_only": True}, + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.message = AAZStrType( + flags={"required": True}, + ) + + author = cls._schema_on_200.properties.author + author.email = AAZStrType( + flags={"read_only": True}, + ) + author.name = AAZStrType( + flags={"read_only": True}, + ) + author.object_id = AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + author.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + 
system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_update.py new file mode 100644 index 00000000000..2d7a57ff4fb --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/comment/_update.py 
@@ -0,0 +1,424 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident comment update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the incident comment. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/comments/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_comment_id = AAZStrArg( + options=["-n", "--name", "--incident-comment-id"], + help="Incident comment ID", + required=True, + id_part="child_name_2", + ) + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "IncidentComment" + + _args_schema = 
cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="IncidentComment", + help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.message = AAZStrArg( + options=["--message"], + arg_group="Properties", + help="The comment message", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentCommentsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.IncidentCommentsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentCommentsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentCommentId", self.ctx.args.incident_comment_id, + required=True, + ), + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + 
**self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_incident_comment_read(cls._schema_on_200) + + return cls._schema_on_200 + + class IncidentCommentsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentCommentId", self.ctx.args.incident_comment_id, + required=True, + ), + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( 
+ "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_incident_comment_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("message", AAZStrType, ".message", typ_kwargs={"flags": {"required": 
True}}) + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_incident_comment_read = None + + +def _build_schema_incident_comment_read(_schema): + global _schema_incident_comment_read + if _schema_incident_comment_read is not None: + _schema.etag = _schema_incident_comment_read.etag + _schema.id = _schema_incident_comment_read.id + _schema.name = _schema_incident_comment_read.name + _schema.properties = _schema_incident_comment_read.properties + _schema.system_data = _schema_incident_comment_read.system_data + _schema.type = _schema_incident_comment_read.type + return + + _schema_incident_comment_read = AAZObjectType() + + incident_comment_read = _schema_incident_comment_read + incident_comment_read.etag = AAZStrType() + incident_comment_read.id = AAZStrType( + flags={"read_only": True}, + ) + incident_comment_read.name = AAZStrType( + flags={"read_only": True}, + ) + incident_comment_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + incident_comment_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + incident_comment_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_incident_comment_read.properties + properties.author = AAZObjectType( + flags={"read_only": True}, + ) + properties.created_time_utc = AAZStrType( + serialized_name="createdTimeUtc", + flags={"read_only": True}, + ) + properties.last_modified_time_utc = AAZStrType( + serialized_name="lastModifiedTimeUtc", + flags={"read_only": True}, + ) + properties.message = AAZStrType( + flags={"required": True}, + ) + + author = _schema_incident_comment_read.properties.author + author.email = AAZStrType( + flags={"read_only": True}, + ) + author.name = AAZStrType( + flags={"read_only": True}, + ) + author.object_id = 
AAZStrType( + serialized_name="objectId", + flags={"read_only": True}, + ) + author.user_principal_name = AAZStrType( + serialized_name="userPrincipalName", + flags={"read_only": True}, + ) + + system_data = _schema_incident_comment_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_incident_comment_read.etag + _schema.id = _schema_incident_comment_read.id + _schema.name = _schema_incident_comment_read.name + _schema.properties = _schema_incident_comment_read.properties + _schema.system_data = _schema_incident_comment_read.system_data + _schema.type = _schema_incident_comment_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__cmd_group.py new file mode 100644 index 00000000000..360d93d62d0 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel incident relation", +) +class __CMDGroup(AAZCommandGroup): + """Manage incident relation with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_create.py new file mode 100644 index 00000000000..6887615cfa3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_create.py 
@@ -0,0 +1,267 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident relation create", + is_experimental=True, +) +class Create(AAZCommand): + """Create the incident relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.related_resource_id = AAZStrArg( 
+ options=["--related-resource-id"], + arg_group="Properties", + help="The resource ID of the related resource", + ) + + # define Arg Group "Relation" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Relation", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentRelationsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentRelationsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + 
parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("relatedResourceId", AAZStrType, ".related_resource_id", typ_kwargs={"flags": {"required": True}}) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": 
True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_delete.py new file mode 100644 index 00000000000..1bfb161d6bd --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_delete.py 
@@ -0,0 +1,144 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident relation delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the incident relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + 
self.IncidentRelationsDelete(ctx=self.ctx)() + + class IncidentRelationsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_list.py new file mode 100644 index 00000000000..10b7ae11aca --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_list.py 
@@ -0,0 +1,258 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident relation list", + is_experimental=True, +) +class List(AAZCommand): + """Get all incident relations. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/relations", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. 
Optional.", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentRelationsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class IncidentRelationsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", 
self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + "$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( + "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = 
AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_show.py new file mode 100644 index 00000000000..82e424507dd --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_show.py 
@@ -0,0 +1,230 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident relation show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an incident relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/relations/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentRelationsGet(ctx=self.ctx)() + + def _output(self, 
*args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentRelationsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + 
_schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_update.py new file mode 100644 index 00000000000..205a6a1e40a --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/incident/relation/_update.py 
@@ -0,0 +1,410 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel incident relation update", + is_experimental=True, +) +class Update(AAZCommand): + """Update the incident relation. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}/relations/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.incident_id = AAZStrArg( + options=["--incident-id"], + help="Incident ID", + required=True, + id_part="child_name_1", + ) + _args_schema.relation_name = AAZStrArg( + options=["-n", "--name", "--relation-name"], + help="Relation Name", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + 
_args_schema.related_resource_id = AAZStrArg( + options=["--related-resource-id"], + arg_group="Properties", + help="The resource ID of the related resource", + ) + + # define Arg Group "Relation" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Relation", + help="Etag of the azure resource", + nullable=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.IncidentRelationsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.IncidentRelationsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class IncidentRelationsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), 
+ **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_relation_read(cls._schema_on_200) + + return cls._schema_on_200 + + class IncidentRelationsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "incidentId", self.ctx.args.incident_id, + required=True, + ), + **self.serialize_url_param( + "relationName", self.ctx.args.relation_name, + required=True, + ), + **self.serialize_url_param( + 
"resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_relation_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("relatedResourceId", AAZStrType, ".related_resource_id", typ_kwargs={"flags": 
{"required": True}}) + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_relation_read = None + + +def _build_schema_relation_read(_schema): + global _schema_relation_read + if _schema_relation_read is not None: + _schema.etag = _schema_relation_read.etag + _schema.id = _schema_relation_read.id + _schema.name = _schema_relation_read.name + _schema.properties = _schema_relation_read.properties + _schema.system_data = _schema_relation_read.system_data + _schema.type = _schema_relation_read.type + return + + _schema_relation_read = AAZObjectType() + + relation_read = _schema_relation_read + relation_read.etag = AAZStrType() + relation_read.id = AAZStrType( + flags={"read_only": True}, + ) + relation_read.name = AAZStrType( + flags={"read_only": True}, + ) + relation_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + relation_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + relation_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_relation_read.properties + properties.related_resource_id = AAZStrType( + serialized_name="relatedResourceId", + flags={"required": True}, + ) + properties.related_resource_kind = AAZStrType( + serialized_name="relatedResourceKind", + flags={"read_only": True}, + ) + properties.related_resource_name = AAZStrType( + serialized_name="relatedResourceName", + flags={"read_only": True}, + ) + properties.related_resource_type = AAZStrType( + serialized_name="relatedResourceType", + flags={"read_only": True}, + ) + + system_data = _schema_relation_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + 
flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_relation_read.etag + _schema.id = _schema_relation_read.id + _schema.name = _schema_relation_read.name + _schema.properties = _schema_relation_read.properties + _schema.system_data = _schema_relation_read.system_data + _schema.type = _schema_relation_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__cmd_group.py new file mode 100644 index 00000000000..b6d3d8c78ce --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel metadata", +) +class __CMDGroup(AAZCommandGroup): + """Manage metadata with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_create.py new file mode 100644 index 00000000000..09551c7e215 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_create.py 
@@ -0,0 +1,681 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel metadata create", + is_experimental=True, +) +class Create(AAZCommand): + """Create a Metadata. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/metadata/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.metadata_name = AAZStrArg( + options=["-n", "--name", "--metadata-name"], + help="The Metadata name.", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Metadata" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Metadata", + help="Etag of the azure resource", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.author = 
AAZObjectArg( + options=["--author"], + arg_group="Properties", + help="The creator of the content item.", + ) + _args_schema.categories = AAZObjectArg( + options=["--categories"], + arg_group="Properties", + help="Categories for the solution content item", + ) + _args_schema.content_id = AAZStrArg( + options=["--content-id"], + arg_group="Properties", + help="Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name", + ) + _args_schema.content_schema_version = AAZStrArg( + options=["--content-schema-version"], + arg_group="Properties", + help="Schema version of the content. Can be used to distinguish between different flow based on the schema version", + ) + _args_schema.custom_version = AAZStrArg( + options=["--custom-version"], + arg_group="Properties", + help="The custom version of the content. A optional free text", + ) + _args_schema.dependencies = AAZObjectArg( + options=["--dependencies"], + arg_group="Properties", + help="Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats.", + ) + cls._build_args_metadata_dependencies_create(_args_schema.dependencies) + _args_schema.first_publish_date = AAZStrArg( + options=["--first-publish-date"], + arg_group="Properties", + help="first publish date solution content item", + ) + _args_schema.icon = AAZStrArg( + options=["--icon"], + arg_group="Properties", + help="the icon identifier. 
this id can later be fetched from the solution template", + ) + _args_schema.kind = AAZStrArg( + options=["--kind"], + arg_group="Properties", + help="The kind of content the metadata is for.", + enum={"AnalyticsRule": "AnalyticsRule", "AnalyticsRuleTemplate": "AnalyticsRuleTemplate", "AutomationRule": "AutomationRule", "AzureFunction": "AzureFunction", "DataConnector": "DataConnector", "DataType": "DataType", "HuntingQuery": "HuntingQuery", "InvestigationQuery": "InvestigationQuery", "LogicAppsCustomConnector": "LogicAppsCustomConnector", "Parser": "Parser", "Playbook": "Playbook", "PlaybookTemplate": "PlaybookTemplate", "Solution": "Solution", "Watchlist": "Watchlist", "WatchlistTemplate": "WatchlistTemplate", "Workbook": "Workbook", "WorkbookTemplate": "WorkbookTemplate"}, + ) + _args_schema.last_publish_date = AAZStrArg( + options=["--last-publish-date"], + arg_group="Properties", + help="last publish date for the solution content item", + ) + _args_schema.parent_id = AAZStrArg( + options=["--parent-id"], + arg_group="Properties", + help="Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)", + ) + _args_schema.preview_images = AAZListArg( + options=["--preview-images"], + arg_group="Properties", + help="preview image file names. These will be taken from the solution artifacts", + ) + _args_schema.preview_images_dark = AAZListArg( + options=["--preview-images-dark"], + arg_group="Properties", + help="preview image file names. These will be taken from the solution artifacts. used for dark theme support", + ) + _args_schema.providers = AAZListArg( + options=["--providers"], + arg_group="Properties", + help="Providers for the solution content item", + ) + _args_schema.source = AAZObjectArg( + options=["--source"], + arg_group="Properties", + help="Source of the content. 
This is where/how it was created.", + ) + _args_schema.support = AAZObjectArg( + options=["--support"], + arg_group="Properties", + help="Support information for the metadata - type, name, contact information", + ) + _args_schema.threat_tactics = AAZListArg( + options=["--threat-tactics"], + arg_group="Properties", + help="the tactics the resource covers", + ) + _args_schema.threat_techniques = AAZListArg( + options=["--threat-techniques"], + arg_group="Properties", + help="the techniques the resource covers, these have to be aligned with the tactics being used", + ) + _args_schema.version = AAZStrArg( + options=["--version"], + arg_group="Properties", + help="Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks", + ) + + author = cls._args_schema.author + author.email = AAZStrArg( + options=["email"], + help="Email of author contact", + ) + author.link = AAZStrArg( + options=["link"], + help="Link for author/vendor page", + ) + author.name = AAZStrArg( + options=["name"], + help="Name of the author. 
Company or person.", + ) + + categories = cls._args_schema.categories + categories.domains = AAZListArg( + options=["domains"], + help="domain for the solution content item", + ) + categories.verticals = AAZListArg( + options=["verticals"], + help="Industry verticals for the solution content item", + ) + + domains = cls._args_schema.categories.domains + domains.Element = AAZStrArg() + + verticals = cls._args_schema.categories.verticals + verticals.Element = AAZStrArg() + + preview_images = cls._args_schema.preview_images + preview_images.Element = AAZStrArg() + + preview_images_dark = cls._args_schema.preview_images_dark + preview_images_dark.Element = AAZStrArg() + + providers = cls._args_schema.providers + providers.Element = AAZStrArg() + + source = cls._args_schema.source + source.kind = AAZStrArg( + options=["kind"], + help="Source type of the content", + required=True, + enum={"Community": "Community", "LocalWorkspace": "LocalWorkspace", "Solution": "Solution", "SourceRepository": "SourceRepository"}, + ) + source.name = AAZStrArg( + options=["name"], + help="Name of the content source. The repo name, solution name, LA workspace name etc.", + ) + source.source_id = AAZStrArg( + options=["source-id"], + help="ID of the content source. The solution ID, workspace ID, etc", + ) + + support = cls._args_schema.support + support.email = AAZStrArg( + options=["email"], + help="Email of support contact", + ) + support.link = AAZStrArg( + options=["link"], + help="Link for support help, like to support page to open a ticket etc.", + ) + support.name = AAZStrArg( + options=["name"], + help="Name of the support contact. 
Company or person.", + ) + support.tier = AAZStrArg( + options=["tier"], + help="Type of support for content item", + required=True, + enum={"Community": "Community", "Microsoft": "Microsoft", "Partner": "Partner"}, + ) + + threat_tactics = cls._args_schema.threat_tactics + threat_tactics.Element = AAZStrArg() + + threat_techniques = cls._args_schema.threat_techniques + threat_techniques.Element = AAZStrArg() + return cls._args_schema + + _args_metadata_dependencies_create = None + + @classmethod + def _build_args_metadata_dependencies_create(cls, _schema): + if cls._args_metadata_dependencies_create is not None: + _schema.content_id = cls._args_metadata_dependencies_create.content_id + _schema.criteria = cls._args_metadata_dependencies_create.criteria + _schema.kind = cls._args_metadata_dependencies_create.kind + _schema.name = cls._args_metadata_dependencies_create.name + _schema.operator = cls._args_metadata_dependencies_create.operator + _schema.version = cls._args_metadata_dependencies_create.version + return + + cls._args_metadata_dependencies_create = AAZObjectArg() + + metadata_dependencies_create = cls._args_metadata_dependencies_create + metadata_dependencies_create.content_id = AAZStrArg( + options=["content-id"], + help="Id of the content item we depend on", + ) + metadata_dependencies_create.criteria = AAZListArg( + options=["criteria"], + help="This is the list of dependencies we must fulfill, according to the AND/OR operator", + ) + metadata_dependencies_create.kind = AAZStrArg( + options=["kind"], + help="Type of the content item we depend on", + enum={"AnalyticsRule": "AnalyticsRule", "AnalyticsRuleTemplate": "AnalyticsRuleTemplate", "AutomationRule": "AutomationRule", "AzureFunction": "AzureFunction", "DataConnector": "DataConnector", "DataType": "DataType", "HuntingQuery": "HuntingQuery", "InvestigationQuery": "InvestigationQuery", "LogicAppsCustomConnector": "LogicAppsCustomConnector", "Parser": "Parser", "Playbook": "Playbook", 
"PlaybookTemplate": "PlaybookTemplate", "Solution": "Solution", "Watchlist": "Watchlist", "WatchlistTemplate": "WatchlistTemplate", "Workbook": "Workbook", "WorkbookTemplate": "WorkbookTemplate"}, + ) + metadata_dependencies_create.name = AAZStrArg( + options=["name"], + help="Name of the content item", + ) + metadata_dependencies_create.operator = AAZStrArg( + options=["operator"], + help="Operator used for list of dependencies in criteria array.", + enum={"AND": "AND", "OR": "OR"}, + ) + metadata_dependencies_create.version = AAZStrArg( + options=["version"], + help="Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.", + ) + + criteria = cls._args_metadata_dependencies_create.criteria + criteria.Element = AAZObjectArg() + cls._build_args_metadata_dependencies_create(criteria.Element) + + _schema.content_id = cls._args_metadata_dependencies_create.content_id + _schema.criteria = cls._args_metadata_dependencies_create.criteria + _schema.kind = cls._args_metadata_dependencies_create.kind + _schema.name = cls._args_metadata_dependencies_create.name + _schema.operator = cls._args_metadata_dependencies_create.operator + _schema.version = cls._args_metadata_dependencies_create.version + + def _execute_operations(self): + self.MetadataCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class MetadataCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "metadataName", self.ctx.args.metadata_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("author", AAZObjectType, ".author") + properties.set_prop("categories", AAZObjectType, ".categories") + properties.set_prop("contentId", AAZStrType, ".content_id") + properties.set_prop("contentSchemaVersion", AAZStrType, ".content_schema_version") + properties.set_prop("customVersion", AAZStrType, ".custom_version") + 
_build_schema_metadata_dependencies_create(properties.set_prop("dependencies", AAZObjectType, ".dependencies")) + properties.set_prop("firstPublishDate", AAZStrType, ".first_publish_date") + properties.set_prop("icon", AAZStrType, ".icon") + properties.set_prop("kind", AAZStrType, ".kind", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("lastPublishDate", AAZStrType, ".last_publish_date") + properties.set_prop("parentId", AAZStrType, ".parent_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("previewImages", AAZListType, ".preview_images") + properties.set_prop("previewImagesDark", AAZListType, ".preview_images_dark") + properties.set_prop("providers", AAZListType, ".providers") + properties.set_prop("source", AAZObjectType, ".source") + properties.set_prop("support", AAZObjectType, ".support") + properties.set_prop("threatAnalysisTactics", AAZListType, ".threat_tactics") + properties.set_prop("threatAnalysisTechniques", AAZListType, ".threat_techniques") + properties.set_prop("version", AAZStrType, ".version") + + author = _builder.get(".properties.author") + if author is not None: + author.set_prop("email", AAZStrType, ".email") + author.set_prop("link", AAZStrType, ".link") + author.set_prop("name", AAZStrType, ".name") + + categories = _builder.get(".properties.categories") + if categories is not None: + categories.set_prop("domains", AAZListType, ".domains") + categories.set_prop("verticals", AAZListType, ".verticals") + + domains = _builder.get(".properties.categories.domains") + if domains is not None: + domains.set_elements(AAZStrType, ".") + + verticals = _builder.get(".properties.categories.verticals") + if verticals is not None: + verticals.set_elements(AAZStrType, ".") + + preview_images = _builder.get(".properties.previewImages") + if preview_images is not None: + preview_images.set_elements(AAZStrType, ".") + + preview_images_dark = _builder.get(".properties.previewImagesDark") + if preview_images_dark is not None: + 
preview_images_dark.set_elements(AAZStrType, ".") + + providers = _builder.get(".properties.providers") + if providers is not None: + providers.set_elements(AAZStrType, ".") + + source = _builder.get(".properties.source") + if source is not None: + source.set_prop("kind", AAZStrType, ".kind", typ_kwargs={"flags": {"required": True}}) + source.set_prop("name", AAZStrType, ".name") + source.set_prop("sourceId", AAZStrType, ".source_id") + + support = _builder.get(".properties.support") + if support is not None: + support.set_prop("email", AAZStrType, ".email") + support.set_prop("link", AAZStrType, ".link") + support.set_prop("name", AAZStrType, ".name") + support.set_prop("tier", AAZStrType, ".tier", typ_kwargs={"flags": {"required": True}}) + + threat_analysis_tactics = _builder.get(".properties.threatAnalysisTactics") + if threat_analysis_tactics is not None: + threat_analysis_tactics.set_elements(AAZStrType, ".") + + threat_analysis_techniques = _builder.get(".properties.threatAnalysisTechniques") + if threat_analysis_techniques is not None: + threat_analysis_techniques.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + 
_schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.author = AAZObjectType() + properties.categories = AAZObjectType() + properties.content_id = AAZStrType( + serialized_name="contentId", + ) + properties.content_schema_version = AAZStrType( + serialized_name="contentSchemaVersion", + ) + properties.custom_version = AAZStrType( + serialized_name="customVersion", + ) + properties.dependencies = AAZObjectType() + _build_schema_metadata_dependencies_read(properties.dependencies) + properties.first_publish_date = AAZStrType( + serialized_name="firstPublishDate", + ) + properties.icon = AAZStrType() + properties.kind = AAZStrType( + flags={"required": True}, + ) + properties.last_publish_date = AAZStrType( + serialized_name="lastPublishDate", + ) + properties.parent_id = AAZStrType( + serialized_name="parentId", + flags={"required": True}, + ) + properties.preview_images = AAZListType( + serialized_name="previewImages", + ) + properties.preview_images_dark = AAZListType( + serialized_name="previewImagesDark", + ) + properties.providers = AAZListType() + properties.source = AAZObjectType() + properties.support = AAZObjectType() + properties.threat_analysis_tactics = AAZListType( + serialized_name="threatAnalysisTactics", + ) + properties.threat_analysis_techniques = AAZListType( + serialized_name="threatAnalysisTechniques", + ) + properties.version = AAZStrType() + + author = cls._schema_on_200_201.properties.author + author.email = AAZStrType() + author.link = AAZStrType() + author.name = AAZStrType() + + categories = cls._schema_on_200_201.properties.categories + categories.domains = AAZListType() + categories.verticals = AAZListType() + + domains = cls._schema_on_200_201.properties.categories.domains + domains.Element = AAZStrType() + + verticals = cls._schema_on_200_201.properties.categories.verticals + verticals.Element = AAZStrType() + + preview_images = 
cls._schema_on_200_201.properties.preview_images + preview_images.Element = AAZStrType() + + preview_images_dark = cls._schema_on_200_201.properties.preview_images_dark + preview_images_dark.Element = AAZStrType() + + providers = cls._schema_on_200_201.properties.providers + providers.Element = AAZStrType() + + source = cls._schema_on_200_201.properties.source + source.kind = AAZStrType( + flags={"required": True}, + ) + source.name = AAZStrType() + source.source_id = AAZStrType( + serialized_name="sourceId", + ) + + support = cls._schema_on_200_201.properties.support + support.email = AAZStrType() + support.link = AAZStrType() + support.name = AAZStrType() + support.tier = AAZStrType( + flags={"required": True}, + ) + + threat_analysis_tactics = cls._schema_on_200_201.properties.threat_analysis_tactics + threat_analysis_tactics.Element = AAZStrType() + + threat_analysis_techniques = cls._schema_on_200_201.properties.threat_analysis_techniques + threat_analysis_techniques.Element = AAZStrType() + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +def _build_schema_metadata_dependencies_create(_builder): + if _builder is None: + return + _builder.set_prop("contentId", AAZStrType, ".content_id") + _builder.set_prop("criteria", AAZListType, ".criteria") + 
_builder.set_prop("kind", AAZStrType, ".kind") + _builder.set_prop("name", AAZStrType, ".name") + _builder.set_prop("operator", AAZStrType, ".operator") + _builder.set_prop("version", AAZStrType, ".version") + + criteria = _builder.get(".criteria") + if criteria is not None: + _build_schema_metadata_dependencies_create(criteria.set_elements(AAZObjectType, ".")) + + +_schema_metadata_dependencies_read = None + + +def _build_schema_metadata_dependencies_read(_schema): + global _schema_metadata_dependencies_read + if _schema_metadata_dependencies_read is not None: + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + return + + _schema_metadata_dependencies_read = AAZObjectType() + + metadata_dependencies_read = _schema_metadata_dependencies_read + metadata_dependencies_read.content_id = AAZStrType( + serialized_name="contentId", + ) + metadata_dependencies_read.criteria = AAZListType() + metadata_dependencies_read.kind = AAZStrType() + metadata_dependencies_read.name = AAZStrType() + metadata_dependencies_read.operator = AAZStrType() + metadata_dependencies_read.version = AAZStrType() + + criteria = _schema_metadata_dependencies_read.criteria + criteria.Element = AAZObjectType() + _build_schema_metadata_dependencies_read(criteria.Element) + + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + + +__all__ = ["Create"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_delete.py new file mode 100644 index 00000000000..1e023025c52 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel metadata delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete a Metadata. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/metadata/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.metadata_name = AAZStrArg( + options=["-n", "--name", "--metadata-name"], + help="The Metadata name.", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.MetadataDelete(ctx=self.ctx)() + + class MetadataDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = 
self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "metadataName", self.ctx.args.metadata_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_list.py new file mode 100644 index 00000000000..919cd84c73c --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_list.py 
@@ -0,0 +1,361 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel metadata list", + is_experimental=True, +) +class List(AAZCommand): + """List of all metadata + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/metadata", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. Optional.", + ) + _args_schema.skip = AAZIntArg( + options=["--skip"], + help="Used to skip n elements in the OData query (offset). 
Returns a nextLink to the next page of results if there are any left.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.MetadataList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class MetadataList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + "$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( + "$skip", self.ctx.args.skip, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + 
**self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.author = AAZObjectType() + properties.categories = AAZObjectType() + properties.content_id = AAZStrType( + serialized_name="contentId", + ) + properties.content_schema_version = AAZStrType( + serialized_name="contentSchemaVersion", + ) + properties.custom_version = AAZStrType( + serialized_name="customVersion", + ) + properties.dependencies = AAZObjectType() + _build_schema_metadata_dependencies_read(properties.dependencies) + properties.first_publish_date = AAZStrType( + serialized_name="firstPublishDate", + ) + properties.icon = AAZStrType() + properties.kind = 
AAZStrType( + flags={"required": True}, + ) + properties.last_publish_date = AAZStrType( + serialized_name="lastPublishDate", + ) + properties.parent_id = AAZStrType( + serialized_name="parentId", + flags={"required": True}, + ) + properties.preview_images = AAZListType( + serialized_name="previewImages", + ) + properties.preview_images_dark = AAZListType( + serialized_name="previewImagesDark", + ) + properties.providers = AAZListType() + properties.source = AAZObjectType() + properties.support = AAZObjectType() + properties.threat_analysis_tactics = AAZListType( + serialized_name="threatAnalysisTactics", + ) + properties.threat_analysis_techniques = AAZListType( + serialized_name="threatAnalysisTechniques", + ) + properties.version = AAZStrType() + + author = cls._schema_on_200.value.Element.properties.author + author.email = AAZStrType() + author.link = AAZStrType() + author.name = AAZStrType() + + categories = cls._schema_on_200.value.Element.properties.categories + categories.domains = AAZListType() + categories.verticals = AAZListType() + + domains = cls._schema_on_200.value.Element.properties.categories.domains + domains.Element = AAZStrType() + + verticals = cls._schema_on_200.value.Element.properties.categories.verticals + verticals.Element = AAZStrType() + + preview_images = cls._schema_on_200.value.Element.properties.preview_images + preview_images.Element = AAZStrType() + + preview_images_dark = cls._schema_on_200.value.Element.properties.preview_images_dark + preview_images_dark.Element = AAZStrType() + + providers = cls._schema_on_200.value.Element.properties.providers + providers.Element = AAZStrType() + + source = cls._schema_on_200.value.Element.properties.source + source.kind = AAZStrType( + flags={"required": True}, + ) + source.name = AAZStrType() + source.source_id = AAZStrType( + serialized_name="sourceId", + ) + + support = cls._schema_on_200.value.Element.properties.support + support.email = AAZStrType() + support.link = AAZStrType() + 
support.name = AAZStrType() + support.tier = AAZStrType( + flags={"required": True}, + ) + + threat_analysis_tactics = cls._schema_on_200.value.Element.properties.threat_analysis_tactics + threat_analysis_tactics.Element = AAZStrType() + + threat_analysis_techniques = cls._schema_on_200.value.Element.properties.threat_analysis_techniques + threat_analysis_techniques.Element = AAZStrType() + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_metadata_dependencies_read = None + + +def _build_schema_metadata_dependencies_read(_schema): + global _schema_metadata_dependencies_read + if _schema_metadata_dependencies_read is not None: + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + return + + _schema_metadata_dependencies_read = AAZObjectType() + + metadata_dependencies_read = _schema_metadata_dependencies_read + metadata_dependencies_read.content_id = AAZStrType( + serialized_name="contentId", + ) + metadata_dependencies_read.criteria = 
AAZListType() + metadata_dependencies_read.kind = AAZStrType() + metadata_dependencies_read.name = AAZStrType() + metadata_dependencies_read.operator = AAZStrType() + metadata_dependencies_read.version = AAZStrType() + + criteria = _schema_metadata_dependencies_read.criteria + criteria.Element = AAZObjectType() + _build_schema_metadata_dependencies_read(criteria.Element) + + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_show.py new file mode 100644 index 00000000000..18232335898 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_show.py 
@@ -0,0 +1,332 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel metadata show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a Metadata. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/metadata/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.metadata_name = AAZStrArg( + options=["-n", "--name", "--metadata-name"], + help="The Metadata name.", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.MetadataGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class MetadataGet(AAZHttpOperation): + CLIENT_TYPE = 
"MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "metadataName", self.ctx.args.metadata_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": 
True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.author = AAZObjectType() + properties.categories = AAZObjectType() + properties.content_id = AAZStrType( + serialized_name="contentId", + ) + properties.content_schema_version = AAZStrType( + serialized_name="contentSchemaVersion", + ) + properties.custom_version = AAZStrType( + serialized_name="customVersion", + ) + properties.dependencies = AAZObjectType() + _build_schema_metadata_dependencies_read(properties.dependencies) + properties.first_publish_date = AAZStrType( + serialized_name="firstPublishDate", + ) + properties.icon = AAZStrType() + properties.kind = AAZStrType( + flags={"required": True}, + ) + properties.last_publish_date = AAZStrType( + serialized_name="lastPublishDate", + ) + properties.parent_id = AAZStrType( + serialized_name="parentId", + flags={"required": True}, + ) + properties.preview_images = AAZListType( + serialized_name="previewImages", + ) + properties.preview_images_dark = AAZListType( + serialized_name="previewImagesDark", + ) + properties.providers = AAZListType() + properties.source = AAZObjectType() + properties.support = AAZObjectType() + properties.threat_analysis_tactics = AAZListType( + serialized_name="threatAnalysisTactics", + ) + properties.threat_analysis_techniques = AAZListType( + serialized_name="threatAnalysisTechniques", + ) + properties.version = AAZStrType() + + author = cls._schema_on_200.properties.author + author.email = AAZStrType() + author.link = AAZStrType() + author.name = AAZStrType() + + categories = cls._schema_on_200.properties.categories + categories.domains = AAZListType() + categories.verticals = 
AAZListType() + + domains = cls._schema_on_200.properties.categories.domains + domains.Element = AAZStrType() + + verticals = cls._schema_on_200.properties.categories.verticals + verticals.Element = AAZStrType() + + preview_images = cls._schema_on_200.properties.preview_images + preview_images.Element = AAZStrType() + + preview_images_dark = cls._schema_on_200.properties.preview_images_dark + preview_images_dark.Element = AAZStrType() + + providers = cls._schema_on_200.properties.providers + providers.Element = AAZStrType() + + source = cls._schema_on_200.properties.source + source.kind = AAZStrType( + flags={"required": True}, + ) + source.name = AAZStrType() + source.source_id = AAZStrType( + serialized_name="sourceId", + ) + + support = cls._schema_on_200.properties.support + support.email = AAZStrType() + support.link = AAZStrType() + support.name = AAZStrType() + support.tier = AAZStrType( + flags={"required": True}, + ) + + threat_analysis_tactics = cls._schema_on_200.properties.threat_analysis_tactics + threat_analysis_tactics.Element = AAZStrType() + + threat_analysis_techniques = cls._schema_on_200.properties.threat_analysis_techniques + threat_analysis_techniques.Element = AAZStrType() + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + 
+_schema_metadata_dependencies_read = None + + +def _build_schema_metadata_dependencies_read(_schema): + global _schema_metadata_dependencies_read + if _schema_metadata_dependencies_read is not None: + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + return + + _schema_metadata_dependencies_read = AAZObjectType() + + metadata_dependencies_read = _schema_metadata_dependencies_read + metadata_dependencies_read.content_id = AAZStrType( + serialized_name="contentId", + ) + metadata_dependencies_read.criteria = AAZListType() + metadata_dependencies_read.kind = AAZStrType() + metadata_dependencies_read.name = AAZStrType() + metadata_dependencies_read.operator = AAZStrType() + metadata_dependencies_read.version = AAZStrType() + + criteria = _schema_metadata_dependencies_read.criteria + criteria.Element = AAZObjectType() + _build_schema_metadata_dependencies_read(criteria.Element) + + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_update.py new file mode 100644 index 00000000000..e97adc2345c --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/metadata/_update.py 
@@ -0,0 +1,855 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel metadata update", + is_experimental=True, +) +class Update(AAZCommand): + """Update a Metadata. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/metadata/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.metadata_name = AAZStrArg( + options=["-n", "--name", "--metadata-name"], + help="The Metadata name.", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Metadata" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Metadata", + help="Etag of the azure resource", + nullable=True, + ) + + # define Arg Group "Properties" + + 
_args_schema = cls._args_schema + _args_schema.author = AAZObjectArg( + options=["--author"], + arg_group="Properties", + help="The creator of the content item.", + nullable=True, + ) + _args_schema.categories = AAZObjectArg( + options=["--categories"], + arg_group="Properties", + help="Categories for the solution content item", + nullable=True, + ) + _args_schema.content_id = AAZStrArg( + options=["--content-id"], + arg_group="Properties", + help="Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name", + nullable=True, + ) + _args_schema.content_schema_version = AAZStrArg( + options=["--content-schema-version"], + arg_group="Properties", + help="Schema version of the content. Can be used to distinguish between different flow based on the schema version", + nullable=True, + ) + _args_schema.custom_version = AAZStrArg( + options=["--custom-version"], + arg_group="Properties", + help="The custom version of the content. A optional free text", + nullable=True, + ) + _args_schema.dependencies = AAZObjectArg( + options=["--dependencies"], + arg_group="Properties", + help="Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats.", + nullable=True, + ) + cls._build_args_metadata_dependencies_update(_args_schema.dependencies) + _args_schema.first_publish_date = AAZStrArg( + options=["--first-publish-date"], + arg_group="Properties", + help="first publish date solution content item", + nullable=True, + ) + _args_schema.icon = AAZStrArg( + options=["--icon"], + arg_group="Properties", + help="the icon identifier. 
this id can later be fetched from the solution template", + nullable=True, + ) + _args_schema.kind = AAZStrArg( + options=["--kind"], + arg_group="Properties", + help="The kind of content the metadata is for.", + enum={"AnalyticsRule": "AnalyticsRule", "AnalyticsRuleTemplate": "AnalyticsRuleTemplate", "AutomationRule": "AutomationRule", "AzureFunction": "AzureFunction", "DataConnector": "DataConnector", "DataType": "DataType", "HuntingQuery": "HuntingQuery", "InvestigationQuery": "InvestigationQuery", "LogicAppsCustomConnector": "LogicAppsCustomConnector", "Parser": "Parser", "Playbook": "Playbook", "PlaybookTemplate": "PlaybookTemplate", "Solution": "Solution", "Watchlist": "Watchlist", "WatchlistTemplate": "WatchlistTemplate", "Workbook": "Workbook", "WorkbookTemplate": "WorkbookTemplate"}, + ) + _args_schema.last_publish_date = AAZStrArg( + options=["--last-publish-date"], + arg_group="Properties", + help="last publish date for the solution content item", + nullable=True, + ) + _args_schema.parent_id = AAZStrArg( + options=["--parent-id"], + arg_group="Properties", + help="Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)", + ) + _args_schema.preview_images = AAZListArg( + options=["--preview-images"], + arg_group="Properties", + help="preview image file names. These will be taken from the solution artifacts", + nullable=True, + ) + _args_schema.preview_images_dark = AAZListArg( + options=["--preview-images-dark"], + arg_group="Properties", + help="preview image file names. These will be taken from the solution artifacts. used for dark theme support", + nullable=True, + ) + _args_schema.providers = AAZListArg( + options=["--providers"], + arg_group="Properties", + help="Providers for the solution content item", + nullable=True, + ) + _args_schema.source = AAZObjectArg( + options=["--source"], + arg_group="Properties", + help="Source of the content. 
This is where/how it was created.", + nullable=True, + ) + _args_schema.support = AAZObjectArg( + options=["--support"], + arg_group="Properties", + help="Support information for the metadata - type, name, contact information", + nullable=True, + ) + _args_schema.threat_tactics = AAZListArg( + options=["--threat-tactics"], + arg_group="Properties", + help="the tactics the resource covers", + nullable=True, + ) + _args_schema.threat_techniques = AAZListArg( + options=["--threat-techniques"], + arg_group="Properties", + help="the techniques the resource covers, these have to be aligned with the tactics being used", + nullable=True, + ) + _args_schema.version = AAZStrArg( + options=["--version"], + arg_group="Properties", + help="Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks", + nullable=True, + ) + + author = cls._args_schema.author + author.email = AAZStrArg( + options=["email"], + help="Email of author contact", + nullable=True, + ) + author.link = AAZStrArg( + options=["link"], + help="Link for author/vendor page", + nullable=True, + ) + author.name = AAZStrArg( + options=["name"], + help="Name of the author. 
Company or person.", + nullable=True, + ) + + categories = cls._args_schema.categories + categories.domains = AAZListArg( + options=["domains"], + help="domain for the solution content item", + nullable=True, + ) + categories.verticals = AAZListArg( + options=["verticals"], + help="Industry verticals for the solution content item", + nullable=True, + ) + + domains = cls._args_schema.categories.domains + domains.Element = AAZStrArg() + + verticals = cls._args_schema.categories.verticals + verticals.Element = AAZStrArg() + + preview_images = cls._args_schema.preview_images + preview_images.Element = AAZStrArg() + + preview_images_dark = cls._args_schema.preview_images_dark + preview_images_dark.Element = AAZStrArg() + + providers = cls._args_schema.providers + providers.Element = AAZStrArg() + + source = cls._args_schema.source + source.kind = AAZStrArg( + options=["kind"], + help="Source type of the content", + enum={"Community": "Community", "LocalWorkspace": "LocalWorkspace", "Solution": "Solution", "SourceRepository": "SourceRepository"}, + ) + source.name = AAZStrArg( + options=["name"], + help="Name of the content source. The repo name, solution name, LA workspace name etc.", + nullable=True, + ) + source.source_id = AAZStrArg( + options=["source-id"], + help="ID of the content source. The solution ID, workspace ID, etc", + nullable=True, + ) + + support = cls._args_schema.support + support.email = AAZStrArg( + options=["email"], + help="Email of support contact", + nullable=True, + ) + support.link = AAZStrArg( + options=["link"], + help="Link for support help, like to support page to open a ticket etc.", + nullable=True, + ) + support.name = AAZStrArg( + options=["name"], + help="Name of the support contact. 
Company or person.", + nullable=True, + ) + support.tier = AAZStrArg( + options=["tier"], + help="Type of support for content item", + enum={"Community": "Community", "Microsoft": "Microsoft", "Partner": "Partner"}, + ) + + threat_tactics = cls._args_schema.threat_tactics + threat_tactics.Element = AAZStrArg() + + threat_techniques = cls._args_schema.threat_techniques + threat_techniques.Element = AAZStrArg() + return cls._args_schema + + _args_metadata_dependencies_update = None + + @classmethod + def _build_args_metadata_dependencies_update(cls, _schema): + if cls._args_metadata_dependencies_update is not None: + _schema.content_id = cls._args_metadata_dependencies_update.content_id + _schema.criteria = cls._args_metadata_dependencies_update.criteria + _schema.kind = cls._args_metadata_dependencies_update.kind + _schema.name = cls._args_metadata_dependencies_update.name + _schema.operator = cls._args_metadata_dependencies_update.operator + _schema.version = cls._args_metadata_dependencies_update.version + return + + cls._args_metadata_dependencies_update = AAZObjectArg( + nullable=True, + ) + + metadata_dependencies_update = cls._args_metadata_dependencies_update + metadata_dependencies_update.content_id = AAZStrArg( + options=["content-id"], + help="Id of the content item we depend on", + nullable=True, + ) + metadata_dependencies_update.criteria = AAZListArg( + options=["criteria"], + help="This is the list of dependencies we must fulfill, according to the AND/OR operator", + nullable=True, + ) + metadata_dependencies_update.kind = AAZStrArg( + options=["kind"], + help="Type of the content item we depend on", + nullable=True, + enum={"AnalyticsRule": "AnalyticsRule", "AnalyticsRuleTemplate": "AnalyticsRuleTemplate", "AutomationRule": "AutomationRule", "AzureFunction": "AzureFunction", "DataConnector": "DataConnector", "DataType": "DataType", "HuntingQuery": "HuntingQuery", "InvestigationQuery": "InvestigationQuery", "LogicAppsCustomConnector": 
"LogicAppsCustomConnector", "Parser": "Parser", "Playbook": "Playbook", "PlaybookTemplate": "PlaybookTemplate", "Solution": "Solution", "Watchlist": "Watchlist", "WatchlistTemplate": "WatchlistTemplate", "Workbook": "Workbook", "WorkbookTemplate": "WorkbookTemplate"}, + ) + metadata_dependencies_update.name = AAZStrArg( + options=["name"], + help="Name of the content item", + nullable=True, + ) + metadata_dependencies_update.operator = AAZStrArg( + options=["operator"], + help="Operator used for list of dependencies in criteria array.", + nullable=True, + enum={"AND": "AND", "OR": "OR"}, + ) + metadata_dependencies_update.version = AAZStrArg( + options=["version"], + help="Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.", + nullable=True, + ) + + criteria = cls._args_metadata_dependencies_update.criteria + criteria.Element = AAZObjectArg( + nullable=True, + ) + cls._build_args_metadata_dependencies_update(criteria.Element) + + _schema.content_id = cls._args_metadata_dependencies_update.content_id + _schema.criteria = cls._args_metadata_dependencies_update.criteria + _schema.kind = cls._args_metadata_dependencies_update.kind + _schema.name = cls._args_metadata_dependencies_update.name + _schema.operator = cls._args_metadata_dependencies_update.operator + _schema.version = cls._args_metadata_dependencies_update.version + + def _execute_operations(self): + self.MetadataGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.MetadataCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class MetadataGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = 
self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "metadataName", self.ctx.args.metadata_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_metadata_model_read(cls._schema_on_200) + + return cls._schema_on_200 + + class MetadataCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = 
self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "metadataName", self.ctx.args.metadata_name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if 
cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_metadata_model_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("author", AAZObjectType, ".author") + properties.set_prop("categories", AAZObjectType, ".categories") + properties.set_prop("contentId", AAZStrType, ".content_id") + properties.set_prop("contentSchemaVersion", AAZStrType, ".content_schema_version") + properties.set_prop("customVersion", AAZStrType, ".custom_version") + _build_schema_metadata_dependencies_update(properties.set_prop("dependencies", AAZObjectType, ".dependencies")) + properties.set_prop("firstPublishDate", AAZStrType, ".first_publish_date") + properties.set_prop("icon", AAZStrType, ".icon") + properties.set_prop("kind", AAZStrType, ".kind", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("lastPublishDate", AAZStrType, ".last_publish_date") + properties.set_prop("parentId", AAZStrType, ".parent_id", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("previewImages", AAZListType, ".preview_images") + properties.set_prop("previewImagesDark", AAZListType, ".preview_images_dark") + properties.set_prop("providers", AAZListType, ".providers") + properties.set_prop("source", AAZObjectType, ".source") + properties.set_prop("support", AAZObjectType, ".support") + properties.set_prop("threatAnalysisTactics", AAZListType, ".threat_tactics") 
+ properties.set_prop("threatAnalysisTechniques", AAZListType, ".threat_techniques") + properties.set_prop("version", AAZStrType, ".version") + + author = _builder.get(".properties.author") + if author is not None: + author.set_prop("email", AAZStrType, ".email") + author.set_prop("link", AAZStrType, ".link") + author.set_prop("name", AAZStrType, ".name") + + categories = _builder.get(".properties.categories") + if categories is not None: + categories.set_prop("domains", AAZListType, ".domains") + categories.set_prop("verticals", AAZListType, ".verticals") + + domains = _builder.get(".properties.categories.domains") + if domains is not None: + domains.set_elements(AAZStrType, ".") + + verticals = _builder.get(".properties.categories.verticals") + if verticals is not None: + verticals.set_elements(AAZStrType, ".") + + preview_images = _builder.get(".properties.previewImages") + if preview_images is not None: + preview_images.set_elements(AAZStrType, ".") + + preview_images_dark = _builder.get(".properties.previewImagesDark") + if preview_images_dark is not None: + preview_images_dark.set_elements(AAZStrType, ".") + + providers = _builder.get(".properties.providers") + if providers is not None: + providers.set_elements(AAZStrType, ".") + + source = _builder.get(".properties.source") + if source is not None: + source.set_prop("kind", AAZStrType, ".kind", typ_kwargs={"flags": {"required": True}}) + source.set_prop("name", AAZStrType, ".name") + source.set_prop("sourceId", AAZStrType, ".source_id") + + support = _builder.get(".properties.support") + if support is not None: + support.set_prop("email", AAZStrType, ".email") + support.set_prop("link", AAZStrType, ".link") + support.set_prop("name", AAZStrType, ".name") + support.set_prop("tier", AAZStrType, ".tier", typ_kwargs={"flags": {"required": True}}) + + threat_analysis_tactics = _builder.get(".properties.threatAnalysisTactics") + if threat_analysis_tactics is not None: + 
threat_analysis_tactics.set_elements(AAZStrType, ".") + + threat_analysis_techniques = _builder.get(".properties.threatAnalysisTechniques") + if threat_analysis_techniques is not None: + threat_analysis_techniques.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +def _build_schema_metadata_dependencies_update(_builder): + if _builder is None: + return + _builder.set_prop("contentId", AAZStrType, ".content_id") + _builder.set_prop("criteria", AAZListType, ".criteria") + _builder.set_prop("kind", AAZStrType, ".kind") + _builder.set_prop("name", AAZStrType, ".name") + _builder.set_prop("operator", AAZStrType, ".operator") + _builder.set_prop("version", AAZStrType, ".version") + + criteria = _builder.get(".criteria") + if criteria is not None: + _build_schema_metadata_dependencies_update(criteria.set_elements(AAZObjectType, ".")) + + +_schema_metadata_dependencies_read = None + + +def _build_schema_metadata_dependencies_read(_schema): + global _schema_metadata_dependencies_read + if _schema_metadata_dependencies_read is not None: + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + return + + _schema_metadata_dependencies_read = AAZObjectType() + + metadata_dependencies_read = _schema_metadata_dependencies_read + metadata_dependencies_read.content_id = AAZStrType( + serialized_name="contentId", + ) + metadata_dependencies_read.criteria = AAZListType() + metadata_dependencies_read.kind = AAZStrType() + metadata_dependencies_read.name = 
AAZStrType() + metadata_dependencies_read.operator = AAZStrType() + metadata_dependencies_read.version = AAZStrType() + + criteria = _schema_metadata_dependencies_read.criteria + criteria.Element = AAZObjectType() + _build_schema_metadata_dependencies_read(criteria.Element) + + _schema.content_id = _schema_metadata_dependencies_read.content_id + _schema.criteria = _schema_metadata_dependencies_read.criteria + _schema.kind = _schema_metadata_dependencies_read.kind + _schema.name = _schema_metadata_dependencies_read.name + _schema.operator = _schema_metadata_dependencies_read.operator + _schema.version = _schema_metadata_dependencies_read.version + + +_schema_metadata_model_read = None + + +def _build_schema_metadata_model_read(_schema): + global _schema_metadata_model_read + if _schema_metadata_model_read is not None: + _schema.etag = _schema_metadata_model_read.etag + _schema.id = _schema_metadata_model_read.id + _schema.name = _schema_metadata_model_read.name + _schema.properties = _schema_metadata_model_read.properties + _schema.system_data = _schema_metadata_model_read.system_data + _schema.type = _schema_metadata_model_read.type + return + + _schema_metadata_model_read = AAZObjectType() + + metadata_model_read = _schema_metadata_model_read + metadata_model_read.etag = AAZStrType() + metadata_model_read.id = AAZStrType( + flags={"read_only": True}, + ) + metadata_model_read.name = AAZStrType( + flags={"read_only": True}, + ) + metadata_model_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + metadata_model_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + metadata_model_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_metadata_model_read.properties + properties.author = AAZObjectType() + properties.categories = AAZObjectType() + properties.content_id = AAZStrType( + serialized_name="contentId", + ) + properties.content_schema_version = AAZStrType( + 
serialized_name="contentSchemaVersion", + ) + properties.custom_version = AAZStrType( + serialized_name="customVersion", + ) + properties.dependencies = AAZObjectType() + _build_schema_metadata_dependencies_read(properties.dependencies) + properties.first_publish_date = AAZStrType( + serialized_name="firstPublishDate", + ) + properties.icon = AAZStrType() + properties.kind = AAZStrType( + flags={"required": True}, + ) + properties.last_publish_date = AAZStrType( + serialized_name="lastPublishDate", + ) + properties.parent_id = AAZStrType( + serialized_name="parentId", + flags={"required": True}, + ) + properties.preview_images = AAZListType( + serialized_name="previewImages", + ) + properties.preview_images_dark = AAZListType( + serialized_name="previewImagesDark", + ) + properties.providers = AAZListType() + properties.source = AAZObjectType() + properties.support = AAZObjectType() + properties.threat_analysis_tactics = AAZListType( + serialized_name="threatAnalysisTactics", + ) + properties.threat_analysis_techniques = AAZListType( + serialized_name="threatAnalysisTechniques", + ) + properties.version = AAZStrType() + + author = _schema_metadata_model_read.properties.author + author.email = AAZStrType() + author.link = AAZStrType() + author.name = AAZStrType() + + categories = _schema_metadata_model_read.properties.categories + categories.domains = AAZListType() + categories.verticals = AAZListType() + + domains = _schema_metadata_model_read.properties.categories.domains + domains.Element = AAZStrType() + + verticals = _schema_metadata_model_read.properties.categories.verticals + verticals.Element = AAZStrType() + + preview_images = _schema_metadata_model_read.properties.preview_images + preview_images.Element = AAZStrType() + + preview_images_dark = _schema_metadata_model_read.properties.preview_images_dark + preview_images_dark.Element = AAZStrType() + + providers = _schema_metadata_model_read.properties.providers + providers.Element = AAZStrType() + + source = 
_schema_metadata_model_read.properties.source + source.kind = AAZStrType( + flags={"required": True}, + ) + source.name = AAZStrType() + source.source_id = AAZStrType( + serialized_name="sourceId", + ) + + support = _schema_metadata_model_read.properties.support + support.email = AAZStrType() + support.link = AAZStrType() + support.name = AAZStrType() + support.tier = AAZStrType( + flags={"required": True}, + ) + + threat_analysis_tactics = _schema_metadata_model_read.properties.threat_analysis_tactics + threat_analysis_tactics.Element = AAZStrType() + + threat_analysis_techniques = _schema_metadata_model_read.properties.threat_analysis_techniques + threat_analysis_techniques.Element = AAZStrType() + + system_data = _schema_metadata_model_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_metadata_model_read.etag + _schema.id = _schema_metadata_model_read.id + _schema.name = _schema_metadata_model_read.name + _schema.properties = _schema_metadata_model_read.properties + _schema.system_data = _schema_metadata_model_read.system_data + _schema.type = _schema_metadata_model_read.type + + +__all__ = ["Update"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__cmd_group.py new file mode 100644 index 00000000000..330fba8e7e1 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel office-consent", +) +class __CMDGroup(AAZCommandGroup): + """Manage office consent with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__init__.py new file mode 100644 index 00000000000..054d52707ea --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/__init__.py @@ -0,0 +1,14 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._delete import * +from ._list import * +from ._show import * 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_delete.py new file mode 100644 index 00000000000..c733e0dfea3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel office-consent delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete the office365 consent. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/officeconsents/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.consent_id = AAZStrArg( + options=["-n", "--name", "--consent-id"], + help="consent ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.OfficeConsentsDelete(ctx=self.ctx)() + + class OfficeConsentsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "consentId", self.ctx.args.consent_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_list.py new file mode 100644 index 00000000000..c0c1e9624bc --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_list.py 
@@ -0,0 +1,210 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel office-consent list", + is_experimental=True, +) +class List(AAZCommand): + """Get all office365 consents. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/officeconsents", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.OfficeConsentsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class OfficeConsentsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = 
AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.consent_id = AAZStrType( + serialized_name="consentId", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_show.py new file mode 100644 index 00000000000..ea319808b12 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/office_consent/_show.py 
@@ -0,0 +1,209 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel office-consent show", + is_experimental=True, +) +class Show(AAZCommand): + """Get an office365 consent. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/officeconsents/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.consent_id = AAZStrArg( + options=["-n", "--name", "--consent-id"], + help="consent ID", + required=True, + id_part="child_name_1", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.OfficeConsentsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class OfficeConsentsGet(AAZHttpOperation): 
+ CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "consentId", self.ctx.args.consent_id, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + 
_schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.consent_id = AAZStrType( + serialized_name="consentId", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__cmd_group.py new file mode 100644 index 00000000000..333c2550efd --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__cmd_group.py 
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel onboarding-state", +) +class __CMDGroup(AAZCommandGroup): + """Manage onboarding state with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_create.py new file mode 100644 index 00000000000..79166889b5f --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_create.py 
@@ -0,0 +1,244 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel onboarding-state create", + is_experimental=True, +) +class Create(AAZCommand): + """Create Sentinel onboarding state + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/onboardingstates/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.sentinel_onboarding_state_name = AAZStrArg( + options=["-n", "--name", "--sentinel-onboarding-state-name"], + help="The Sentinel onboarding state name. 
Supports - default", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.customer_managed_key = AAZBoolArg( + options=["--customer-managed-key"], + arg_group="Properties", + help="Flag that indicates the status of the CMK setting", + ) + + # define Arg Group "SentinelOnboardingStateParameter" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SentinelOnboardingStateParameter", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.SentinelOnboardingStatesCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SentinelOnboardingStatesCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + 
"sentinelOnboardingStateName", self.ctx.args.sentinel_onboarding_state_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("customerManagedKey", AAZBoolType, ".customer_managed_key") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = 
AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.customer_managed_key = AAZBoolType( + serialized_name="customerManagedKey", + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_delete.py new file mode 100644 index 00000000000..b74e3ffb83e --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel onboarding-state delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete Sentinel onboarding state + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/onboardingstates/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.sentinel_onboarding_state_name = AAZStrArg( + options=["-n", "--name", "--sentinel-onboarding-state-name"], + help="The Sentinel onboarding state name. 
Supports - default", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.SentinelOnboardingStatesDelete(ctx=self.ctx)() + + class SentinelOnboardingStatesDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sentinelOnboardingStateName", self.ctx.args.sentinel_onboarding_state_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, 
session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_list.py new file mode 100644 index 00000000000..4b0461cfb33 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_list.py 
@@ -0,0 +1,204 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel onboarding-state list", + is_experimental=True, +) +class List(AAZCommand): + """Get all Sentinel onboarding states + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/onboardingstates", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.SentinelOnboardingStatesList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SentinelOnboardingStatesList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = 
self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name 
= AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.customer_managed_key = AAZBoolType( + serialized_name="customerManagedKey", + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_show.py new file mode 100644 index 00000000000..0f55fe3da99 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_show.py 
@@ -0,0 +1,207 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel onboarding-state show", + is_experimental=True, +) +class Show(AAZCommand): + """Get Sentinel onboarding state + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/onboardingstates/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.sentinel_onboarding_state_name = AAZStrArg( + options=["-n", "--name", "--sentinel-onboarding-state-name"], + help="The Sentinel onboarding state name. 
Supports - default", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.SentinelOnboardingStatesGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SentinelOnboardingStatesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sentinelOnboardingStateName", self.ctx.args.sentinel_onboarding_state_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property 
+ def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.customer_managed_key = AAZBoolType( + serialized_name="customerManagedKey", + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] 
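Review bot: `SentinelOnboardingStatesGet._build_schema_on_200` in `_show.py` rebuilds the full onboarding-state response schema inline (etag, id, name, properties.customer_managed_key, system_data.*, type), while `_update.py` in the same commit factors the identical field set into a module-level `_build_schema_sentinel_onboarding_state_read`, and `_list.py`'s `Element` schema repeats it a third time. Three copies of one schema will drift the first time a field is added to only one of them. If the generator cannot share the helper across modules, a one-line comment above the builder, `# Keep in sync with _build_schema_sentinel_onboarding_state_read in _update.py`, would at least flag the coupling for the next regeneration. The `--name` help `"The Sentinel onboarding state name. Supports - default"` would also read better as `"The Sentinel onboarding state name. Only 'default' is supported."`, which matches what the text appears to mean.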
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_update.py new file mode 100644 index 00000000000..a98c4c7dbc8 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/onboarding_state/_update.py 
@@ -0,0 +1,384 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel onboarding-state update", + is_experimental=True, +) +class Update(AAZCommand): + """Update Sentinel onboarding state + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/onboardingstates/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.sentinel_onboarding_state_name = AAZStrArg( + options=["-n", "--name", "--sentinel-onboarding-state-name"], + help="The Sentinel onboarding state name. 
Supports - default", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.customer_managed_key = AAZBoolArg( + options=["--customer-managed-key"], + arg_group="Properties", + help="Flag that indicates the status of the CMK setting", + nullable=True, + ) + + # define Arg Group "SentinelOnboardingStateParameter" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SentinelOnboardingStateParameter", + help="Etag of the azure resource", + nullable=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.SentinelOnboardingStatesGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.SentinelOnboardingStatesCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SentinelOnboardingStatesGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): 
+ parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sentinelOnboardingStateName", self.ctx.args.sentinel_onboarding_state_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_sentinel_onboarding_state_read(cls._schema_on_200) + + return cls._schema_on_200 + + class SentinelOnboardingStatesCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + 
+ @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sentinelOnboardingStateName", self.ctx.args.sentinel_onboarding_state_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_sentinel_onboarding_state_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + 
_builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("customerManagedKey", AAZBoolType, ".customer_managed_key") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_sentinel_onboarding_state_read = None + + +def _build_schema_sentinel_onboarding_state_read(_schema): + global _schema_sentinel_onboarding_state_read + if _schema_sentinel_onboarding_state_read is not None: + _schema.etag = _schema_sentinel_onboarding_state_read.etag + _schema.id = _schema_sentinel_onboarding_state_read.id + _schema.name = _schema_sentinel_onboarding_state_read.name + _schema.properties = _schema_sentinel_onboarding_state_read.properties + _schema.system_data = _schema_sentinel_onboarding_state_read.system_data + _schema.type = _schema_sentinel_onboarding_state_read.type + return + + _schema_sentinel_onboarding_state_read = AAZObjectType() + + sentinel_onboarding_state_read = _schema_sentinel_onboarding_state_read + sentinel_onboarding_state_read.etag = AAZStrType() + sentinel_onboarding_state_read.id = AAZStrType( + flags={"read_only": True}, + ) + sentinel_onboarding_state_read.name = AAZStrType( + flags={"read_only": True}, + ) + sentinel_onboarding_state_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + sentinel_onboarding_state_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + sentinel_onboarding_state_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_sentinel_onboarding_state_read.properties + properties.customer_managed_key = AAZBoolType( + serialized_name="customerManagedKey", + ) + + system_data = 
_schema_sentinel_onboarding_state_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_sentinel_onboarding_state_read.etag + _schema.id = _schema_sentinel_onboarding_state_read.id + _schema.name = _schema_sentinel_onboarding_state_read.name + _schema.properties = _schema_sentinel_onboarding_state_read.properties + _schema.system_data = _schema_sentinel_onboarding_state_read.system_data + _schema.type = _schema_sentinel_onboarding_state_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__cmd_group.py new file mode 100644 index 00000000000..f89894fc7b8 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__cmd_group.py 
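Review bot: `_execute_operations` in `Update` performs a read-modify-write (GET via `SentinelOnboardingStatesGet`, in-memory patch, then PUT via `SentinelOnboardingStatesCreate`), but the PUT's `header_parameters` sends only `Content-Type` and `Accept`; the etag fetched by the GET is forwarded only in the request body through `_builder.set_prop("etag", AAZStrType, ".etag")`. Whether a stale body etag is rejected therefore depends entirely on server-side handling, and if the 2022-06-01-preview operation honours conditional requests, adding `**self.serialize_header_param("If-Match", self.ctx.vars.instance.etag)` to that property would make a concurrent change to `customerManagedKey` fail loudly instead of being silently overwritten. This is worth confirming against the REST specification before changing, since the generator emits the header list from the spec. The `--customer-managed-key` help `"Flag that indicates the status of the CMK setting"` could also say what `true`/`false` mean for the workspace, which the current text leaves to the reader.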
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel setting", +) +class __CMDGroup(AAZCommandGroup): + """Manage setting with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_create.py new file mode 100644 index 00000000000..cc2dc77fa37 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_create.py 
@@ -0,0 +1,331 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel setting create", + is_experimental=True, +) +class Create(AAZCommand): + """Create setting. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/settings/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_name = AAZStrArg( + options=["-n", "--name", "--settings-name"], + help="The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Settings" + + _args_schema = cls._args_schema + _args_schema.entity_analytics = AAZObjectArg( + options=["--entity-analytics"], + arg_group="Settings", + ) + _args_schema.ueba = AAZObjectArg( + options=["--ueba"], + arg_group="Settings", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Settings", + help="Etag of the azure resource", + ) + + entity_analytics = cls._args_schema.entity_analytics + entity_analytics.entity_providers = AAZListArg( + options=["entity-providers"], + help="The relevant entity providers that are synced", + ) + + entity_providers = cls._args_schema.entity_analytics.entity_providers + entity_providers.Element = AAZStrArg( + enum={"ActiveDirectory": "ActiveDirectory", "AzureActiveDirectory": "AzureActiveDirectory"}, + ) + + ueba = cls._args_schema.ueba + ueba.data_sources = AAZListArg( + options=["data-sources"], + help="The relevant data sources that enriched by ueba", + ) + + data_sources = cls._args_schema.ueba.data_sources + data_sources.Element = AAZStrArg( + enum={"AuditLogs": "AuditLogs", "AzureActivity": "AzureActivity", "SecurityEvent": "SecurityEvent", "SigninLogs": "SigninLogs"}, + ) + return cls._args_schema + + def _execute_operations(self): + self.ProductSettingsUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ProductSettingsUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return 
self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsName", self.ctx.args.settings_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "EntityAnalytics", AAZStrType, ".entity_analytics", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Ueba", AAZStrType, ".ueba", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "EntityAnalytics") + _builder.discriminate_by("kind", "Ueba") + + disc_entity_analytics = 
_builder.get("{kind:EntityAnalytics}") + if disc_entity_analytics is not None: + disc_entity_analytics.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:EntityAnalytics}.properties") + if properties is not None: + properties.set_prop("entityProviders", AAZListType, ".entity_analytics.entity_providers") + + entity_providers = _builder.get("{kind:EntityAnalytics}.properties.entityProviders") + if entity_providers is not None: + entity_providers.set_elements(AAZStrType, ".") + + disc_ueba = _builder.get("{kind:Ueba}") + if disc_ueba is not None: + disc_ueba.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Ueba}.properties") + if properties is not None: + properties.set_prop("dataSources", AAZListType, ".ueba.data_sources") + + data_sources = _builder.get("{kind:Ueba}.properties.dataSources") + if data_sources is not None: + data_sources.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + 
serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomalies = cls._schema_on_200.discriminate_by("kind", "Anomalies") + disc_anomalies.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Anomalies").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_entity_analytics = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics") + disc_entity_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics").properties + properties.entity_providers = AAZListType( + serialized_name="entityProviders", + ) + + entity_providers = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics").properties.entity_providers + entity_providers.Element = AAZStrType() + + disc_eyes_on = cls._schema_on_200.discriminate_by("kind", "EyesOn") + disc_eyes_on.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "EyesOn").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_ueba = cls._schema_on_200.discriminate_by("kind", "Ueba") + disc_ueba.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = 
cls._schema_on_200.discriminate_by("kind", "Ueba").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + + data_sources = cls._schema_on_200.discriminate_by("kind", "Ueba").properties.data_sources + data_sources.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_delete.py new file mode 100644 index 00000000000..925890f90f3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_delete.py 
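Review bot: The `--name` help in `_build_arguments_schema` advertises `Anomalies, EyesOn, EntityAnalytics, Ueba`, but the request body built in `ProductSettingsUpdate.content` can only express `kind` as `EntityAnalytics` or `Ueba` (the two `set_const("kind", ...)` lines), and `kind` is marked required, so `sentinel setting create -n Anomalies` with neither `--entity-analytics` nor `--ueba` will send a body the service cannot accept. The two `AAZObjectArg` definitions for `--entity-analytics` and `--ueba` also carry no `help=`; `help="EntityAnalytics settings; sets kind to EntityAnalytics."` and `help="Ueba settings; sets kind to Ueba."` would tell the user that exactly one of them selects the setting kind. Nothing visible prevents both from being supplied at once, in which case both `set_const` lines appear to fire and one set of properties is dropped under the other discriminator; if that reading is right, narrowing the `--name` help to the two creatable kinds and documenting the one-of requirement is the minimal fix.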
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel setting delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete setting of the product. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/settings/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_name = AAZStrArg( + options=["-n", "--name", "--settings-name"], + help="The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.ProductSettingsDelete(ctx=self.ctx)() + + class ProductSettingsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsName", self.ctx.args.settings_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] 
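Review bot: The `confirmation` string on `sentinel setting delete`, `"Are you sure you want to perform this operation?"`, does not tell the operator what is about to be removed even though the URL in `ProductSettingsDelete.url` scopes the deletion to a named setting of a named workspace; `confirmation="Are you sure you want to delete this Sentinel setting from the workspace?"` costs nothing and makes the prompt useful when `--yes` is not passed. The class docstring `"""Delete setting of the product."""` is also awkward and could read `"""Delete a Sentinel setting of the workspace."""`. Both are text-only changes to the generator's input and carry no behavioural risk.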
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_list.py new file mode 100644 index 00000000000..0da4c6a41ef --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_list.py 
@@ -0,0 +1,247 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel setting list", + is_experimental=True, +) +class List(AAZCommand): + """List of all the settings + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/settings", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.ProductSettingsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ProductSettingsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + 
if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( 
+ flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomalies = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomalies") + disc_anomalies.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Anomalies").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_entity_analytics = cls._schema_on_200.value.Element.discriminate_by("kind", "EntityAnalytics") + disc_entity_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "EntityAnalytics").properties + properties.entity_providers = AAZListType( + serialized_name="entityProviders", + ) + + entity_providers = cls._schema_on_200.value.Element.discriminate_by("kind", "EntityAnalytics").properties.entity_providers + entity_providers.Element = AAZStrType() + + disc_eyes_on = cls._schema_on_200.value.Element.discriminate_by("kind", "EyesOn") + disc_eyes_on.properties = AAZObjectType( + 
flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "EyesOn").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_ueba = cls._schema_on_200.value.Element.discriminate_by("kind", "Ueba") + disc_ueba.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "Ueba").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + + data_sources = cls._schema_on_200.value.Element.discriminate_by("kind", "Ueba").properties.data_sources + data_sources.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_show.py new file mode 100644 index 00000000000..3d63672715a --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_show.py 
@@ -0,0 +1,250 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel setting show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a setting. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/settings/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_name = AAZStrArg( + options=["-n", "--name", "--settings-name"], + help="The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.ProductSettingsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ProductSettingsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsName", self.ctx.args.settings_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + 
parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomalies = cls._schema_on_200.discriminate_by("kind", "Anomalies") + disc_anomalies.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Anomalies").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + 
disc_entity_analytics = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics") + disc_entity_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics").properties + properties.entity_providers = AAZListType( + serialized_name="entityProviders", + ) + + entity_providers = cls._schema_on_200.discriminate_by("kind", "EntityAnalytics").properties.entity_providers + entity_providers.Element = AAZStrType() + + disc_eyes_on = cls._schema_on_200.discriminate_by("kind", "EyesOn") + disc_eyes_on.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "EyesOn").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_ueba = cls._schema_on_200.discriminate_by("kind", "Ueba") + disc_ueba.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "Ueba").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + + data_sources = cls._schema_on_200.discriminate_by("kind", "Ueba").properties.data_sources + data_sources.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_update.py new file mode 100644 index 00000000000..a9aa8cb0454 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/setting/_update.py 
@@ -0,0 +1,536 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel setting update", + is_experimental=True, +) +class Update(AAZCommand): + """Update setting. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/settings/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.settings_name = AAZStrArg( + options=["-n", "--name", "--settings-name"], + help="The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Settings" + + _args_schema = cls._args_schema + _args_schema.entity_analytics = AAZObjectArg( + options=["--entity-analytics"], + arg_group="Settings", + ) + _args_schema.ueba = AAZObjectArg( + options=["--ueba"], + arg_group="Settings", + ) + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Settings", + help="Etag of the azure resource", + nullable=True, + ) + + entity_analytics = cls._args_schema.entity_analytics + entity_analytics.entity_providers = AAZListArg( + options=["entity-providers"], + help="The relevant entity providers that are synced", + nullable=True, + ) + + entity_providers = cls._args_schema.entity_analytics.entity_providers + entity_providers.Element = AAZStrArg( + enum={"ActiveDirectory": "ActiveDirectory", "AzureActiveDirectory": "AzureActiveDirectory"}, + ) + + ueba = cls._args_schema.ueba + ueba.data_sources = AAZListArg( + options=["data-sources"], + help="The relevant data sources that enriched by ueba", + nullable=True, + ) + + data_sources = cls._args_schema.ueba.data_sources + data_sources.Element = AAZStrArg( + enum={"AuditLogs": "AuditLogs", "AzureActivity": "AzureActivity", "SecurityEvent": "SecurityEvent", "SigninLogs": "SigninLogs"}, + ) + return cls._args_schema + + def _execute_operations(self): + self.ProductSettingsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.ProductSettingsUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ProductSettingsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsName", self.ctx.args.settings_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_settings_read(cls._schema_on_200) + + return cls._schema_on_200 + + class ProductSettingsUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "settingsName", self.ctx.args.settings_name, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def 
_build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_settings_read(cls._schema_on_200) + + return cls._schema_on_200 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "EntityAnalytics", AAZStrType, ".entity_analytics", typ_kwargs={"flags": {"required": True}}) + _builder.set_const("kind", "Ueba", AAZStrType, ".ueba", typ_kwargs={"flags": {"required": True}}) + _builder.discriminate_by("kind", "EntityAnalytics") + _builder.discriminate_by("kind", "Ueba") + + disc_entity_analytics = _builder.get("{kind:EntityAnalytics}") + if disc_entity_analytics is not None: + disc_entity_analytics.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:EntityAnalytics}.properties") + if properties is not None: + properties.set_prop("entityProviders", AAZListType, ".entity_analytics.entity_providers") + + entity_providers = _builder.get("{kind:EntityAnalytics}.properties.entityProviders") + if entity_providers is not None: + entity_providers.set_elements(AAZStrType, ".") + + disc_ueba = _builder.get("{kind:Ueba}") + if disc_ueba is not None: + disc_ueba.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get("{kind:Ueba}.properties") + if properties is not None: + properties.set_prop("dataSources", AAZListType, ".ueba.data_sources") + + data_sources = _builder.get("{kind:Ueba}.properties.dataSources") + if data_sources is not None: + data_sources.set_elements(AAZStrType, ".") + + return _instance_value + + class 
InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_settings_read = None + + +def _build_schema_settings_read(_schema): + global _schema_settings_read + if _schema_settings_read is not None: + _schema.etag = _schema_settings_read.etag + _schema.id = _schema_settings_read.id + _schema.kind = _schema_settings_read.kind + _schema.name = _schema_settings_read.name + _schema.system_data = _schema_settings_read.system_data + _schema.type = _schema_settings_read.type + _schema.discriminate_by( + "kind", + "Anomalies", + _schema_settings_read.discriminate_by( + "kind", + "Anomalies", + ) + ) + _schema.discriminate_by( + "kind", + "EntityAnalytics", + _schema_settings_read.discriminate_by( + "kind", + "EntityAnalytics", + ) + ) + _schema.discriminate_by( + "kind", + "EyesOn", + _schema_settings_read.discriminate_by( + "kind", + "EyesOn", + ) + ) + _schema.discriminate_by( + "kind", + "Ueba", + _schema_settings_read.discriminate_by( + "kind", + "Ueba", + ) + ) + return + + _schema_settings_read = AAZObjectType() + + settings_read = _schema_settings_read + settings_read.etag = AAZStrType() + settings_read.id = AAZStrType( + flags={"read_only": True}, + ) + settings_read.kind = AAZStrType( + flags={"required": True}, + ) + settings_read.name = AAZStrType( + flags={"read_only": True}, + ) + settings_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + settings_read.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = _schema_settings_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, 
+ ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_anomalies = _schema_settings_read.discriminate_by("kind", "Anomalies") + disc_anomalies.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_settings_read.discriminate_by("kind", "Anomalies").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_entity_analytics = _schema_settings_read.discriminate_by("kind", "EntityAnalytics") + disc_entity_analytics.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_settings_read.discriminate_by("kind", "EntityAnalytics").properties + properties.entity_providers = AAZListType( + serialized_name="entityProviders", + ) + + entity_providers = _schema_settings_read.discriminate_by("kind", "EntityAnalytics").properties.entity_providers + entity_providers.Element = AAZStrType() + + disc_eyes_on = _schema_settings_read.discriminate_by("kind", "EyesOn") + disc_eyes_on.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_settings_read.discriminate_by("kind", "EyesOn").properties + properties.is_enabled = AAZBoolType( + serialized_name="isEnabled", + flags={"read_only": True}, + ) + + disc_ueba = _schema_settings_read.discriminate_by("kind", "Ueba") + disc_ueba.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = _schema_settings_read.discriminate_by("kind", "Ueba").properties + properties.data_sources = AAZListType( + serialized_name="dataSources", + ) + + data_sources = _schema_settings_read.discriminate_by("kind", "Ueba").properties.data_sources + data_sources.Element 
= AAZStrType() + + _schema.etag = _schema_settings_read.etag + _schema.id = _schema_settings_read.id + _schema.kind = _schema_settings_read.kind + _schema.name = _schema_settings_read.name + _schema.system_data = _schema_settings_read.system_data + _schema.type = _schema_settings_read.type + _schema.discriminate_by( + "kind", + "Anomalies", + _schema_settings_read.discriminate_by( + "kind", + "Anomalies", + ) + ) + _schema.discriminate_by( + "kind", + "EntityAnalytics", + _schema_settings_read.discriminate_by( + "kind", + "EntityAnalytics", + ) + ) + _schema.discriminate_by( + "kind", + "EyesOn", + _schema_settings_read.discriminate_by( + "kind", + "EyesOn", + ) + ) + _schema.discriminate_by( + "kind", + "Ueba", + _schema_settings_read.discriminate_by( + "kind", + "Ueba", + ) + ) + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__cmd_group.py new file mode 100644 index 00000000000..59cf381bcb7 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel source-control", +) +class __CMDGroup(AAZCommandGroup): + """Manage source control with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__init__.py new file mode 100644 index 00000000000..e954a625544 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/__init__.py @@ -0,0 +1,17 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._list_repository import * +from ._show import * +from ._update import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_create.py new file mode 100644 index 00000000000..6dac4da67bc --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_create.py 
@@ -0,0 +1,585 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control create", + is_experimental=True, +) +class Create(AAZCommand): + """Create a source control. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/sourcecontrols/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.source_control_id = AAZStrArg( + options=["-n", "--name", "--source-control-id"], + help="Source control Id", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.content_types = AAZListArg( + options=["--content-types"], + arg_group="Properties", + help="Array of source control content types.", + ) + _args_schema.description = 
AAZStrArg( + options=["--description"], + arg_group="Properties", + help="A description of the source control", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the source control", + ) + _args_schema.id = AAZStrArg( + options=["--id"], + arg_group="Properties", + help="The id (a Guid) of the source control", + ) + _args_schema.last_deployment_info = AAZObjectArg( + options=["--last-deployment-info"], + arg_group="Properties", + help="Information regarding the latest deployment for the source control.", + ) + _args_schema.repo_type = AAZStrArg( + options=["--repo-type"], + arg_group="Properties", + help="The repository type of the source control", + enum={"DevOps": "DevOps", "Github": "Github"}, + ) + _args_schema.repository = AAZObjectArg( + options=["--repository"], + arg_group="Properties", + help="Repository metadata.", + ) + _args_schema.repository_info = AAZObjectArg( + options=["--repository-info"], + arg_group="Properties", + help="Information regarding the resources created in user's repository.", + ) + _args_schema.version = AAZStrArg( + options=["--version"], + arg_group="Properties", + help="The version number associated with the source control", + enum={"V1": "V1", "V2": "V2"}, + ) + + content_types = cls._args_schema.content_types + content_types.Element = AAZStrArg( + enum={"AnalyticRule": "AnalyticRule", "Workbook": "Workbook"}, + ) + + last_deployment_info = cls._args_schema.last_deployment_info + last_deployment_info.deployment = AAZObjectArg( + options=["deployment"], + help="Deployment information.", + ) + last_deployment_info.deployment_fetch_status = AAZStrArg( + options=["deployment-fetch-status"], + help="Status while fetching the last deployment.", + enum={"NotFound": "NotFound", "Success": "Success", "Unauthorized": "Unauthorized"}, + ) + last_deployment_info.message = AAZStrArg( + options=["message"], + help="Additional details about the deployment that can be 
shown to the user.", + ) + + deployment = cls._args_schema.last_deployment_info.deployment + deployment.deployment_id = AAZStrArg( + options=["deployment-id"], + help="Deployment identifier.", + ) + deployment.deployment_logs_url = AAZStrArg( + options=["deployment-logs-url"], + help="Url to access repository action logs.", + ) + deployment.deployment_result = AAZStrArg( + options=["deployment-result"], + help="The outcome of the deployment.", + enum={"Canceled": "Canceled", "Failed": "Failed", "Success": "Success"}, + ) + deployment.deployment_state = AAZStrArg( + options=["deployment-state"], + help="Current status of the deployment.", + enum={"Canceling": "Canceling", "Completed": "Completed", "In_Progress": "In_Progress", "Queued": "Queued"}, + ) + deployment.deployment_time = AAZStrArg( + options=["deployment-time"], + help="The time when the deployment finished.", + ) + + repository = cls._args_schema.repository + repository.branch = AAZStrArg( + options=["branch"], + help="Branch name of repository.", + ) + repository.deployment_logs_url = AAZStrArg( + options=["deployment-logs-url"], + help="Url to access repository action logs.", + ) + repository.display_url = AAZStrArg( + options=["display-url"], + help="Display url of repository.", + ) + repository.path_mapping = AAZListArg( + options=["path-mapping"], + help="Dictionary of source control content type and path mapping.", + ) + repository.url = AAZStrArg( + options=["url"], + help="Url of repository.", + ) + + path_mapping = cls._args_schema.repository.path_mapping + path_mapping.Element = AAZObjectArg() + + _element = cls._args_schema.repository.path_mapping.Element + _element.content_type = AAZStrArg( + options=["content-type"], + help="Content type.", + enum={"AnalyticRule": "AnalyticRule", "Workbook": "Workbook"}, + ) + _element.path = AAZStrArg( + options=["path"], + help="The path to the content.", + ) + + repository_info = cls._args_schema.repository_info + 
repository_info.azure_dev_ops_resource_info = AAZObjectArg( + options=["azure-dev-ops-resource-info"], + help="Resources created in Azure DevOps for this source-control.", + ) + repository_info.git_hub_resource_info = AAZObjectArg( + options=["git-hub-resource-info"], + help="Resources created in GitHub for this source-control.", + ) + repository_info.webhook = AAZObjectArg( + options=["webhook"], + help="The webhook object created for the source-control.", + ) + + azure_dev_ops_resource_info = cls._args_schema.repository_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrArg( + options=["pipeline-id"], + help="Id of the pipeline created for the source-control.", + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrArg( + options=["service-connection-id"], + help="Id of the service-connection created for the source-control.", + ) + + git_hub_resource_info = cls._args_schema.repository_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrArg( + options=["app-installation-id"], + help="GitHub application installation id.", + ) + + webhook = cls._args_schema.repository_info.webhook + webhook.rotate_webhook_secret = AAZBoolArg( + options=["rotate-webhook-secret"], + help="A flag to instruct the backend service to rotate webhook secret.", + ) + webhook.webhook_id = AAZStrArg( + options=["webhook-id"], + help="Unique identifier for the webhook.", + ) + webhook.webhook_secret_update_time = AAZStrArg( + options=["webhook-secret-update-time"], + help="Time when the webhook secret was updated.", + ) + webhook.webhook_url = AAZStrArg( + options=["webhook-url"], + help="URL that gets invoked by the webhook.", + ) + + # define Arg Group "SourceControl" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SourceControl", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + 
self.SourceControlsCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SourceControlsCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sourceControlId", self.ctx.args.source_control_id, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + 
typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("contentTypes", AAZListType, ".content_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("id", AAZStrType, ".id") + properties.set_prop("lastDeploymentInfo", AAZObjectType, ".last_deployment_info") + properties.set_prop("repoType", AAZStrType, ".repo_type", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("repository", AAZObjectType, ".repository", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("repositoryResourceInfo", AAZObjectType, ".repository_info") + properties.set_prop("version", AAZStrType, ".version") + + content_types = _builder.get(".properties.contentTypes") + if content_types is not None: + content_types.set_elements(AAZStrType, ".") + + last_deployment_info = _builder.get(".properties.lastDeploymentInfo") + if last_deployment_info is not None: + last_deployment_info.set_prop("deployment", AAZObjectType, ".deployment") + last_deployment_info.set_prop("deploymentFetchStatus", AAZStrType, ".deployment_fetch_status") + last_deployment_info.set_prop("message", AAZStrType, ".message") + + deployment = _builder.get(".properties.lastDeploymentInfo.deployment") + if deployment is not None: + deployment.set_prop("deploymentId", AAZStrType, ".deployment_id") + deployment.set_prop("deploymentLogsUrl", AAZStrType, ".deployment_logs_url") + deployment.set_prop("deploymentResult", AAZStrType, ".deployment_result") + deployment.set_prop("deploymentState", AAZStrType, ".deployment_state") + deployment.set_prop("deploymentTime", AAZStrType, 
".deployment_time") + + repository = _builder.get(".properties.repository") + if repository is not None: + repository.set_prop("branch", AAZStrType, ".branch") + repository.set_prop("deploymentLogsUrl", AAZStrType, ".deployment_logs_url") + repository.set_prop("displayUrl", AAZStrType, ".display_url") + repository.set_prop("pathMapping", AAZListType, ".path_mapping") + repository.set_prop("url", AAZStrType, ".url") + + path_mapping = _builder.get(".properties.repository.pathMapping") + if path_mapping is not None: + path_mapping.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.repository.pathMapping[]") + if _elements is not None: + _elements.set_prop("contentType", AAZStrType, ".content_type") + _elements.set_prop("path", AAZStrType, ".path") + + repository_resource_info = _builder.get(".properties.repositoryResourceInfo") + if repository_resource_info is not None: + repository_resource_info.set_prop("azureDevOpsResourceInfo", AAZObjectType, ".azure_dev_ops_resource_info") + repository_resource_info.set_prop("gitHubResourceInfo", AAZObjectType, ".git_hub_resource_info") + repository_resource_info.set_prop("webhook", AAZObjectType, ".webhook") + + azure_dev_ops_resource_info = _builder.get(".properties.repositoryResourceInfo.azureDevOpsResourceInfo") + if azure_dev_ops_resource_info is not None: + azure_dev_ops_resource_info.set_prop("pipelineId", AAZStrType, ".pipeline_id") + azure_dev_ops_resource_info.set_prop("serviceConnectionId", AAZStrType, ".service_connection_id") + + git_hub_resource_info = _builder.get(".properties.repositoryResourceInfo.gitHubResourceInfo") + if git_hub_resource_info is not None: + git_hub_resource_info.set_prop("appInstallationId", AAZStrType, ".app_installation_id") + + webhook = _builder.get(".properties.repositoryResourceInfo.webhook") + if webhook is not None: + webhook.set_prop("rotateWebhookSecret", AAZBoolType, ".rotate_webhook_secret") + webhook.set_prop("webhookId", AAZStrType, ".webhook_id") + 
webhook.set_prop("webhookSecretUpdateTime", AAZStrType, ".webhook_secret_update_time") + webhook.set_prop("webhookUrl", AAZStrType, ".webhook_url") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.content_types = AAZListType( + serialized_name="contentTypes", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.id = AAZStrType() + properties.last_deployment_info = AAZObjectType( + serialized_name="lastDeploymentInfo", + ) + properties.repo_type = AAZStrType( + serialized_name="repoType", + flags={"required": True}, + ) + properties.repository = AAZObjectType( + flags={"required": True}, + ) + properties.repository_resource_info = AAZObjectType( + serialized_name="repositoryResourceInfo", + ) + properties.version = AAZStrType() + + content_types = cls._schema_on_200_201.properties.content_types + content_types.Element = AAZStrType() + + last_deployment_info = 
cls._schema_on_200_201.properties.last_deployment_info + last_deployment_info.deployment = AAZObjectType() + last_deployment_info.deployment_fetch_status = AAZStrType( + serialized_name="deploymentFetchStatus", + ) + last_deployment_info.message = AAZStrType() + + deployment = cls._schema_on_200_201.properties.last_deployment_info.deployment + deployment.deployment_id = AAZStrType( + serialized_name="deploymentId", + ) + deployment.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + deployment.deployment_result = AAZStrType( + serialized_name="deploymentResult", + ) + deployment.deployment_state = AAZStrType( + serialized_name="deploymentState", + ) + deployment.deployment_time = AAZStrType( + serialized_name="deploymentTime", + ) + + repository = cls._schema_on_200_201.properties.repository + repository.branch = AAZStrType() + repository.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + repository.display_url = AAZStrType( + serialized_name="displayUrl", + ) + repository.path_mapping = AAZListType( + serialized_name="pathMapping", + ) + repository.url = AAZStrType() + + path_mapping = cls._schema_on_200_201.properties.repository.path_mapping + path_mapping.Element = AAZObjectType() + + _element = cls._schema_on_200_201.properties.repository.path_mapping.Element + _element.content_type = AAZStrType( + serialized_name="contentType", + ) + _element.path = AAZStrType() + + repository_resource_info = cls._schema_on_200_201.properties.repository_resource_info + repository_resource_info.azure_dev_ops_resource_info = AAZObjectType( + serialized_name="azureDevOpsResourceInfo", + ) + repository_resource_info.git_hub_resource_info = AAZObjectType( + serialized_name="gitHubResourceInfo", + ) + repository_resource_info.webhook = AAZObjectType() + + azure_dev_ops_resource_info = cls._schema_on_200_201.properties.repository_resource_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrType( + 
serialized_name="pipelineId", + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrType( + serialized_name="serviceConnectionId", + ) + + git_hub_resource_info = cls._schema_on_200_201.properties.repository_resource_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrType( + serialized_name="appInstallationId", + ) + + webhook = cls._schema_on_200_201.properties.repository_resource_info.webhook + webhook.rotate_webhook_secret = AAZBoolType( + serialized_name="rotateWebhookSecret", + ) + webhook.webhook_id = AAZStrType( + serialized_name="webhookId", + ) + webhook.webhook_secret_update_time = AAZStrType( + serialized_name="webhookSecretUpdateTime", + ) + webhook.webhook_url = AAZStrType( + serialized_name="webhookUrl", + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_delete.py new file mode 100644 index 00000000000..42197c756f9 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete a source control. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/sourcecontrols/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.source_control_id = AAZStrArg( + options=["-n", "--name", "--source-control-id"], + help="Source control Id", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.SourceControlsDelete(ctx=self.ctx)() + + class SourceControlsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sourceControlId", self.ctx.args.source_control_id, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list.py new file mode 100644 index 00000000000..2878ab38f9d --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list.py 
@@ -0,0 +1,314 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control list", + is_experimental=True, +) +class List(AAZCommand): + """Get all source controls, without source control items. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/sourcecontrols", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.SourceControlsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class SourceControlsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def 
__call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + 
value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.content_types = AAZListType( + serialized_name="contentTypes", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.id = AAZStrType() + properties.last_deployment_info = AAZObjectType( + serialized_name="lastDeploymentInfo", + ) + properties.repo_type = AAZStrType( + serialized_name="repoType", + flags={"required": True}, + ) + properties.repository = AAZObjectType( + flags={"required": True}, + ) + properties.repository_resource_info = AAZObjectType( + serialized_name="repositoryResourceInfo", + ) + properties.version = AAZStrType() + + content_types = cls._schema_on_200.value.Element.properties.content_types + content_types.Element = AAZStrType() + + last_deployment_info = cls._schema_on_200.value.Element.properties.last_deployment_info + last_deployment_info.deployment = AAZObjectType() + last_deployment_info.deployment_fetch_status = AAZStrType( + serialized_name="deploymentFetchStatus", + ) + last_deployment_info.message = AAZStrType() + + deployment = cls._schema_on_200.value.Element.properties.last_deployment_info.deployment + deployment.deployment_id = AAZStrType( + serialized_name="deploymentId", + ) + deployment.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + deployment.deployment_result = AAZStrType( + serialized_name="deploymentResult", + ) + 
deployment.deployment_state = AAZStrType( + serialized_name="deploymentState", + ) + deployment.deployment_time = AAZStrType( + serialized_name="deploymentTime", + ) + + repository = cls._schema_on_200.value.Element.properties.repository + repository.branch = AAZStrType() + repository.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + repository.display_url = AAZStrType( + serialized_name="displayUrl", + ) + repository.path_mapping = AAZListType( + serialized_name="pathMapping", + ) + repository.url = AAZStrType() + + path_mapping = cls._schema_on_200.value.Element.properties.repository.path_mapping + path_mapping.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.properties.repository.path_mapping.Element + _element.content_type = AAZStrType( + serialized_name="contentType", + ) + _element.path = AAZStrType() + + repository_resource_info = cls._schema_on_200.value.Element.properties.repository_resource_info + repository_resource_info.azure_dev_ops_resource_info = AAZObjectType( + serialized_name="azureDevOpsResourceInfo", + ) + repository_resource_info.git_hub_resource_info = AAZObjectType( + serialized_name="gitHubResourceInfo", + ) + repository_resource_info.webhook = AAZObjectType() + + azure_dev_ops_resource_info = cls._schema_on_200.value.Element.properties.repository_resource_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrType( + serialized_name="pipelineId", + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrType( + serialized_name="serviceConnectionId", + ) + + git_hub_resource_info = cls._schema_on_200.value.Element.properties.repository_resource_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrType( + serialized_name="appInstallationId", + ) + + webhook = cls._schema_on_200.value.Element.properties.repository_resource_info.webhook + webhook.rotate_webhook_secret = AAZBoolType( + serialized_name="rotateWebhookSecret", + ) + 
webhook.webhook_id = AAZStrType( + serialized_name="webhookId", + ) + webhook.webhook_secret_update_time = AAZStrType( + serialized_name="webhookSecretUpdateTime", + ) + webhook.webhook_url = AAZStrType( + serialized_name="webhookUrl", + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list_repository.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list_repository.py new file mode 100644 index 00000000000..1f66005db84 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_list_repository.py 
@@ -0,0 +1,187 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control list-repository", + is_experimental=True, +) +class ListRepository(AAZCommand): + """Get a list of repositories metadata. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/listrepositories", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.repo_type = AAZStrArg( + options=["--repo-type"], + help="The type of repository.", + required=True, + enum={"DevOps": "DevOps", "Github": "Github"}, + ) + return cls._args_schema + + def _execute_operations(self): + self.SourceControlListRepositories(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) 
+ next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class SourceControlListRepositories(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/listRepositories", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args.repo_type, + typ=AAZStrType, + typ_kwargs={"flags": {"required": True}} + ) + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + 
"instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.branches = AAZListType() + _element.full_name = AAZStrType( + serialized_name="fullName", + ) + _element.url = AAZStrType() + + branches = cls._schema_on_200.value.Element.branches + branches.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["ListRepository"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_show.py new file mode 100644 index 00000000000..1cb74c4c84a --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_show.py 
@@ -0,0 +1,313 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a source control by its identifier. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/sourcecontrols/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.source_control_id = AAZStrArg( + options=["-n", "--name", "--source-control-id"], + help="Source control Id", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.SourceControlsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class 
SourceControlsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sourceControlId", self.ctx.args.source_control_id, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = 
AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.content_types = AAZListType( + serialized_name="contentTypes", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.id = AAZStrType() + properties.last_deployment_info = AAZObjectType( + serialized_name="lastDeploymentInfo", + ) + properties.repo_type = AAZStrType( + serialized_name="repoType", + flags={"required": True}, + ) + properties.repository = AAZObjectType( + flags={"required": True}, + ) + properties.repository_resource_info = AAZObjectType( + serialized_name="repositoryResourceInfo", + ) + properties.version = AAZStrType() + + content_types = cls._schema_on_200.properties.content_types + content_types.Element = AAZStrType() + + last_deployment_info = cls._schema_on_200.properties.last_deployment_info + last_deployment_info.deployment = AAZObjectType() + last_deployment_info.deployment_fetch_status = AAZStrType( + serialized_name="deploymentFetchStatus", + ) + last_deployment_info.message = AAZStrType() + + deployment = cls._schema_on_200.properties.last_deployment_info.deployment + deployment.deployment_id = AAZStrType( + serialized_name="deploymentId", + ) + deployment.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + deployment.deployment_result = AAZStrType( + serialized_name="deploymentResult", + ) + deployment.deployment_state = AAZStrType( + serialized_name="deploymentState", + ) + deployment.deployment_time = AAZStrType( 
+ serialized_name="deploymentTime", + ) + + repository = cls._schema_on_200.properties.repository + repository.branch = AAZStrType() + repository.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + repository.display_url = AAZStrType( + serialized_name="displayUrl", + ) + repository.path_mapping = AAZListType( + serialized_name="pathMapping", + ) + repository.url = AAZStrType() + + path_mapping = cls._schema_on_200.properties.repository.path_mapping + path_mapping.Element = AAZObjectType() + + _element = cls._schema_on_200.properties.repository.path_mapping.Element + _element.content_type = AAZStrType( + serialized_name="contentType", + ) + _element.path = AAZStrType() + + repository_resource_info = cls._schema_on_200.properties.repository_resource_info + repository_resource_info.azure_dev_ops_resource_info = AAZObjectType( + serialized_name="azureDevOpsResourceInfo", + ) + repository_resource_info.git_hub_resource_info = AAZObjectType( + serialized_name="gitHubResourceInfo", + ) + repository_resource_info.webhook = AAZObjectType() + + azure_dev_ops_resource_info = cls._schema_on_200.properties.repository_resource_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrType( + serialized_name="pipelineId", + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrType( + serialized_name="serviceConnectionId", + ) + + git_hub_resource_info = cls._schema_on_200.properties.repository_resource_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrType( + serialized_name="appInstallationId", + ) + + webhook = cls._schema_on_200.properties.repository_resource_info.webhook + webhook.rotate_webhook_secret = AAZBoolType( + serialized_name="rotateWebhookSecret", + ) + webhook.webhook_id = AAZStrType( + serialized_name="webhookId", + ) + webhook.webhook_secret_update_time = AAZStrType( + serialized_name="webhookSecretUpdateTime", + ) + webhook.webhook_url = AAZStrType( + 
serialized_name="webhookUrl", + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_update.py new file mode 100644 index 00000000000..0b2522924e0 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/source_control/_update.py 
@@ -0,0 +1,754 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel source-control update", + is_experimental=True, +) +class Update(AAZCommand): + """Create a source control. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/sourcecontrols/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.source_control_id = AAZStrArg( + options=["-n", "--name", "--source-control-id"], + help="Source control Id", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.content_types = AAZListArg( + options=["--content-types"], + arg_group="Properties", + help="Array of source control content types.", + ) 
+ _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="A description of the source control", + nullable=True, + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the source control", + ) + _args_schema.id = AAZStrArg( + options=["--id"], + arg_group="Properties", + help="The id (a Guid) of the source control", + nullable=True, + ) + _args_schema.last_deployment_info = AAZObjectArg( + options=["--last-deployment-info"], + arg_group="Properties", + help="Information regarding the latest deployment for the source control.", + nullable=True, + ) + _args_schema.repo_type = AAZStrArg( + options=["--repo-type"], + arg_group="Properties", + help="The repository type of the source control", + enum={"DevOps": "DevOps", "Github": "Github"}, + ) + _args_schema.repository = AAZObjectArg( + options=["--repository"], + arg_group="Properties", + help="Repository metadata.", + ) + _args_schema.repository_info = AAZObjectArg( + options=["--repository-info"], + arg_group="Properties", + help="Information regarding the resources created in user's repository.", + nullable=True, + ) + _args_schema.version = AAZStrArg( + options=["--version"], + arg_group="Properties", + help="The version number associated with the source control", + nullable=True, + enum={"V1": "V1", "V2": "V2"}, + ) + + content_types = cls._args_schema.content_types + content_types.Element = AAZStrArg( + enum={"AnalyticRule": "AnalyticRule", "Workbook": "Workbook"}, + ) + + last_deployment_info = cls._args_schema.last_deployment_info + last_deployment_info.deployment = AAZObjectArg( + options=["deployment"], + help="Deployment information.", + nullable=True, + ) + last_deployment_info.deployment_fetch_status = AAZStrArg( + options=["deployment-fetch-status"], + help="Status while fetching the last deployment.", + nullable=True, + enum={"NotFound": "NotFound", "Success": "Success", "Unauthorized": 
"Unauthorized"}, + ) + last_deployment_info.message = AAZStrArg( + options=["message"], + help="Additional details about the deployment that can be shown to the user.", + nullable=True, + ) + + deployment = cls._args_schema.last_deployment_info.deployment + deployment.deployment_id = AAZStrArg( + options=["deployment-id"], + help="Deployment identifier.", + nullable=True, + ) + deployment.deployment_logs_url = AAZStrArg( + options=["deployment-logs-url"], + help="Url to access repository action logs.", + nullable=True, + ) + deployment.deployment_result = AAZStrArg( + options=["deployment-result"], + help="The outcome of the deployment.", + nullable=True, + enum={"Canceled": "Canceled", "Failed": "Failed", "Success": "Success"}, + ) + deployment.deployment_state = AAZStrArg( + options=["deployment-state"], + help="Current status of the deployment.", + nullable=True, + enum={"Canceling": "Canceling", "Completed": "Completed", "In_Progress": "In_Progress", "Queued": "Queued"}, + ) + deployment.deployment_time = AAZStrArg( + options=["deployment-time"], + help="The time when the deployment finished.", + nullable=True, + ) + + repository = cls._args_schema.repository + repository.branch = AAZStrArg( + options=["branch"], + help="Branch name of repository.", + nullable=True, + ) + repository.deployment_logs_url = AAZStrArg( + options=["deployment-logs-url"], + help="Url to access repository action logs.", + nullable=True, + ) + repository.display_url = AAZStrArg( + options=["display-url"], + help="Display url of repository.", + nullable=True, + ) + repository.path_mapping = AAZListArg( + options=["path-mapping"], + help="Dictionary of source control content type and path mapping.", + nullable=True, + ) + repository.url = AAZStrArg( + options=["url"], + help="Url of repository.", + nullable=True, + ) + + path_mapping = cls._args_schema.repository.path_mapping + path_mapping.Element = AAZObjectArg() + + _element = cls._args_schema.repository.path_mapping.Element + 
_element.content_type = AAZStrArg( + options=["content-type"], + help="Content type.", + nullable=True, + enum={"AnalyticRule": "AnalyticRule", "Workbook": "Workbook"}, + ) + _element.path = AAZStrArg( + options=["path"], + help="The path to the content.", + nullable=True, + ) + + repository_info = cls._args_schema.repository_info + repository_info.azure_dev_ops_resource_info = AAZObjectArg( + options=["azure-dev-ops-resource-info"], + help="Resources created in Azure DevOps for this source-control.", + nullable=True, + ) + repository_info.git_hub_resource_info = AAZObjectArg( + options=["git-hub-resource-info"], + help="Resources created in GitHub for this source-control.", + nullable=True, + ) + repository_info.webhook = AAZObjectArg( + options=["webhook"], + help="The webhook object created for the source-control.", + nullable=True, + ) + + azure_dev_ops_resource_info = cls._args_schema.repository_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrArg( + options=["pipeline-id"], + help="Id of the pipeline created for the source-control.", + nullable=True, + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrArg( + options=["service-connection-id"], + help="Id of the service-connection created for the source-control.", + nullable=True, + ) + + git_hub_resource_info = cls._args_schema.repository_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrArg( + options=["app-installation-id"], + help="GitHub application installation id.", + nullable=True, + ) + + webhook = cls._args_schema.repository_info.webhook + webhook.rotate_webhook_secret = AAZBoolArg( + options=["rotate-webhook-secret"], + help="A flag to instruct the backend service to rotate webhook secret.", + nullable=True, + ) + webhook.webhook_id = AAZStrArg( + options=["webhook-id"], + help="Unique identifier for the webhook.", + nullable=True, + ) + webhook.webhook_secret_update_time = AAZStrArg( + options=["webhook-secret-update-time"], 
+ help="Time when the webhook secret was updated.", + nullable=True, + ) + webhook.webhook_url = AAZStrArg( + options=["webhook-url"], + help="URL that gets invoked by the webhook.", + nullable=True, + ) + + # define Arg Group "SourceControl" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="SourceControl", + help="Etag of the azure resource", + nullable=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.SourceControlsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.SourceControlsCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class SourceControlsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sourceControlId", self.ctx.args.source_control_id, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", 
self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_source_control_read(cls._schema_on_200) + + return cls._schema_on_200 + + class SourceControlsCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "sourceControlId", self.ctx.args.source_control_id, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + 
**self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + _build_schema_source_control_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("contentTypes", AAZListType, ".content_types", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": 
{"required": True}}) + properties.set_prop("id", AAZStrType, ".id") + properties.set_prop("lastDeploymentInfo", AAZObjectType, ".last_deployment_info") + properties.set_prop("repoType", AAZStrType, ".repo_type", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("repository", AAZObjectType, ".repository", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("repositoryResourceInfo", AAZObjectType, ".repository_info") + properties.set_prop("version", AAZStrType, ".version") + + content_types = _builder.get(".properties.contentTypes") + if content_types is not None: + content_types.set_elements(AAZStrType, ".") + + last_deployment_info = _builder.get(".properties.lastDeploymentInfo") + if last_deployment_info is not None: + last_deployment_info.set_prop("deployment", AAZObjectType, ".deployment") + last_deployment_info.set_prop("deploymentFetchStatus", AAZStrType, ".deployment_fetch_status") + last_deployment_info.set_prop("message", AAZStrType, ".message") + + deployment = _builder.get(".properties.lastDeploymentInfo.deployment") + if deployment is not None: + deployment.set_prop("deploymentId", AAZStrType, ".deployment_id") + deployment.set_prop("deploymentLogsUrl", AAZStrType, ".deployment_logs_url") + deployment.set_prop("deploymentResult", AAZStrType, ".deployment_result") + deployment.set_prop("deploymentState", AAZStrType, ".deployment_state") + deployment.set_prop("deploymentTime", AAZStrType, ".deployment_time") + + repository = _builder.get(".properties.repository") + if repository is not None: + repository.set_prop("branch", AAZStrType, ".branch") + repository.set_prop("deploymentLogsUrl", AAZStrType, ".deployment_logs_url") + repository.set_prop("displayUrl", AAZStrType, ".display_url") + repository.set_prop("pathMapping", AAZListType, ".path_mapping") + repository.set_prop("url", AAZStrType, ".url") + + path_mapping = _builder.get(".properties.repository.pathMapping") + if path_mapping is not None: + 
path_mapping.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.repository.pathMapping[]") + if _elements is not None: + _elements.set_prop("contentType", AAZStrType, ".content_type") + _elements.set_prop("path", AAZStrType, ".path") + + repository_resource_info = _builder.get(".properties.repositoryResourceInfo") + if repository_resource_info is not None: + repository_resource_info.set_prop("azureDevOpsResourceInfo", AAZObjectType, ".azure_dev_ops_resource_info") + repository_resource_info.set_prop("gitHubResourceInfo", AAZObjectType, ".git_hub_resource_info") + repository_resource_info.set_prop("webhook", AAZObjectType, ".webhook") + + azure_dev_ops_resource_info = _builder.get(".properties.repositoryResourceInfo.azureDevOpsResourceInfo") + if azure_dev_ops_resource_info is not None: + azure_dev_ops_resource_info.set_prop("pipelineId", AAZStrType, ".pipeline_id") + azure_dev_ops_resource_info.set_prop("serviceConnectionId", AAZStrType, ".service_connection_id") + + git_hub_resource_info = _builder.get(".properties.repositoryResourceInfo.gitHubResourceInfo") + if git_hub_resource_info is not None: + git_hub_resource_info.set_prop("appInstallationId", AAZStrType, ".app_installation_id") + + webhook = _builder.get(".properties.repositoryResourceInfo.webhook") + if webhook is not None: + webhook.set_prop("rotateWebhookSecret", AAZBoolType, ".rotate_webhook_secret") + webhook.set_prop("webhookId", AAZStrType, ".webhook_id") + webhook.set_prop("webhookSecretUpdateTime", AAZStrType, ".webhook_secret_update_time") + webhook.set_prop("webhookUrl", AAZStrType, ".webhook_url") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +_schema_source_control_read = None + + +def _build_schema_source_control_read(_schema): + global _schema_source_control_read + if 
_schema_source_control_read is not None: + _schema.etag = _schema_source_control_read.etag + _schema.id = _schema_source_control_read.id + _schema.name = _schema_source_control_read.name + _schema.properties = _schema_source_control_read.properties + _schema.system_data = _schema_source_control_read.system_data + _schema.type = _schema_source_control_read.type + return + + _schema_source_control_read = AAZObjectType() + + source_control_read = _schema_source_control_read + source_control_read.etag = AAZStrType() + source_control_read.id = AAZStrType( + flags={"read_only": True}, + ) + source_control_read.name = AAZStrType( + flags={"read_only": True}, + ) + source_control_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + source_control_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + source_control_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_source_control_read.properties + properties.content_types = AAZListType( + serialized_name="contentTypes", + flags={"required": True}, + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.id = AAZStrType() + properties.last_deployment_info = AAZObjectType( + serialized_name="lastDeploymentInfo", + ) + properties.repo_type = AAZStrType( + serialized_name="repoType", + flags={"required": True}, + ) + properties.repository = AAZObjectType( + flags={"required": True}, + ) + properties.repository_resource_info = AAZObjectType( + serialized_name="repositoryResourceInfo", + ) + properties.version = AAZStrType() + + content_types = _schema_source_control_read.properties.content_types + content_types.Element = AAZStrType() + + last_deployment_info = _schema_source_control_read.properties.last_deployment_info + last_deployment_info.deployment = AAZObjectType() + last_deployment_info.deployment_fetch_status = AAZStrType( 
+ serialized_name="deploymentFetchStatus", + ) + last_deployment_info.message = AAZStrType() + + deployment = _schema_source_control_read.properties.last_deployment_info.deployment + deployment.deployment_id = AAZStrType( + serialized_name="deploymentId", + ) + deployment.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + deployment.deployment_result = AAZStrType( + serialized_name="deploymentResult", + ) + deployment.deployment_state = AAZStrType( + serialized_name="deploymentState", + ) + deployment.deployment_time = AAZStrType( + serialized_name="deploymentTime", + ) + + repository = _schema_source_control_read.properties.repository + repository.branch = AAZStrType() + repository.deployment_logs_url = AAZStrType( + serialized_name="deploymentLogsUrl", + ) + repository.display_url = AAZStrType( + serialized_name="displayUrl", + ) + repository.path_mapping = AAZListType( + serialized_name="pathMapping", + ) + repository.url = AAZStrType() + + path_mapping = _schema_source_control_read.properties.repository.path_mapping + path_mapping.Element = AAZObjectType() + + _element = _schema_source_control_read.properties.repository.path_mapping.Element + _element.content_type = AAZStrType( + serialized_name="contentType", + ) + _element.path = AAZStrType() + + repository_resource_info = _schema_source_control_read.properties.repository_resource_info + repository_resource_info.azure_dev_ops_resource_info = AAZObjectType( + serialized_name="azureDevOpsResourceInfo", + ) + repository_resource_info.git_hub_resource_info = AAZObjectType( + serialized_name="gitHubResourceInfo", + ) + repository_resource_info.webhook = AAZObjectType() + + azure_dev_ops_resource_info = _schema_source_control_read.properties.repository_resource_info.azure_dev_ops_resource_info + azure_dev_ops_resource_info.pipeline_id = AAZStrType( + serialized_name="pipelineId", + ) + azure_dev_ops_resource_info.service_connection_id = AAZStrType( + 
serialized_name="serviceConnectionId", + ) + + git_hub_resource_info = _schema_source_control_read.properties.repository_resource_info.git_hub_resource_info + git_hub_resource_info.app_installation_id = AAZStrType( + serialized_name="appInstallationId", + ) + + webhook = _schema_source_control_read.properties.repository_resource_info.webhook + webhook.rotate_webhook_secret = AAZBoolType( + serialized_name="rotateWebhookSecret", + ) + webhook.webhook_id = AAZStrType( + serialized_name="webhookId", + ) + webhook.webhook_secret_update_time = AAZStrType( + serialized_name="webhookSecretUpdateTime", + ) + webhook.webhook_url = AAZStrType( + serialized_name="webhookUrl", + ) + + system_data = _schema_source_control_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_source_control_read.etag + _schema.id = _schema_source_control_read.id + _schema.name = _schema_source_control_read.name + _schema.properties = _schema_source_control_read.properties + _schema.system_data = _schema_source_control_read.system_data + _schema.type = _schema_source_control_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__cmd_group.py new file mode 100644 index 00000000000..a455ac42fde 
--- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel threat-indicator", +) +class __CMDGroup(AAZCommandGroup): + """Manage threat intelligence indicator with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__init__.py new file mode 100644 index 00000000000..5cba78806b6 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/__init__.py @@ -0,0 +1,19 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._append_tag import * +from ._create import * +from ._delete import * +from ._list import * +from ._query import * +from ._replace_tag import * +from ._show import * +from ._update import * 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_append_tag.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_append_tag.py new file mode 100644 index 00000000000..19ba203c33c --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_append_tag.py 
@@ -0,0 +1,162 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator append-tag", + is_experimental=True, +) +class AppendTag(AAZCommand): + """Append tags to a threat intelligence indicator. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators/{}/appendtags", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.name = AAZStrArg( + options=["--name"], + help="Threat intelligence indicator name field.", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "ThreatIntelligenceAppendTags" + + _args_schema = cls._args_schema + _args_schema.intelligence_tags = AAZListArg( + options=["--intelligence-tags"], + arg_group="ThreatIntelligenceAppendTags", + help="List of tags to be appended.", + ) + + 
intelligence_tags = cls._args_schema.intelligence_tags + intelligence_tags.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorAppendTags(ctx=self.ctx)() + + class ThreatIntelligenceIndicatorAppendTags(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "name", self.ctx.args.name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": 
{"required": True, "client_flatten": True}} + ) + _builder.set_prop("threatIntelligenceTags", AAZListType, ".intelligence_tags") + + threat_intelligence_tags = _builder.get(".threatIntelligenceTags") + if threat_intelligence_tags is not None: + threat_intelligence_tags.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200(self, session): + pass + + +__all__ = ["AppendTag"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_create.py new file mode 100644 index 00000000000..88d9945d026 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_create.py 
@@ -0,0 +1,715 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator create", + is_experimental=True, +) +class Create(AAZCommand): + """Create a new threat intelligence indicator. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/createindicator", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.confidence = AAZIntArg( + options=["--confidence"], + arg_group="Properties", + help="Confidence of threat intelligence entity", + ) + _args_schema.created = AAZStrArg( + options=["--created"], + arg_group="Properties", + help="Created by", + ) + _args_schema.created_by_ref = AAZStrArg( + options=["--created-by-ref"], + arg_group="Properties", 
+ help="Created by reference of threat intelligence entity", + ) + _args_schema.defanged = AAZBoolArg( + options=["--defanged"], + arg_group="Properties", + help="Is threat intelligence entity defanged", + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="Description of a threat intelligence entity", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="Display name of a threat intelligence entity", + ) + _args_schema.external_id = AAZStrArg( + options=["--external-id"], + arg_group="Properties", + help="External ID of threat intelligence entity", + ) + _args_schema.external_updated_time = AAZStrArg( + options=["--external-updated-time"], + arg_group="Properties", + help="External last updated time in UTC", + ) + _args_schema.external_references = AAZListArg( + options=["--external-references"], + arg_group="Properties", + help="External References", + ) + _args_schema.granular_markings = AAZListArg( + options=["--granular-markings"], + arg_group="Properties", + help="Granular Markings", + ) + _args_schema.indicator_types = AAZListArg( + options=["--indicator-types"], + arg_group="Properties", + help="Indicator types of threat intelligence entities", + ) + _args_schema.kill_chain_phases = AAZListArg( + options=["--kill-chain-phases"], + arg_group="Properties", + help="Kill chain phases", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="Labels of threat intelligence entity", + ) + _args_schema.language = AAZStrArg( + options=["--language"], + arg_group="Properties", + help="Language of threat intelligence entity", + ) + _args_schema.last_updated_time = AAZStrArg( + options=["--last-updated-time"], + arg_group="Properties", + help="Last updated time in UTC", + ) + _args_schema.modified = AAZStrArg( + options=["--modified"], + arg_group="Properties", + help="Modified by", + ) + _args_schema.object_marking_refs = 
AAZListArg( + options=["--object-marking-refs"], + arg_group="Properties", + help="Threat intelligence entity object marking references", + ) + _args_schema.parsed_pattern = AAZListArg( + options=["--parsed-pattern"], + arg_group="Properties", + help="Parsed patterns", + ) + _args_schema.pattern = AAZStrArg( + options=["--pattern"], + arg_group="Properties", + help="Pattern of a threat intelligence entity", + ) + _args_schema.pattern_type = AAZStrArg( + options=["--pattern-type"], + arg_group="Properties", + help="Pattern type of a threat intelligence entity", + ) + _args_schema.pattern_version = AAZStrArg( + options=["--pattern-version"], + arg_group="Properties", + help="Pattern version of a threat intelligence entity", + ) + _args_schema.revoked = AAZBoolArg( + options=["--revoked"], + arg_group="Properties", + help="Is threat intelligence entity revoked", + ) + _args_schema.source = AAZStrArg( + options=["--source"], + arg_group="Properties", + help="Source of a threat intelligence entity", + ) + _args_schema.threat_tags = AAZListArg( + options=["--threat-tags"], + arg_group="Properties", + help="List of tags", + ) + _args_schema.threat_types = AAZListArg( + options=["--threat-types"], + arg_group="Properties", + help="Threat types", + ) + _args_schema.valid_from = AAZStrArg( + options=["--valid-from"], + arg_group="Properties", + help="Valid from", + ) + _args_schema.valid_until = AAZStrArg( + options=["--valid-until"], + arg_group="Properties", + help="Valid until", + ) + + external_references = cls._args_schema.external_references + external_references.Element = AAZObjectArg() + + _element = cls._args_schema.external_references.Element + _element.description = AAZStrArg( + options=["description"], + help="External reference description", + ) + _element.external_id = AAZStrArg( + options=["external-id"], + help="External reference ID", + ) + _element.hashes = AAZDictArg( + options=["hashes"], + help="External reference hashes", + ) + _element.source_name = 
AAZStrArg( + options=["source-name"], + help="External reference source name", + ) + _element.url = AAZStrArg( + options=["url"], + help="External reference URL", + ) + + hashes = cls._args_schema.external_references.Element.hashes + hashes.Element = AAZStrArg() + + granular_markings = cls._args_schema.granular_markings + granular_markings.Element = AAZObjectArg() + + _element = cls._args_schema.granular_markings.Element + _element.language = AAZStrArg( + options=["language"], + help="Language granular marking model", + ) + _element.marking_ref = AAZIntArg( + options=["marking-ref"], + help="marking reference granular marking model", + ) + _element.selectors = AAZListArg( + options=["selectors"], + help="granular marking model selectors", + ) + + selectors = cls._args_schema.granular_markings.Element.selectors + selectors.Element = AAZStrArg() + + indicator_types = cls._args_schema.indicator_types + indicator_types.Element = AAZStrArg() + + kill_chain_phases = cls._args_schema.kill_chain_phases + kill_chain_phases.Element = AAZObjectArg() + + _element = cls._args_schema.kill_chain_phases.Element + _element.kill_chain_name = AAZStrArg( + options=["kill-chain-name"], + help="Kill chainName name", + ) + _element.phase_name = AAZStrArg( + options=["phase-name"], + help="Phase name", + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + object_marking_refs = cls._args_schema.object_marking_refs + object_marking_refs.Element = AAZStrArg() + + parsed_pattern = cls._args_schema.parsed_pattern + parsed_pattern.Element = AAZObjectArg() + + _element = cls._args_schema.parsed_pattern.Element + _element.pattern_type_key = AAZStrArg( + options=["pattern-type-key"], + help="Pattern type key", + ) + _element.pattern_type_values = AAZListArg( + options=["pattern-type-values"], + help="Pattern type keys", + ) + + pattern_type_values = cls._args_schema.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectArg() + + _element = 
cls._args_schema.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrArg( + options=["value"], + help="Value of parsed pattern", + ) + _element.value_type = AAZStrArg( + options=["value-type"], + help="Type of the value", + ) + + threat_tags = cls._args_schema.threat_tags + threat_tags.Element = AAZStrArg() + + threat_types = cls._args_schema.threat_types + threat_types.Element = AAZStrArg() + + # define Arg Group "ThreatIntelligenceProperties" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="ThreatIntelligenceProperties", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorCreateIndicator(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ThreatIntelligenceIndicatorCreateIndicator(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + 
**self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "indicator", AAZStrType, ".", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("confidence", AAZIntType, ".confidence") + properties.set_prop("created", AAZStrType, ".created") + properties.set_prop("createdByRef", AAZStrType, ".created_by_ref") + properties.set_prop("defanged", AAZBoolType, ".defanged") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name") + properties.set_prop("externalId", AAZStrType, ".external_id") + properties.set_prop("externalLastUpdatedTimeUtc", AAZStrType, ".external_updated_time") + properties.set_prop("externalReferences", AAZListType, ".external_references") + properties.set_prop("granularMarkings", AAZListType, ".granular_markings") + properties.set_prop("indicatorTypes", AAZListType, ".indicator_types") + properties.set_prop("killChainPhases", AAZListType, ".kill_chain_phases") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("language", AAZStrType, 
".language") + properties.set_prop("lastUpdatedTimeUtc", AAZStrType, ".last_updated_time") + properties.set_prop("modified", AAZStrType, ".modified") + properties.set_prop("objectMarkingRefs", AAZListType, ".object_marking_refs") + properties.set_prop("parsedPattern", AAZListType, ".parsed_pattern") + properties.set_prop("pattern", AAZStrType, ".pattern") + properties.set_prop("patternType", AAZStrType, ".pattern_type") + properties.set_prop("patternVersion", AAZStrType, ".pattern_version") + properties.set_prop("revoked", AAZBoolType, ".revoked") + properties.set_prop("source", AAZStrType, ".source") + properties.set_prop("threatIntelligenceTags", AAZListType, ".threat_tags") + properties.set_prop("threatTypes", AAZListType, ".threat_types") + properties.set_prop("validFrom", AAZStrType, ".valid_from") + properties.set_prop("validUntil", AAZStrType, ".valid_until") + + external_references = _builder.get(".properties.externalReferences") + if external_references is not None: + external_references.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.externalReferences[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, ".description") + _elements.set_prop("externalId", AAZStrType, ".external_id") + _elements.set_prop("hashes", AAZDictType, ".hashes") + _elements.set_prop("sourceName", AAZStrType, ".source_name") + _elements.set_prop("url", AAZStrType, ".url") + + hashes = _builder.get(".properties.externalReferences[].hashes") + if hashes is not None: + hashes.set_elements(AAZStrType, ".") + + granular_markings = _builder.get(".properties.granularMarkings") + if granular_markings is not None: + granular_markings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.granularMarkings[]") + if _elements is not None: + _elements.set_prop("language", AAZStrType, ".language") + _elements.set_prop("markingRef", AAZIntType, ".marking_ref") + _elements.set_prop("selectors", AAZListType, ".selectors") + + selectors 
= _builder.get(".properties.granularMarkings[].selectors") + if selectors is not None: + selectors.set_elements(AAZStrType, ".") + + indicator_types = _builder.get(".properties.indicatorTypes") + if indicator_types is not None: + indicator_types.set_elements(AAZStrType, ".") + + kill_chain_phases = _builder.get(".properties.killChainPhases") + if kill_chain_phases is not None: + kill_chain_phases.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.killChainPhases[]") + if _elements is not None: + _elements.set_prop("killChainName", AAZStrType, ".kill_chain_name") + _elements.set_prop("phaseName", AAZStrType, ".phase_name") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + object_marking_refs = _builder.get(".properties.objectMarkingRefs") + if object_marking_refs is not None: + object_marking_refs.set_elements(AAZStrType, ".") + + parsed_pattern = _builder.get(".properties.parsedPattern") + if parsed_pattern is not None: + parsed_pattern.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[]") + if _elements is not None: + _elements.set_prop("patternTypeKey", AAZStrType, ".pattern_type_key") + _elements.set_prop("patternTypeValues", AAZListType, ".pattern_type_values") + + pattern_type_values = _builder.get(".properties.parsedPattern[].patternTypeValues") + if pattern_type_values is not None: + pattern_type_values.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[].patternTypeValues[]") + if _elements is not None: + _elements.set_prop("value", AAZStrType, ".value") + _elements.set_prop("valueType", AAZStrType, ".value_type") + + threat_intelligence_tags = _builder.get(".properties.threatIntelligenceTags") + if threat_intelligence_tags is not None: + threat_intelligence_tags.set_elements(AAZStrType, ".") + + threat_types = _builder.get(".properties.threatTypes") + if threat_types is not None: + 
threat_types.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = cls._schema_on_200_201.discriminate_by("kind", "indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + 
serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + serialized_name="threatIntelligenceTags", + ) + properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + 
external_references = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + _element.phase_name = AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = 
cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200_201 + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_delete.py new file mode 100644 index 00000000000..b861172b100 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_delete.py 
@@ -0,0 +1,133 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete a threat intelligence indicator. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.name = AAZStrArg( + options=["-n", "--name"], + help="Threat intelligence indicator name field.", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorDelete(ctx=self.ctx)() + + class ThreatIntelligenceIndicatorDelete(AAZHttpOperation): + CLIENT_TYPE = 
"MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "name", self.ctx.args.name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_list.py new file mode 100644 index 00000000000..4ff39a36d8a --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_list.py 
@@ -0,0 +1,383 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator list", + is_experimental=True, +) +class List(AAZCommand): + """Get all threat intelligence indicators. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.filter = AAZStrArg( + options=["--filter"], + help="Filters the results, based on a Boolean condition. Optional.", + ) + _args_schema.orderby = AAZStrArg( + options=["--orderby"], + help="Sorts the results. Optional.", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. 
If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + ) + _args_schema.top = AAZIntArg( + options=["--top"], + help="Returns only the first n results. Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class ThreatIntelligenceIndicatorsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$filter", self.ctx.args.filter, + ), + **self.serialize_query_param( + 
"$orderby", self.ctx.args.orderby, + ), + **self.serialize_query_param( + "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "$top", self.ctx.args.top, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + 
flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + 
properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + serialized_name="threatIntelligenceTags", + ) + properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + external_references = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200.value.Element.discriminate_by("kind", 
"indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + _element.phase_name = AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200.value.Element.discriminate_by("kind", 
"indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_query.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_query.py new file mode 100644 index 00000000000..9139d22662f --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_query.py 
@@ -0,0 +1,508 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator query", + is_experimental=True, +) +class Query(AAZCommand): + """Query threat intelligence indicators as per filtering criteria. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/queryindicators", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "ThreatIntelligenceFilteringCriteria" + + _args_schema = cls._args_schema + _args_schema.ids = AAZListArg( + options=["--ids"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Ids of threat intelligence indicators", + ) + _args_schema.include_disabled = AAZBoolArg( + options=["--include-disabled"], + 
arg_group="ThreatIntelligenceFilteringCriteria", + help="Parameter to include/exclude disabled indicators.", + ) + _args_schema.keywords = AAZListArg( + options=["--keywords"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Keywords for searching threat intelligence indicators", + ) + _args_schema.max_confidence = AAZIntArg( + options=["--max-confidence"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Maximum confidence.", + ) + _args_schema.max_valid_until = AAZStrArg( + options=["--max-valid-until"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="End time for ValidUntil filter.", + ) + _args_schema.min_confidence = AAZIntArg( + options=["--min-confidence"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Minimum confidence.", + ) + _args_schema.min_valid_until = AAZStrArg( + options=["--min-valid-until"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Start time for ValidUntil filter.", + ) + _args_schema.page_size = AAZIntArg( + options=["--page-size"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Page size", + ) + _args_schema.pattern_types = AAZListArg( + options=["--pattern-types"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Pattern types", + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Skip token.", + ) + _args_schema.sort_by = AAZListArg( + options=["--sort-by"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Columns to sort by and sorting order", + ) + _args_schema.sources = AAZListArg( + options=["--sources"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Sources of threat intelligence indicators", + ) + _args_schema.threat_types = AAZListArg( + options=["--threat-types"], + arg_group="ThreatIntelligenceFilteringCriteria", + help="Threat types of threat intelligence indicators", + ) + + ids = cls._args_schema.ids + ids.Element = AAZStrArg() + + keywords = 
cls._args_schema.keywords + keywords.Element = AAZStrArg() + + pattern_types = cls._args_schema.pattern_types + pattern_types.Element = AAZStrArg() + + sort_by = cls._args_schema.sort_by + sort_by.Element = AAZObjectArg() + + _element = cls._args_schema.sort_by.Element + _element.item_key = AAZStrArg( + options=["item-key"], + help="Column name", + ) + _element.sort_order = AAZStrArg( + options=["sort-order"], + help="Sorting order (ascending/descending/unsorted).", + enum={"ascending": "ascending", "descending": "descending", "unsorted": "unsorted"}, + ) + + sources = cls._args_schema.sources + sources.Element = AAZStrArg() + + threat_types = cls._args_schema.threat_types + threat_types.Element = AAZStrArg() + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorQueryIndicators(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class ThreatIntelligenceIndicatorQueryIndicators(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", 
self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("ids", AAZListType, ".ids") + _builder.set_prop("includeDisabled", AAZBoolType, ".include_disabled") + _builder.set_prop("keywords", AAZListType, ".keywords") + _builder.set_prop("maxConfidence", AAZIntType, ".max_confidence") + _builder.set_prop("maxValidUntil", AAZStrType, ".max_valid_until") + _builder.set_prop("minConfidence", AAZIntType, ".min_confidence") + _builder.set_prop("minValidUntil", AAZStrType, ".min_valid_until") + _builder.set_prop("pageSize", AAZIntType, ".page_size") + _builder.set_prop("patternTypes", AAZListType, ".pattern_types") + _builder.set_prop("skipToken", AAZStrType, ".skip_token") + _builder.set_prop("sortBy", AAZListType, ".sort_by") + _builder.set_prop("sources", AAZListType, ".sources") + _builder.set_prop("threatTypes", AAZListType, ".threat_types") + + ids = _builder.get(".ids") + if ids is not None: + ids.set_elements(AAZStrType, ".") + + keywords = _builder.get(".keywords") + if keywords is not None: + keywords.set_elements(AAZStrType, ".") + + pattern_types = _builder.get(".patternTypes") + if pattern_types is not None: + 
pattern_types.set_elements(AAZStrType, ".") + + sort_by = _builder.get(".sortBy") + if sort_by is not None: + sort_by.set_elements(AAZObjectType) + + _elements = _builder.get(".sortBy[]") + if _elements is not None: + _elements.set_prop("itemKey", AAZStrType, ".item_key") + _elements.set_prop("sortOrder", AAZStrType, ".sort_order") + + sources = _builder.get(".sources") + if sources is not None: + sources.set_elements(AAZStrType, ".") + + threat_types = _builder.get(".threatTypes") + if threat_types is not None: + threat_types.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.kind = AAZStrType( + flags={"required": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + 
serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = 
AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + serialized_name="threatIntelligenceTags", + ) + properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + external_references = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200.value.Element.discriminate_by("kind", 
"indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + _element.phase_name = AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200.value.Element.discriminate_by("kind", 
"indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200.value.Element.discriminate_by("kind", "indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Query"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_replace_tag.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_replace_tag.py new file mode 100644 index 00000000000..bcdc87e2898 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_replace_tag.py 
@@ -0,0 +1,725 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator replace-tag", + is_experimental=True, +) +class ReplaceTag(AAZCommand): + """Replace tags added to a threat intelligence indicator. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators/{}/replacetags", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.name = AAZStrArg( + options=["--name"], + help="Threat intelligence indicator name field.", + required=True, + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.confidence = AAZIntArg( + options=["--confidence"], + arg_group="Properties", + help="Confidence of threat intelligence entity", + ) + _args_schema.created = 
AAZStrArg( + options=["--created"], + arg_group="Properties", + help="Created by", + ) + _args_schema.created_by_ref = AAZStrArg( + options=["--created-by-ref"], + arg_group="Properties", + help="Created by reference of threat intelligence entity", + ) + _args_schema.defanged = AAZBoolArg( + options=["--defanged"], + arg_group="Properties", + help="Is threat intelligence entity defanged", + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="Description of a threat intelligence entity", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="Display name of a threat intelligence entity", + ) + _args_schema.external_id = AAZStrArg( + options=["--external-id"], + arg_group="Properties", + help="External ID of threat intelligence entity", + ) + _args_schema.external_updated_time = AAZStrArg( + options=["--external-updated-time"], + arg_group="Properties", + help="External last updated time in UTC", + ) + _args_schema.external_references = AAZListArg( + options=["--external-references"], + arg_group="Properties", + help="External References", + ) + _args_schema.granular_markings = AAZListArg( + options=["--granular-markings"], + arg_group="Properties", + help="Granular Markings", + ) + _args_schema.indicator_types = AAZListArg( + options=["--indicator-types"], + arg_group="Properties", + help="Indicator types of threat intelligence entities", + ) + _args_schema.kill_chain_phases = AAZListArg( + options=["--kill-chain-phases"], + arg_group="Properties", + help="Kill chain phases", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="Labels of threat intelligence entity", + ) + _args_schema.language = AAZStrArg( + options=["--language"], + arg_group="Properties", + help="Language of threat intelligence entity", + ) + _args_schema.last_updated_time = AAZStrArg( + options=["--last-updated-time"], + arg_group="Properties", + 
help="Last updated time in UTC", + ) + _args_schema.modified = AAZStrArg( + options=["--modified"], + arg_group="Properties", + help="Modified by", + ) + _args_schema.object_marking_refs = AAZListArg( + options=["--object-marking-refs"], + arg_group="Properties", + help="Threat intelligence entity object marking references", + ) + _args_schema.parsed_pattern = AAZListArg( + options=["--parsed-pattern"], + arg_group="Properties", + help="Parsed patterns", + ) + _args_schema.pattern = AAZStrArg( + options=["--pattern"], + arg_group="Properties", + help="Pattern of a threat intelligence entity", + ) + _args_schema.pattern_type = AAZStrArg( + options=["--pattern-type"], + arg_group="Properties", + help="Pattern type of a threat intelligence entity", + ) + _args_schema.pattern_version = AAZStrArg( + options=["--pattern-version"], + arg_group="Properties", + help="Pattern version of a threat intelligence entity", + ) + _args_schema.revoked = AAZBoolArg( + options=["--revoked"], + arg_group="Properties", + help="Is threat intelligence entity revoked", + ) + _args_schema.source = AAZStrArg( + options=["--source"], + arg_group="Properties", + help="Source of a threat intelligence entity", + ) + _args_schema.intelligence_tags = AAZListArg( + options=["--intelligence-tags"], + arg_group="Properties", + help="List of tags", + ) + _args_schema.threat_types = AAZListArg( + options=["--threat-types"], + arg_group="Properties", + help="Threat types", + ) + _args_schema.valid_from = AAZStrArg( + options=["--valid-from"], + arg_group="Properties", + help="Valid from", + ) + _args_schema.valid_until = AAZStrArg( + options=["--valid-until"], + arg_group="Properties", + help="Valid until", + ) + + external_references = cls._args_schema.external_references + external_references.Element = AAZObjectArg() + + _element = cls._args_schema.external_references.Element + _element.description = AAZStrArg( + options=["description"], + help="External reference description", + ) + 
_element.external_id = AAZStrArg( + options=["external-id"], + help="External reference ID", + ) + _element.hashes = AAZDictArg( + options=["hashes"], + help="External reference hashes", + ) + _element.source_name = AAZStrArg( + options=["source-name"], + help="External reference source name", + ) + _element.url = AAZStrArg( + options=["url"], + help="External reference URL", + ) + + hashes = cls._args_schema.external_references.Element.hashes + hashes.Element = AAZStrArg() + + granular_markings = cls._args_schema.granular_markings + granular_markings.Element = AAZObjectArg() + + _element = cls._args_schema.granular_markings.Element + _element.language = AAZStrArg( + options=["language"], + help="Language granular marking model", + ) + _element.marking_ref = AAZIntArg( + options=["marking-ref"], + help="marking reference granular marking model", + ) + _element.selectors = AAZListArg( + options=["selectors"], + help="granular marking model selectors", + ) + + selectors = cls._args_schema.granular_markings.Element.selectors + selectors.Element = AAZStrArg() + + indicator_types = cls._args_schema.indicator_types + indicator_types.Element = AAZStrArg() + + kill_chain_phases = cls._args_schema.kill_chain_phases + kill_chain_phases.Element = AAZObjectArg() + + _element = cls._args_schema.kill_chain_phases.Element + _element.kill_chain_name = AAZStrArg( + options=["kill-chain-name"], + help="Kill chainName name", + ) + _element.phase_name = AAZStrArg( + options=["phase-name"], + help="Phase name", + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + object_marking_refs = cls._args_schema.object_marking_refs + object_marking_refs.Element = AAZStrArg() + + parsed_pattern = cls._args_schema.parsed_pattern + parsed_pattern.Element = AAZObjectArg() + + _element = cls._args_schema.parsed_pattern.Element + _element.pattern_type_key = AAZStrArg( + options=["pattern-type-key"], + help="Pattern type key", + ) + _element.pattern_type_values = AAZListArg( + 
options=["pattern-type-values"], + help="Pattern type keys", + ) + + pattern_type_values = cls._args_schema.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectArg() + + _element = cls._args_schema.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrArg( + options=["value"], + help="Value of parsed pattern", + ) + _element.value_type = AAZStrArg( + options=["value-type"], + help="Type of the value", + ) + + intelligence_tags = cls._args_schema.intelligence_tags + intelligence_tags.Element = AAZStrArg() + + threat_types = cls._args_schema.threat_types + threat_types.Element = AAZStrArg() + + # define Arg Group "ThreatIntelligenceReplaceTags" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="ThreatIntelligenceReplaceTags", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorReplaceTags(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ThreatIntelligenceIndicatorReplaceTags(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags", + **self.url_parameters + ) + + @property + def method(self): + return "POST" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + 
parameters = { + **self.serialize_url_param( + "name", self.ctx.args.name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "indicator", AAZStrType, ".", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("confidence", AAZIntType, ".confidence") + properties.set_prop("created", AAZStrType, ".created") + properties.set_prop("createdByRef", AAZStrType, ".created_by_ref") + properties.set_prop("defanged", AAZBoolType, ".defanged") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name") + properties.set_prop("externalId", AAZStrType, ".external_id") + properties.set_prop("externalLastUpdatedTimeUtc", AAZStrType, ".external_updated_time") + properties.set_prop("externalReferences", AAZListType, ".external_references") + 
properties.set_prop("granularMarkings", AAZListType, ".granular_markings") + properties.set_prop("indicatorTypes", AAZListType, ".indicator_types") + properties.set_prop("killChainPhases", AAZListType, ".kill_chain_phases") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("language", AAZStrType, ".language") + properties.set_prop("lastUpdatedTimeUtc", AAZStrType, ".last_updated_time") + properties.set_prop("modified", AAZStrType, ".modified") + properties.set_prop("objectMarkingRefs", AAZListType, ".object_marking_refs") + properties.set_prop("parsedPattern", AAZListType, ".parsed_pattern") + properties.set_prop("pattern", AAZStrType, ".pattern") + properties.set_prop("patternType", AAZStrType, ".pattern_type") + properties.set_prop("patternVersion", AAZStrType, ".pattern_version") + properties.set_prop("revoked", AAZBoolType, ".revoked") + properties.set_prop("source", AAZStrType, ".source") + properties.set_prop("threatIntelligenceTags", AAZListType, ".intelligence_tags") + properties.set_prop("threatTypes", AAZListType, ".threat_types") + properties.set_prop("validFrom", AAZStrType, ".valid_from") + properties.set_prop("validUntil", AAZStrType, ".valid_until") + + external_references = _builder.get(".properties.externalReferences") + if external_references is not None: + external_references.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.externalReferences[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, ".description") + _elements.set_prop("externalId", AAZStrType, ".external_id") + _elements.set_prop("hashes", AAZDictType, ".hashes") + _elements.set_prop("sourceName", AAZStrType, ".source_name") + _elements.set_prop("url", AAZStrType, ".url") + + hashes = _builder.get(".properties.externalReferences[].hashes") + if hashes is not None: + hashes.set_elements(AAZStrType, ".") + + granular_markings = _builder.get(".properties.granularMarkings") + if granular_markings is not None: + 
granular_markings.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.granularMarkings[]") + if _elements is not None: + _elements.set_prop("language", AAZStrType, ".language") + _elements.set_prop("markingRef", AAZIntType, ".marking_ref") + _elements.set_prop("selectors", AAZListType, ".selectors") + + selectors = _builder.get(".properties.granularMarkings[].selectors") + if selectors is not None: + selectors.set_elements(AAZStrType, ".") + + indicator_types = _builder.get(".properties.indicatorTypes") + if indicator_types is not None: + indicator_types.set_elements(AAZStrType, ".") + + kill_chain_phases = _builder.get(".properties.killChainPhases") + if kill_chain_phases is not None: + kill_chain_phases.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.killChainPhases[]") + if _elements is not None: + _elements.set_prop("killChainName", AAZStrType, ".kill_chain_name") + _elements.set_prop("phaseName", AAZStrType, ".phase_name") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + object_marking_refs = _builder.get(".properties.objectMarkingRefs") + if object_marking_refs is not None: + object_marking_refs.set_elements(AAZStrType, ".") + + parsed_pattern = _builder.get(".properties.parsedPattern") + if parsed_pattern is not None: + parsed_pattern.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[]") + if _elements is not None: + _elements.set_prop("patternTypeKey", AAZStrType, ".pattern_type_key") + _elements.set_prop("patternTypeValues", AAZListType, ".pattern_type_values") + + pattern_type_values = _builder.get(".properties.parsedPattern[].patternTypeValues") + if pattern_type_values is not None: + pattern_type_values.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[].patternTypeValues[]") + if _elements is not None: + _elements.set_prop("value", AAZStrType, ".value") + 
_elements.set_prop("valueType", AAZStrType, ".value_type") + + threat_intelligence_tags = _builder.get(".properties.threatIntelligenceTags") + if threat_intelligence_tags is not None: + threat_intelligence_tags.set_elements(AAZStrType, ".") + + threat_types = _builder.get(".properties.threatTypes") + if threat_types is not None: + threat_types.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = 
cls._schema_on_200.discriminate_by("kind", "indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + 
serialized_name="threatIntelligenceTags", + ) + properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + external_references = cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200.discriminate_by("kind", "indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + 
_element.phase_name = AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = cls._schema_on_200.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200.discriminate_by("kind", "indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200.discriminate_by("kind", "indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["ReplaceTag"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_show.py new file mode 100644 index 00000000000..4ccf7c17c8b --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_show.py 
@@ -0,0 +1,353 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator show", + is_experimental=True, +) +class Show(AAZCommand): + """View a threat intelligence indicator by name. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.name = AAZStrArg( + options=["-n", "--name"], + help="Threat intelligence indicator name field.", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + 
class ThreatIntelligenceIndicatorGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "name", self.ctx.args.name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + 
_schema_on_200.etag = AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = cls._schema_on_200.discriminate_by("kind", "indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + 
properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + serialized_name="threatIntelligenceTags", + ) + properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + external_references = cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = 
cls._schema_on_200.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200.discriminate_by("kind", "indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200.discriminate_by("kind", "indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + _element.phase_name = AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = cls._schema_on_200.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = 
cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200.discriminate_by("kind", "indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200.discriminate_by("kind", "indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200 + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_update.py new file mode 100644 index 00000000000..cee72030410 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/_update.py 
@@ -0,0 +1,726 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator update", + is_experimental=True, +) +class Update(AAZCommand): + """Update a threat Intelligence indicator. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/indicators/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.name = AAZStrArg( + options=["-n", "--name"], + help="Threat intelligence indicator name field.", + required=True, + id_part="child_name_2", + ) + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.confidence = AAZIntArg( + options=["--confidence"], + arg_group="Properties", + help="Confidence of threat intelligence entity", + ) + _args_schema.created = AAZStrArg( + 
options=["--created"], + arg_group="Properties", + help="Created by", + ) + _args_schema.created_by_ref = AAZStrArg( + options=["--created-by-ref"], + arg_group="Properties", + help="Created by reference of threat intelligence entity", + ) + _args_schema.defanged = AAZBoolArg( + options=["--defanged"], + arg_group="Properties", + help="Is threat intelligence entity defanged", + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="Description of a threat intelligence entity", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="Display name of a threat intelligence entity", + ) + _args_schema.external_id = AAZStrArg( + options=["--external-id"], + arg_group="Properties", + help="External ID of threat intelligence entity", + ) + _args_schema.external_updated_time = AAZStrArg( + options=["--external-updated-time"], + arg_group="Properties", + help="External last updated time in UTC", + ) + _args_schema.external_references = AAZListArg( + options=["--external-references"], + arg_group="Properties", + help="External References", + ) + _args_schema.granular_markings = AAZListArg( + options=["--granular-markings"], + arg_group="Properties", + help="Granular Markings", + ) + _args_schema.indicator_types = AAZListArg( + options=["--indicator-types"], + arg_group="Properties", + help="Indicator types of threat intelligence entities", + ) + _args_schema.kill_chain_phases = AAZListArg( + options=["--kill-chain-phases"], + arg_group="Properties", + help="Kill chain phases", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="Labels of threat intelligence entity", + ) + _args_schema.language = AAZStrArg( + options=["--language"], + arg_group="Properties", + help="Language of threat intelligence entity", + ) + _args_schema.last_updated_time = AAZStrArg( + options=["--last-updated-time"], + arg_group="Properties", + help="Last 
updated time in UTC", + ) + _args_schema.modified = AAZStrArg( + options=["--modified"], + arg_group="Properties", + help="Modified by", + ) + _args_schema.object_marking_refs = AAZListArg( + options=["--object-marking-refs"], + arg_group="Properties", + help="Threat intelligence entity object marking references", + ) + _args_schema.parsed_pattern = AAZListArg( + options=["--parsed-pattern"], + arg_group="Properties", + help="Parsed patterns", + ) + _args_schema.pattern = AAZStrArg( + options=["--pattern"], + arg_group="Properties", + help="Pattern of a threat intelligence entity", + ) + _args_schema.pattern_type = AAZStrArg( + options=["--pattern-type"], + arg_group="Properties", + help="Pattern type of a threat intelligence entity", + ) + _args_schema.pattern_version = AAZStrArg( + options=["--pattern-version"], + arg_group="Properties", + help="Pattern version of a threat intelligence entity", + ) + _args_schema.revoked = AAZBoolArg( + options=["--revoked"], + arg_group="Properties", + help="Is threat intelligence entity revoked", + ) + _args_schema.source = AAZStrArg( + options=["--source"], + arg_group="Properties", + help="Source of a threat intelligence entity", + ) + _args_schema.threat_tags = AAZListArg( + options=["--threat-tags"], + arg_group="Properties", + help="List of tags", + ) + _args_schema.threat_types = AAZListArg( + options=["--threat-types"], + arg_group="Properties", + help="Threat types", + ) + _args_schema.valid_from = AAZStrArg( + options=["--valid-from"], + arg_group="Properties", + help="Valid from", + ) + _args_schema.valid_until = AAZStrArg( + options=["--valid-until"], + arg_group="Properties", + help="Valid until", + ) + + external_references = cls._args_schema.external_references + external_references.Element = AAZObjectArg() + + _element = cls._args_schema.external_references.Element + _element.description = AAZStrArg( + options=["description"], + help="External reference description", + ) + _element.external_id = AAZStrArg( + 
options=["external-id"], + help="External reference ID", + ) + _element.hashes = AAZDictArg( + options=["hashes"], + help="External reference hashes", + ) + _element.source_name = AAZStrArg( + options=["source-name"], + help="External reference source name", + ) + _element.url = AAZStrArg( + options=["url"], + help="External reference URL", + ) + + hashes = cls._args_schema.external_references.Element.hashes + hashes.Element = AAZStrArg() + + granular_markings = cls._args_schema.granular_markings + granular_markings.Element = AAZObjectArg() + + _element = cls._args_schema.granular_markings.Element + _element.language = AAZStrArg( + options=["language"], + help="Language granular marking model", + ) + _element.marking_ref = AAZIntArg( + options=["marking-ref"], + help="marking reference granular marking model", + ) + _element.selectors = AAZListArg( + options=["selectors"], + help="granular marking model selectors", + ) + + selectors = cls._args_schema.granular_markings.Element.selectors + selectors.Element = AAZStrArg() + + indicator_types = cls._args_schema.indicator_types + indicator_types.Element = AAZStrArg() + + kill_chain_phases = cls._args_schema.kill_chain_phases + kill_chain_phases.Element = AAZObjectArg() + + _element = cls._args_schema.kill_chain_phases.Element + _element.kill_chain_name = AAZStrArg( + options=["kill-chain-name"], + help="Kill chainName name", + ) + _element.phase_name = AAZStrArg( + options=["phase-name"], + help="Phase name", + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + object_marking_refs = cls._args_schema.object_marking_refs + object_marking_refs.Element = AAZStrArg() + + parsed_pattern = cls._args_schema.parsed_pattern + parsed_pattern.Element = AAZObjectArg() + + _element = cls._args_schema.parsed_pattern.Element + _element.pattern_type_key = AAZStrArg( + options=["pattern-type-key"], + help="Pattern type key", + ) + _element.pattern_type_values = AAZListArg( + options=["pattern-type-values"], + 
help="Pattern type keys", + ) + + pattern_type_values = cls._args_schema.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectArg() + + _element = cls._args_schema.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrArg( + options=["value"], + help="Value of parsed pattern", + ) + _element.value_type = AAZStrArg( + options=["value-type"], + help="Type of the value", + ) + + threat_tags = cls._args_schema.threat_tags + threat_tags.Element = AAZStrArg() + + threat_types = cls._args_schema.threat_types + threat_types.Element = AAZStrArg() + + # define Arg Group "ThreatIntelligenceProperties" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="ThreatIntelligenceProperties", + help="Etag of the azure resource", + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorCreate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ThreatIntelligenceIndicatorCreate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "name", 
self.ctx.args.name, + required=True, + ), + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_const("kind", "indicator", AAZStrType, ".", typ_kwargs={"flags": {"required": True}}) + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("confidence", AAZIntType, ".confidence") + properties.set_prop("created", AAZStrType, ".created") + properties.set_prop("createdByRef", AAZStrType, ".created_by_ref") + properties.set_prop("defanged", AAZBoolType, ".defanged") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name") + properties.set_prop("externalId", AAZStrType, ".external_id") + properties.set_prop("externalLastUpdatedTimeUtc", AAZStrType, ".external_updated_time") + properties.set_prop("externalReferences", AAZListType, ".external_references") + properties.set_prop("granularMarkings", AAZListType, ".granular_markings") + 
properties.set_prop("indicatorTypes", AAZListType, ".indicator_types") + properties.set_prop("killChainPhases", AAZListType, ".kill_chain_phases") + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("language", AAZStrType, ".language") + properties.set_prop("lastUpdatedTimeUtc", AAZStrType, ".last_updated_time") + properties.set_prop("modified", AAZStrType, ".modified") + properties.set_prop("objectMarkingRefs", AAZListType, ".object_marking_refs") + properties.set_prop("parsedPattern", AAZListType, ".parsed_pattern") + properties.set_prop("pattern", AAZStrType, ".pattern") + properties.set_prop("patternType", AAZStrType, ".pattern_type") + properties.set_prop("patternVersion", AAZStrType, ".pattern_version") + properties.set_prop("revoked", AAZBoolType, ".revoked") + properties.set_prop("source", AAZStrType, ".source") + properties.set_prop("threatIntelligenceTags", AAZListType, ".threat_tags") + properties.set_prop("threatTypes", AAZListType, ".threat_types") + properties.set_prop("validFrom", AAZStrType, ".valid_from") + properties.set_prop("validUntil", AAZStrType, ".valid_until") + + external_references = _builder.get(".properties.externalReferences") + if external_references is not None: + external_references.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.externalReferences[]") + if _elements is not None: + _elements.set_prop("description", AAZStrType, ".description") + _elements.set_prop("externalId", AAZStrType, ".external_id") + _elements.set_prop("hashes", AAZDictType, ".hashes") + _elements.set_prop("sourceName", AAZStrType, ".source_name") + _elements.set_prop("url", AAZStrType, ".url") + + hashes = _builder.get(".properties.externalReferences[].hashes") + if hashes is not None: + hashes.set_elements(AAZStrType, ".") + + granular_markings = _builder.get(".properties.granularMarkings") + if granular_markings is not None: + granular_markings.set_elements(AAZObjectType) + + _elements = 
_builder.get(".properties.granularMarkings[]") + if _elements is not None: + _elements.set_prop("language", AAZStrType, ".language") + _elements.set_prop("markingRef", AAZIntType, ".marking_ref") + _elements.set_prop("selectors", AAZListType, ".selectors") + + selectors = _builder.get(".properties.granularMarkings[].selectors") + if selectors is not None: + selectors.set_elements(AAZStrType, ".") + + indicator_types = _builder.get(".properties.indicatorTypes") + if indicator_types is not None: + indicator_types.set_elements(AAZStrType, ".") + + kill_chain_phases = _builder.get(".properties.killChainPhases") + if kill_chain_phases is not None: + kill_chain_phases.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.killChainPhases[]") + if _elements is not None: + _elements.set_prop("killChainName", AAZStrType, ".kill_chain_name") + _elements.set_prop("phaseName", AAZStrType, ".phase_name") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + object_marking_refs = _builder.get(".properties.objectMarkingRefs") + if object_marking_refs is not None: + object_marking_refs.set_elements(AAZStrType, ".") + + parsed_pattern = _builder.get(".properties.parsedPattern") + if parsed_pattern is not None: + parsed_pattern.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[]") + if _elements is not None: + _elements.set_prop("patternTypeKey", AAZStrType, ".pattern_type_key") + _elements.set_prop("patternTypeValues", AAZListType, ".pattern_type_values") + + pattern_type_values = _builder.get(".properties.parsedPattern[].patternTypeValues") + if pattern_type_values is not None: + pattern_type_values.set_elements(AAZObjectType) + + _elements = _builder.get(".properties.parsedPattern[].patternTypeValues[]") + if _elements is not None: + _elements.set_prop("value", AAZStrType, ".value") + _elements.set_prop("valueType", AAZStrType, ".value_type") + + threat_intelligence_tags 
= _builder.get(".properties.threatIntelligenceTags") + if threat_intelligence_tags is not None: + threat_intelligence_tags.set_elements(AAZStrType, ".") + + threat_types = _builder.get(".properties.threatTypes") + if threat_types is not None: + threat_types.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.kind = AAZStrType( + flags={"required": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + disc_indicator = cls._schema_on_200_201.discriminate_by("kind", 
"indicator") + disc_indicator.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + + properties = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties + properties.additional_data = AAZDictType( + serialized_name="additionalData", + flags={"read_only": True}, + ) + properties.confidence = AAZIntType() + properties.created = AAZStrType() + properties.created_by_ref = AAZStrType( + serialized_name="createdByRef", + ) + properties.defanged = AAZBoolType() + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + ) + properties.external_id = AAZStrType( + serialized_name="externalId", + ) + properties.external_last_updated_time_utc = AAZStrType( + serialized_name="externalLastUpdatedTimeUtc", + ) + properties.external_references = AAZListType( + serialized_name="externalReferences", + ) + properties.friendly_name = AAZStrType( + serialized_name="friendlyName", + flags={"read_only": True}, + ) + properties.granular_markings = AAZListType( + serialized_name="granularMarkings", + ) + properties.indicator_types = AAZListType( + serialized_name="indicatorTypes", + ) + properties.kill_chain_phases = AAZListType( + serialized_name="killChainPhases", + ) + properties.labels = AAZListType() + properties.language = AAZStrType() + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.modified = AAZStrType() + properties.object_marking_refs = AAZListType( + serialized_name="objectMarkingRefs", + ) + properties.parsed_pattern = AAZListType( + serialized_name="parsedPattern", + ) + properties.pattern = AAZStrType() + properties.pattern_type = AAZStrType( + serialized_name="patternType", + ) + properties.pattern_version = AAZStrType( + serialized_name="patternVersion", + ) + properties.revoked = AAZBoolType() + properties.source = AAZStrType() + properties.threat_intelligence_tags = AAZListType( + serialized_name="threatIntelligenceTags", + ) + 
properties.threat_types = AAZListType( + serialized_name="threatTypes", + ) + properties.valid_from = AAZStrType( + serialized_name="validFrom", + ) + properties.valid_until = AAZStrType( + serialized_name="validUntil", + ) + + external_references = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references + external_references.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references.Element + _element.description = AAZStrType() + _element.external_id = AAZStrType( + serialized_name="externalId", + ) + _element.hashes = AAZDictType() + _element.source_name = AAZStrType( + serialized_name="sourceName", + ) + _element.url = AAZStrType() + + hashes = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.external_references.Element.hashes + hashes.Element = AAZStrType() + + granular_markings = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings + granular_markings.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings.Element + _element.language = AAZStrType() + _element.marking_ref = AAZIntType( + serialized_name="markingRef", + ) + _element.selectors = AAZListType() + + selectors = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.granular_markings.Element.selectors + selectors.Element = AAZStrType() + + indicator_types = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.indicator_types + indicator_types.Element = AAZStrType() + + kill_chain_phases = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.kill_chain_phases + kill_chain_phases.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.kill_chain_phases.Element + _element.kill_chain_name = AAZStrType( + serialized_name="killChainName", + ) + _element.phase_name 
= AAZStrType( + serialized_name="phaseName", + ) + + labels = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.labels + labels.Element = AAZStrType() + + object_marking_refs = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.object_marking_refs + object_marking_refs.Element = AAZStrType() + + parsed_pattern = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern + parsed_pattern.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element + _element.pattern_type_key = AAZStrType( + serialized_name="patternTypeKey", + ) + _element.pattern_type_values = AAZListType( + serialized_name="patternTypeValues", + ) + + pattern_type_values = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values + pattern_type_values.Element = AAZObjectType() + + _element = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.parsed_pattern.Element.pattern_type_values.Element + _element.value = AAZStrType() + _element.value_type = AAZStrType( + serialized_name="valueType", + ) + + threat_intelligence_tags = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.threat_intelligence_tags + threat_intelligence_tags.Element = AAZStrType() + + threat_types = cls._schema_on_200_201.discriminate_by("kind", "indicator").properties.threat_types + threat_types.Element = AAZStrType() + + return cls._schema_on_200_201 + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__cmd_group.py new file mode 100644 index 00000000000..954ed04dde4 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__cmd_group.py 
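Review bot: `_execute_operations` dispatches the `update` command to `ThreatIntelligenceIndicatorCreate`, whose `method` is `"PUT"` and whose `content` is built only from the arguments the user supplied, so an update that sets one property sends a body without the others; if the service treats PUT as a full replacement, fields such as `validUntil`, `revoked` or `threatIntelligenceTags` that were not repeated on the command line would be cleared rather than preserved. The usual aaz shape for an update is a GET of the instance, a merge of the arguments into it, and then the PUT (or a PATCH operation if the API offers one), so that callers are not required to resend every property. If a full replacement is the intended contract, the class docstring should say so, e.g. `"""Update a threat Intelligence indicator (full replacement: properties not supplied are cleared)."""`. Separately, the help strings for `--created` (`"Created by"`) and `--modified` (`"Modified by"`) describe an author rather than the `created`/`modified` timestamp fields they are mapped to in `content`, and should be reworded.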
@@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel threat-indicator metric", +) +class __CMDGroup(AAZCommandGroup): + """Manage threat intelligence indicator metric with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__init__.py new file mode 100644 index 00000000000..d63ae5a6fc9 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/__init__.py @@ -0,0 +1,12 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._list import * diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/_list.py new file mode 100644 index 00000000000..1ea5b331202 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/threat_indicator/metric/_list.py 
@@ -0,0 +1,206 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel threat-indicator metric list", +) +class List(AAZCommand): + """Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/threatintelligence/main/metrics", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + return cls._args_schema + + def _execute_operations(self): + self.ThreatIntelligenceIndicatorMetricsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class ThreatIntelligenceIndicatorMetricsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, 
**kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.properties = 
AAZObjectType() + + properties = cls._schema_on_200.value.Element.properties + properties.last_updated_time_utc = AAZStrType( + serialized_name="lastUpdatedTimeUtc", + ) + properties.pattern_type_metrics = AAZListType( + serialized_name="patternTypeMetrics", + ) + properties.source_metrics = AAZListType( + serialized_name="sourceMetrics", + ) + properties.threat_type_metrics = AAZListType( + serialized_name="threatTypeMetrics", + ) + + pattern_type_metrics = cls._schema_on_200.value.Element.properties.pattern_type_metrics + pattern_type_metrics.Element = AAZObjectType() + _build_schema_threat_intelligence_metric_entity_read(pattern_type_metrics.Element) + + source_metrics = cls._schema_on_200.value.Element.properties.source_metrics + source_metrics.Element = AAZObjectType() + _build_schema_threat_intelligence_metric_entity_read(source_metrics.Element) + + threat_type_metrics = cls._schema_on_200.value.Element.properties.threat_type_metrics + threat_type_metrics.Element = AAZObjectType() + _build_schema_threat_intelligence_metric_entity_read(threat_type_metrics.Element) + + return cls._schema_on_200 + + +_schema_threat_intelligence_metric_entity_read = None + + +def _build_schema_threat_intelligence_metric_entity_read(_schema): + global _schema_threat_intelligence_metric_entity_read + if _schema_threat_intelligence_metric_entity_read is not None: + _schema.metric_name = _schema_threat_intelligence_metric_entity_read.metric_name + _schema.metric_value = _schema_threat_intelligence_metric_entity_read.metric_value + return + + _schema_threat_intelligence_metric_entity_read = AAZObjectType() + + threat_intelligence_metric_entity_read = _schema_threat_intelligence_metric_entity_read + threat_intelligence_metric_entity_read.metric_name = AAZStrType( + serialized_name="metricName", + ) + threat_intelligence_metric_entity_read.metric_value = AAZIntType( + serialized_name="metricValue", + ) + + _schema.metric_name = _schema_threat_intelligence_metric_entity_read.metric_name 
+ _schema.metric_value = _schema_threat_intelligence_metric_entity_read.metric_value + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__cmd_group.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__cmd_group.py new file mode 100644 index 00000000000..293acf16c0b --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__cmd_group.py @@ -0,0 +1,23 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command_group( + "sentinel watchlist", +) +class __CMDGroup(AAZCommandGroup): + """Manage watchlist with sentinel. + """ + pass + + +__all__ = ["__CMDGroup"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__init__.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__init__.py new file mode 100644 index 00000000000..c401f439385 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/__init__.py @@ -0,0 +1,16 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from .__cmd_group import * +from ._create import * +from ._delete import * +from ._list import * +from ._show import * +from ._update import * 
diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_create.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_create.py new file mode 100644 index 00000000000..4aba24fbf0c --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_create.py 
@@ -0,0 +1,481 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel watchlist create", + is_experimental=True, +) +class Create(AAZCommand): + """Create a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with either rawContent or a valid SAR URI and contentType properties. The rawContent is mainly used for small watchlist (content size below 3.8 MB). The SAS URI enables the creation of large watchlist, where the content size can go up to 500 MB. The status of processing such large file can be polled through the URL returned in Azure-AsyncOperation header. 
+ """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.watchlist_alias = AAZStrArg( + options=["-n", "--name", "--watchlist-alias"], + help="Watchlist Alias", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.content_type = AAZStrArg( + options=["--content-type"], + arg_group="Properties", + help="The content type of the raw content. 
Example : text/csv or text/tsv ", + ) + _args_schema.created = AAZStrArg( + options=["--created"], + arg_group="Properties", + help="The time the watchlist was created", + ) + _args_schema.created_by = AAZObjectArg( + options=["--created-by"], + arg_group="Properties", + help="Describes a user that created the watchlist", + ) + cls._build_args_user_info_create(_args_schema.created_by) + _args_schema.default_duration = AAZStrArg( + options=["--default-duration"], + arg_group="Properties", + help="The default duration of a watchlist (in ISO 8601 duration format)", + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="A description of the watchlist", + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the watchlist", + ) + _args_schema.is_deleted = AAZBoolArg( + options=["--is-deleted"], + arg_group="Properties", + help="A flag that indicates if the watchlist is deleted or not", + ) + _args_schema.items_search_key = AAZStrArg( + options=["--items-search-key"], + arg_group="Properties", + help="The search key is used to optimize query performance when using watchlists for joins with other data. 
For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this watchlist", + ) + _args_schema.skip_num = AAZIntArg( + options=["--skip-num"], + arg_group="Properties", + help="The number of lines in a csv/tsv content to skip before the header", + ) + _args_schema.provider = AAZStrArg( + options=["--provider"], + arg_group="Properties", + help="The provider of the watchlist", + ) + _args_schema.raw_content = AAZStrArg( + options=["--raw-content"], + arg_group="Properties", + help="The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + ) + _args_schema.source = AAZStrArg( + options=["--source"], + arg_group="Properties", + help="The filename of the watchlist, called 'source'", + ) + _args_schema.source_type = AAZStrArg( + options=["--source-type"], + arg_group="Properties", + help="The sourceType of the watchlist", + enum={"Local file": "Local file", "Remote storage": "Remote storage"}, + ) + _args_schema.tenant_id = AAZStrArg( + options=["--tenant-id"], + arg_group="Properties", + help="The tenantId where the watchlist belongs to", + ) + _args_schema.updated = AAZStrArg( + options=["--updated"], + arg_group="Properties", + help="The last time the watchlist was updated", + ) + _args_schema.updated_by = AAZObjectArg( + options=["--updated-by"], + arg_group="Properties", + help="Describes a user that updated the watchlist", + ) + cls._build_args_user_info_create(_args_schema.updated_by) + _args_schema.upload_status = AAZStrArg( + options=["--upload-status"], + arg_group="Properties", + help="The status of the Watchlist upload : New, InProgress or Complete. 
Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + ) + _args_schema.watchlist_id = AAZStrArg( + options=["--watchlist-id"], + arg_group="Properties", + help="The id (a Guid) of the watchlist", + ) + _args_schema.watchlist_type = AAZStrArg( + options=["--watchlist-type"], + arg_group="Properties", + help="The type of the watchlist", + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + # define Arg Group "Watchlist" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Watchlist", + help="Etag of the azure resource", + ) + return cls._args_schema + + _args_user_info_create = None + + @classmethod + def _build_args_user_info_create(cls, _schema): + if cls._args_user_info_create is not None: + _schema.object_id = cls._args_user_info_create.object_id + return + + cls._args_user_info_create = AAZObjectArg() + + user_info_create = cls._args_user_info_create + user_info_create.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user.", + nullable=True, + ) + + _schema.object_id = cls._args_user_info_create.object_id + + def _execute_operations(self): + self.WatchlistsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class WatchlistsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "watchlistAlias", self.ctx.args.watchlist_alias, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + typ=AAZObjectType, + typ_kwargs={"flags": {"required": True, "client_flatten": True}} + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("contentType", AAZStrType, ".content_type") + properties.set_prop("created", AAZStrType, ".created") + _build_schema_user_info_create(properties.set_prop("createdBy", AAZObjectType, ".created_by")) + properties.set_prop("defaultDuration", AAZStrType, ".default_duration") + properties.set_prop("description", 
AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("isDeleted", AAZBoolType, ".is_deleted") + properties.set_prop("itemsSearchKey", AAZStrType, ".items_search_key", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("numberOfLinesToSkip", AAZIntType, ".skip_num") + properties.set_prop("provider", AAZStrType, ".provider", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("rawContent", AAZStrType, ".raw_content") + properties.set_prop("source", AAZStrType, ".source") + properties.set_prop("sourceType", AAZStrType, ".source_type") + properties.set_prop("tenantId", AAZStrType, ".tenant_id") + properties.set_prop("updated", AAZStrType, ".updated") + _build_schema_user_info_create(properties.set_prop("updatedBy", AAZObjectType, ".updated_by")) + properties.set_prop("uploadStatus", AAZStrType, ".upload_status") + properties.set_prop("watchlistAlias", AAZStrType, ".watchlist_alias") + properties.set_prop("watchlistId", AAZStrType, ".watchlist_id") + properties.set_prop("watchlistType", AAZStrType, ".watchlist_type") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + + _schema_on_200_201 = cls._schema_on_200_201 + _schema_on_200_201.etag = AAZStrType() + _schema_on_200_201.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200_201.name = AAZStrType( + flags={"read_only": True}, + ) + 
_schema_on_200_201.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200_201.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200_201.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200_201.properties + properties.content_type = AAZStrType( + serialized_name="contentType", + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.default_duration = AAZStrType( + serialized_name="defaultDuration", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.is_deleted = AAZBoolType( + serialized_name="isDeleted", + ) + properties.items_search_key = AAZStrType( + serialized_name="itemsSearchKey", + flags={"required": True}, + ) + properties.labels = AAZListType() + properties.number_of_lines_to_skip = AAZIntType( + serialized_name="numberOfLinesToSkip", + ) + properties.provider = AAZStrType( + flags={"required": True}, + ) + properties.raw_content = AAZStrType( + serialized_name="rawContent", + ) + properties.source = AAZStrType() + properties.source_type = AAZStrType( + serialized_name="sourceType", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + properties.upload_status = AAZStrType( + serialized_name="uploadStatus", + ) + properties.watchlist_alias = AAZStrType( + serialized_name="watchlistAlias", + ) + properties.watchlist_id = AAZStrType( + serialized_name="watchlistId", + ) + properties.watchlist_type = AAZStrType( + serialized_name="watchlistType", + ) + + labels = cls._schema_on_200_201.properties.labels + labels.Element = 
AAZStrType() + + system_data = cls._schema_on_200_201.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200_201 + + +def _build_schema_user_info_create(_builder): + if _builder is None: + return + _builder.set_prop("objectId", AAZStrType, ".object_id", typ_kwargs={"nullable": True}) + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Create"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_delete.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_delete.py new file mode 100644 index 00000000000..740686fa5cf --- /dev/null 
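Review bot: The `Create` class docstring promises creation from a SAS URI with progress polled through `Azure-AsyncOperation`, but nothing in the hunk implements that path: `_build_arguments_schema` defines no argument for an upload URI, the `content` property of `WatchlistsCreateOrUpdate` only maps `--raw-content` to `rawContent`, and `__call__` accepts only `[200, 201]`, so an asynchronous 202 would fall through to `on_error`. Either the generator config should expose the upload-URI property (if this api-version has one) together with async handling, or the docstring should be cut to the raw-content behavior the command actually supports; it also reads `SAR URI` where `SAS URI` is meant. Since `--raw-content` is the only content path, its help is the natural place for the size limit the docstring mentions, e.g. `help="The raw content that represents the watchlist items to create (csv/tsv content, intended for content below 3.8 MB)"`. The same `--raw-content`/docstring mismatch presumably recurs in the generated watchlist update command, which is outside this view.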
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_delete.py 
@@ -0,0 +1,134 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel watchlist delete", + is_experimental=True, + confirmation="Are you sure you want to perform this operation?", +) +class Delete(AAZCommand): + """Delete a watchlist. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return None + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.watchlist_alias = AAZStrArg( + options=["-n", "--name", "--watchlist-alias"], + help="Watchlist Alias", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.WatchlistsDelete(ctx=self.ctx)() + + class WatchlistsDelete(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + 
request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + if session.http_response.status_code in [204]: + return self.on_204(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}", + **self.url_parameters + ) + + @property + def method(self): + return "DELETE" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "watchlistAlias", self.ctx.args.watchlist_alias, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + def on_200(self, session): + pass + + def on_204(self, session): + pass + + +__all__ = ["Delete"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_list.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_list.py new file mode 100644 index 00000000000..2da7f24cc74 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_list.py 
@@ -0,0 +1,302 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel watchlist list", + is_experimental=True, +) +class List(AAZCommand): + """Get all watchlists, without watchlist items. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + return self.build_paging(self._execute_operations, self._output) + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + ) + _args_schema.skip_token = AAZStrArg( + options=["--skip-token"], + help="Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
Optional.", + ) + return cls._args_schema + + def _execute_operations(self): + self.WatchlistsList(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True) + next_link = self.deserialize_output(self.ctx.vars.instance.next_link) + return result, next_link + + class WatchlistsList(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "$skipToken", self.ctx.args.skip_token, + ), + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + 
data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.next_link = AAZStrType( + serialized_name="nextLink", + flags={"read_only": True}, + ) + _schema_on_200.value = AAZListType( + flags={"required": True}, + ) + + value = cls._schema_on_200.value + value.Element = AAZObjectType() + + _element = cls._schema_on_200.value.Element + _element.etag = AAZStrType() + _element.id = AAZStrType( + flags={"read_only": True}, + ) + _element.name = AAZStrType( + flags={"read_only": True}, + ) + _element.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _element.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _element.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.value.Element.properties + properties.content_type = AAZStrType( + serialized_name="contentType", + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.default_duration = AAZStrType( + serialized_name="defaultDuration", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.is_deleted = AAZBoolType( + serialized_name="isDeleted", + ) + properties.items_search_key = AAZStrType( + serialized_name="itemsSearchKey", + flags={"required": True}, + ) + properties.labels = AAZListType() + properties.number_of_lines_to_skip = AAZIntType( + serialized_name="numberOfLinesToSkip", + ) + properties.provider = AAZStrType( + flags={"required": True}, + ) + properties.raw_content = AAZStrType( + serialized_name="rawContent", + ) + properties.source = AAZStrType() + 
properties.source_type = AAZStrType( + serialized_name="sourceType", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + properties.upload_status = AAZStrType( + serialized_name="uploadStatus", + ) + properties.watchlist_alias = AAZStrType( + serialized_name="watchlistAlias", + ) + properties.watchlist_id = AAZStrType( + serialized_name="watchlistId", + ) + properties.watchlist_type = AAZStrType( + serialized_name="watchlistType", + ) + + labels = cls._schema_on_200.value.Element.properties.labels + labels.Element = AAZStrType() + + system_data = cls._schema_on_200.value.Element.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + 
flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["List"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_show.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_show.py new file mode 100644 index 00000000000..749052446f6 --- /dev/null +++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_show.py 
@@ -0,0 +1,294 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel watchlist show", + is_experimental=True, +) +class Show(AAZCommand): + """Get a watchlist, without its watchlist items. + """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}", "2022-06-01-preview"], + ] + } + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.watchlist_alias = AAZStrArg( + options=["-n", "--name", "--watchlist-alias"], + help="Watchlist Alias", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + return cls._args_schema + + def _execute_operations(self): + self.WatchlistsGet(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class 
WatchlistsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "watchlistAlias", self.ctx.args.watchlist_alias, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + + _schema_on_200 = cls._schema_on_200 + _schema_on_200.etag = 
AAZStrType() + _schema_on_200.id = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.name = AAZStrType( + flags={"read_only": True}, + ) + _schema_on_200.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + _schema_on_200.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + _schema_on_200.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = cls._schema_on_200.properties + properties.content_type = AAZStrType( + serialized_name="contentType", + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.default_duration = AAZStrType( + serialized_name="defaultDuration", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.is_deleted = AAZBoolType( + serialized_name="isDeleted", + ) + properties.items_search_key = AAZStrType( + serialized_name="itemsSearchKey", + flags={"required": True}, + ) + properties.labels = AAZListType() + properties.number_of_lines_to_skip = AAZIntType( + serialized_name="numberOfLinesToSkip", + ) + properties.provider = AAZStrType( + flags={"required": True}, + ) + properties.raw_content = AAZStrType( + serialized_name="rawContent", + ) + properties.source = AAZStrType() + properties.source_type = AAZStrType( + serialized_name="sourceType", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + properties.upload_status = AAZStrType( + serialized_name="uploadStatus", + ) + properties.watchlist_alias = AAZStrType( + serialized_name="watchlistAlias", + ) + properties.watchlist_id = AAZStrType( + serialized_name="watchlistId", + ) + 
properties.watchlist_type = AAZStrType( + serialized_name="watchlistType", + ) + + labels = cls._schema_on_200.properties.labels + labels.Element = AAZStrType() + + system_data = cls._schema_on_200.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + return cls._schema_on_200 + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +__all__ = ["Show"] diff --git a/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_update.py b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_update.py new file mode 100644 index 00000000000..8e8f9cf1ab4 --- /dev/null 
+++ b/src/securityinsight/azext_sentinel/aaz/latest/sentinel/watchlist/_update.py 
@@ -0,0 +1,639 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- + +# pylint: skip-file +# flake8: noqa + +from azure.cli.core.aaz import * + + +@register_command( + "sentinel watchlist update", + is_experimental=True, +) +class Update(AAZCommand): + """Update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with either rawContent or a valid SAR URI and contentType properties. The rawContent is mainly used for small watchlist (content size below 3.8 MB). The SAS URI enables the creation of large watchlist, where the content size can go up to 500 MB. The status of processing such large file can be polled through the URL returned in Azure-AsyncOperation header. 
+ """ + + _aaz_info = { + "version": "2022-06-01-preview", + "resources": [ + ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}", "2022-06-01-preview"], + ] + } + + AZ_SUPPORT_GENERIC_UPDATE = True + + def _handler(self, command_args): + super()._handler(command_args) + self._execute_operations() + return self._output() + + _args_schema = None + + @classmethod + def _build_arguments_schema(cls, *args, **kwargs): + if cls._args_schema is not None: + return cls._args_schema + cls._args_schema = super()._build_arguments_schema(*args, **kwargs) + + # define Arg Group "" + + _args_schema = cls._args_schema + _args_schema.resource_group = AAZResourceGroupNameArg( + required=True, + ) + _args_schema.watchlist_alias = AAZStrArg( + options=["-n", "--name", "--watchlist-alias"], + help="Watchlist Alias", + required=True, + id_part="child_name_1", + ) + _args_schema.workspace_name = AAZStrArg( + options=["-w", "--workspace-name"], + help="The name of the workspace.", + required=True, + is_experimental=True, + id_part="name", + ) + + # define Arg Group "Properties" + + _args_schema = cls._args_schema + _args_schema.content_type = AAZStrArg( + options=["--content-type"], + arg_group="Properties", + help="The content type of the raw content. 
Example : text/csv or text/tsv ", + nullable=True, + ) + _args_schema.created = AAZStrArg( + options=["--created"], + arg_group="Properties", + help="The time the watchlist was created", + nullable=True, + ) + _args_schema.created_by = AAZObjectArg( + options=["--created-by"], + arg_group="Properties", + help="Describes a user that created the watchlist", + nullable=True, + ) + cls._build_args_user_info_update(_args_schema.created_by) + _args_schema.default_duration = AAZStrArg( + options=["--default-duration"], + arg_group="Properties", + help="The default duration of a watchlist (in ISO 8601 duration format)", + nullable=True, + ) + _args_schema.description = AAZStrArg( + options=["--description"], + arg_group="Properties", + help="A description of the watchlist", + nullable=True, + ) + _args_schema.display_name = AAZStrArg( + options=["--display-name"], + arg_group="Properties", + help="The display name of the watchlist", + ) + _args_schema.is_deleted = AAZBoolArg( + options=["--is-deleted"], + arg_group="Properties", + help="A flag that indicates if the watchlist is deleted or not", + nullable=True, + ) + _args_schema.items_search_key = AAZStrArg( + options=["--items-search-key"], + arg_group="Properties", + help="The search key is used to optimize query performance when using watchlists for joins with other data. 
For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.", + ) + _args_schema.labels = AAZListArg( + options=["--labels"], + arg_group="Properties", + help="List of labels relevant to this watchlist", + nullable=True, + ) + _args_schema.skip_num = AAZIntArg( + options=["--skip-num"], + arg_group="Properties", + help="The number of lines in a csv/tsv content to skip before the header", + nullable=True, + ) + _args_schema.provider = AAZStrArg( + options=["--provider"], + arg_group="Properties", + help="The provider of the watchlist", + ) + _args_schema.raw_content = AAZStrArg( + options=["--raw-content"], + arg_group="Properties", + help="The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + nullable=True, + ) + _args_schema.source = AAZStrArg( + options=["--source"], + arg_group="Properties", + help="The filename of the watchlist, called 'source'", + nullable=True, + ) + _args_schema.source_type = AAZStrArg( + options=["--source-type"], + arg_group="Properties", + help="The sourceType of the watchlist", + nullable=True, + enum={"Local file": "Local file", "Remote storage": "Remote storage"}, + ) + _args_schema.tenant_id = AAZStrArg( + options=["--tenant-id"], + arg_group="Properties", + help="The tenantId where the watchlist belongs to", + nullable=True, + ) + _args_schema.updated = AAZStrArg( + options=["--updated"], + arg_group="Properties", + help="The last time the watchlist was updated", + nullable=True, + ) + _args_schema.updated_by = AAZObjectArg( + options=["--updated-by"], + arg_group="Properties", + help="Describes a user that updated the watchlist", + nullable=True, + ) + cls._build_args_user_info_update(_args_schema.updated_by) + _args_schema.upload_status = AAZStrArg( + options=["--upload-status"], + arg_group="Properties", + help="The 
status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + nullable=True, + ) + _args_schema.watchlist_id = AAZStrArg( + options=["--watchlist-id"], + arg_group="Properties", + help="The id (a Guid) of the watchlist", + nullable=True, + ) + _args_schema.watchlist_type = AAZStrArg( + options=["--watchlist-type"], + arg_group="Properties", + help="The type of the watchlist", + nullable=True, + ) + + labels = cls._args_schema.labels + labels.Element = AAZStrArg() + + # define Arg Group "Watchlist" + + _args_schema = cls._args_schema + _args_schema.etag = AAZStrArg( + options=["--etag"], + arg_group="Watchlist", + help="Etag of the azure resource", + nullable=True, + ) + return cls._args_schema + + _args_user_info_update = None + + @classmethod + def _build_args_user_info_update(cls, _schema): + if cls._args_user_info_update is not None: + _schema.object_id = cls._args_user_info_update.object_id + return + + cls._args_user_info_update = AAZObjectArg( + nullable=True, + ) + + user_info_update = cls._args_user_info_update + user_info_update.object_id = AAZStrArg( + options=["object-id"], + help="The object id of the user.", + nullable=True, + ) + + _schema.object_id = cls._args_user_info_update.object_id + + def _execute_operations(self): + self.WatchlistsGet(ctx=self.ctx)() + self.InstanceUpdateByJson(ctx=self.ctx)() + self.InstanceUpdateByGeneric(ctx=self.ctx)() + self.WatchlistsCreateOrUpdate(ctx=self.ctx)() + + def _output(self, *args, **kwargs): + result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) + return result + + class WatchlistsGet(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200]: + return self.on_200(session) + + return 
self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}", + **self.url_parameters + ) + + @property + def method(self): + return "GET" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "watchlistAlias", self.ctx.args.watchlist_alias, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + def on_200(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200 + ) + + _schema_on_200 = None + + @classmethod + def _build_schema_on_200(cls): + if cls._schema_on_200 is not None: + return cls._schema_on_200 + + cls._schema_on_200 = AAZObjectType() + _build_schema_watchlist_read(cls._schema_on_200) + + return cls._schema_on_200 + + class WatchlistsCreateOrUpdate(AAZHttpOperation): + CLIENT_TYPE = "MgmtClient" + + def __call__(self, *args, **kwargs): + request = self.make_request() + session = self.client.send_request(request=request, stream=False, **kwargs) + if session.http_response.status_code in [200, 201]: + return 
self.on_200_201(session) + + return self.on_error(session.http_response) + + @property + def url(self): + return self.client.format_url( + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}", + **self.url_parameters + ) + + @property + def method(self): + return "PUT" + + @property + def error_format(self): + return "ODataV4Format" + + @property + def url_parameters(self): + parameters = { + **self.serialize_url_param( + "resourceGroupName", self.ctx.args.resource_group, + required=True, + ), + **self.serialize_url_param( + "subscriptionId", self.ctx.subscription_id, + required=True, + ), + **self.serialize_url_param( + "watchlistAlias", self.ctx.args.watchlist_alias, + required=True, + ), + **self.serialize_url_param( + "workspaceName", self.ctx.args.workspace_name, + required=True, + ), + } + return parameters + + @property + def query_parameters(self): + parameters = { + **self.serialize_query_param( + "api-version", "2022-06-01-preview", + required=True, + ), + } + return parameters + + @property + def header_parameters(self): + parameters = { + **self.serialize_header_param( + "Content-Type", "application/json", + ), + **self.serialize_header_param( + "Accept", "application/json", + ), + } + return parameters + + @property + def content(self): + _content_value, _builder = self.new_content_builder( + self.ctx.args, + value=self.ctx.vars.instance, + ) + + return self.serialize_content(_content_value) + + def on_200_201(self, session): + data = self.deserialize_http_content(session) + self.ctx.set_var( + "instance", + data, + schema_builder=self._build_schema_on_200_201 + ) + + _schema_on_200_201 = None + + @classmethod + def _build_schema_on_200_201(cls): + if cls._schema_on_200_201 is not None: + return cls._schema_on_200_201 + + cls._schema_on_200_201 = AAZObjectType() + 
_build_schema_watchlist_read(cls._schema_on_200_201) + + return cls._schema_on_200_201 + + class InstanceUpdateByJson(AAZJsonInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance(self.ctx.vars.instance) + + def _update_instance(self, instance): + _instance_value, _builder = self.new_content_builder( + self.ctx.args, + value=instance, + typ=AAZObjectType + ) + _builder.set_prop("etag", AAZStrType, ".etag") + _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}}) + + properties = _builder.get(".properties") + if properties is not None: + properties.set_prop("contentType", AAZStrType, ".content_type") + properties.set_prop("created", AAZStrType, ".created") + _build_schema_user_info_update(properties.set_prop("createdBy", AAZObjectType, ".created_by")) + properties.set_prop("defaultDuration", AAZStrType, ".default_duration") + properties.set_prop("description", AAZStrType, ".description") + properties.set_prop("displayName", AAZStrType, ".display_name", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("isDeleted", AAZBoolType, ".is_deleted") + properties.set_prop("itemsSearchKey", AAZStrType, ".items_search_key", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("labels", AAZListType, ".labels") + properties.set_prop("numberOfLinesToSkip", AAZIntType, ".skip_num") + properties.set_prop("provider", AAZStrType, ".provider", typ_kwargs={"flags": {"required": True}}) + properties.set_prop("rawContent", AAZStrType, ".raw_content") + properties.set_prop("source", AAZStrType, ".source") + properties.set_prop("sourceType", AAZStrType, ".source_type") + properties.set_prop("tenantId", AAZStrType, ".tenant_id") + properties.set_prop("updated", AAZStrType, ".updated") + _build_schema_user_info_update(properties.set_prop("updatedBy", AAZObjectType, ".updated_by")) + properties.set_prop("uploadStatus", AAZStrType, ".upload_status") + properties.set_prop("watchlistAlias", 
AAZStrType, ".watchlist_alias") + properties.set_prop("watchlistId", AAZStrType, ".watchlist_id") + properties.set_prop("watchlistType", AAZStrType, ".watchlist_type") + + labels = _builder.get(".properties.labels") + if labels is not None: + labels.set_elements(AAZStrType, ".") + + return _instance_value + + class InstanceUpdateByGeneric(AAZGenericInstanceUpdateOperation): + + def __call__(self, *args, **kwargs): + self._update_instance_by_generic( + self.ctx.vars.instance, + self.ctx.generic_update_args + ) + + +def _build_schema_user_info_update(_builder): + if _builder is None: + return + _builder.set_prop("objectId", AAZStrType, ".object_id", typ_kwargs={"nullable": True}) + + +_schema_user_info_read = None + + +def _build_schema_user_info_read(_schema): + global _schema_user_info_read + if _schema_user_info_read is not None: + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + return + + _schema_user_info_read = AAZObjectType() + + user_info_read = _schema_user_info_read + user_info_read.email = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.name = AAZStrType( + flags={"read_only": True}, + ) + user_info_read.object_id = AAZStrType( + serialized_name="objectId", + nullable=True, + ) + + _schema.email = _schema_user_info_read.email + _schema.name = _schema_user_info_read.name + _schema.object_id = _schema_user_info_read.object_id + + +_schema_watchlist_read = None + + +def _build_schema_watchlist_read(_schema): + global _schema_watchlist_read + if _schema_watchlist_read is not None: + _schema.etag = _schema_watchlist_read.etag + _schema.id = _schema_watchlist_read.id + _schema.name = _schema_watchlist_read.name + _schema.properties = _schema_watchlist_read.properties + _schema.system_data = _schema_watchlist_read.system_data + _schema.type = _schema_watchlist_read.type + return + + _schema_watchlist_read = AAZObjectType() + + watchlist_read = 
_schema_watchlist_read + watchlist_read.etag = AAZStrType() + watchlist_read.id = AAZStrType( + flags={"read_only": True}, + ) + watchlist_read.name = AAZStrType( + flags={"read_only": True}, + ) + watchlist_read.properties = AAZObjectType( + flags={"client_flatten": True}, + ) + watchlist_read.system_data = AAZObjectType( + serialized_name="systemData", + flags={"read_only": True}, + ) + watchlist_read.type = AAZStrType( + flags={"read_only": True}, + ) + + properties = _schema_watchlist_read.properties + properties.content_type = AAZStrType( + serialized_name="contentType", + ) + properties.created = AAZStrType() + properties.created_by = AAZObjectType( + serialized_name="createdBy", + ) + _build_schema_user_info_read(properties.created_by) + properties.default_duration = AAZStrType( + serialized_name="defaultDuration", + ) + properties.description = AAZStrType() + properties.display_name = AAZStrType( + serialized_name="displayName", + flags={"required": True}, + ) + properties.is_deleted = AAZBoolType( + serialized_name="isDeleted", + ) + properties.items_search_key = AAZStrType( + serialized_name="itemsSearchKey", + flags={"required": True}, + ) + properties.labels = AAZListType() + properties.number_of_lines_to_skip = AAZIntType( + serialized_name="numberOfLinesToSkip", + ) + properties.provider = AAZStrType( + flags={"required": True}, + ) + properties.raw_content = AAZStrType( + serialized_name="rawContent", + ) + properties.source = AAZStrType() + properties.source_type = AAZStrType( + serialized_name="sourceType", + ) + properties.tenant_id = AAZStrType( + serialized_name="tenantId", + ) + properties.updated = AAZStrType() + properties.updated_by = AAZObjectType( + serialized_name="updatedBy", + ) + _build_schema_user_info_read(properties.updated_by) + properties.upload_status = AAZStrType( + serialized_name="uploadStatus", + ) + properties.watchlist_alias = AAZStrType( + serialized_name="watchlistAlias", + ) + properties.watchlist_id = AAZStrType( + 
serialized_name="watchlistId", + ) + properties.watchlist_type = AAZStrType( + serialized_name="watchlistType", + ) + + labels = _schema_watchlist_read.properties.labels + labels.Element = AAZStrType() + + system_data = _schema_watchlist_read.system_data + system_data.created_at = AAZStrType( + serialized_name="createdAt", + flags={"read_only": True}, + ) + system_data.created_by = AAZStrType( + serialized_name="createdBy", + flags={"read_only": True}, + ) + system_data.created_by_type = AAZStrType( + serialized_name="createdByType", + flags={"read_only": True}, + ) + system_data.last_modified_at = AAZStrType( + serialized_name="lastModifiedAt", + flags={"read_only": True}, + ) + system_data.last_modified_by = AAZStrType( + serialized_name="lastModifiedBy", + flags={"read_only": True}, + ) + system_data.last_modified_by_type = AAZStrType( + serialized_name="lastModifiedByType", + flags={"read_only": True}, + ) + + _schema.etag = _schema_watchlist_read.etag + _schema.id = _schema_watchlist_read.id + _schema.name = _schema_watchlist_read.name + _schema.properties = _schema_watchlist_read.properties + _schema.system_data = _schema_watchlist_read.system_data + _schema.type = _schema_watchlist_read.type + + +__all__ = ["Update"] diff --git a/src/securityinsight/azext_sentinel/action.py b/src/securityinsight/azext_sentinel/action.py deleted file mode 100644 index d95d53bf711..00000000000 --- a/src/securityinsight/azext_sentinel/action.py +++ /dev/null 
@@ -1,17 +0,0 @@
-# --------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
-#
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-# pylint: disable=wildcard-import
-# pylint: disable=unused-wildcard-import
-
-from .generated.action import * # noqa: F403
-try:
- from .manual.action import * # noqa: F403
-except ImportError:
- pass
diff --git a/src/securityinsight/azext_sentinel/azext_metadata.json b/src/securityinsight/azext_sentinel/azext_metadata.json
index 7b33e2426b0..cce7fd18ec3 100644
--- a/src/securityinsight/azext_sentinel/azext_metadata.json
+++ b/src/securityinsight/azext_sentinel/azext_metadata.json
@@ -1,3 +1,4 @@
 {
- "azext.minCliCoreVersion": "2.11.0"
+ "azext.isExperimental": true,
+ "azext.minCliCoreVersion": "2.37.0"
 }
\ No newline at end of file
diff --git a/src/securityinsight/azext_sentinel/commands.py b/src/securityinsight/azext_sentinel/commands.py
new file mode 100644
index 00000000000..b0d842e4993
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/commands.py
@@ -0,0 +1,15 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: disable=too-many-lines
+# pylint: disable=too-many-statements
+
+# from azure.cli.core.commands import CliCommandType
+
+
+def load_command_table(self, _): # pylint: disable=unused-argument
+ pass
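Review bot: The new `commands.py` keeps a commented-out import, `# from azure.cli.core.commands import CliCommandType`, plus two `pylint: disable` pragmas (`too-many-lines`, `too-many-statements`) that a 15-line stub does not need; `custom.py` in the next hunk carries the same two pragmas and a module-level `logger` it never uses. Commented-out code is better deleted and the import reinstated when `load_command_table` gets its first entry, and the pragmas added when a linter actually fires. With `load_command_table` reduced to `pass` and the old `generated/` registration removed in the later hunks, every `sentinel` command must now be registered elsewhere — presumably by the aaz-generated loader in the package `__init__` — so it is worth confirming that wiring is present in this commit rather than assumed.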
diff --git a/src/securityinsight/azext_sentinel/custom.py b/src/securityinsight/azext_sentinel/custom.py index dbe9d5f9742..86df1e48ef5 100644 --- a/src/securityinsight/azext_sentinel/custom.py +++ b/src/securityinsight/azext_sentinel/custom.py @@ -1,17 +1,14 @@ -# -------------------------------------------------------------------------- +# -------------------------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. +# Licensed under the MIT License. See License.txt in the project root for license information. # -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=wildcard-import -# pylint: disable=unused-wildcard-import +# Code generated by aaz-dev-tools +# -------------------------------------------------------------------------------------------- -from .generated.custom import * # noqa: F403 -try: - from .manual.custom import * # noqa: F403 -except ImportError: - pass +# pylint: disable=too-many-lines +# pylint: disable=too-many-statements + +from knack.log import get_logger + + +logger = get_logger(__name__) diff --git a/src/securityinsight/azext_sentinel/generated/__init__.py b/src/securityinsight/azext_sentinel/generated/__init__.py deleted file mode 100644 index c9cfdc73e77..00000000000 --- a/src/securityinsight/azext_sentinel/generated/__init__.py +++ /dev/null 
@@ -1,12 +0,0 @@
-# coding=utf-8
-# --------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
-#
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-
-__path__ = __import__('pkgutil').extend_path(__path__, __name__)
diff --git a/src/securityinsight/azext_sentinel/generated/_client_factory.py b/src/securityinsight/azext_sentinel/generated/_client_factory.py
deleted file mode 100644
index 6868ae4601c..00000000000
--- a/src/securityinsight/azext_sentinel/generated/_client_factory.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# --------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
-#
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-
-
-def cf_sentinel_cl(cli_ctx, *_):
- from azure.cli.core.commands.client_factory import get_mgmt_service_client
- from ..vendored_sdks.securityinsight import SecurityInsights
- return get_mgmt_service_client(cli_ctx,
- SecurityInsights)
-
-
-def cf_alert_rule(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).alert_rule
-
-
-def cf_action(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).action
-
-
-def cf_alert_rule_template(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).alert_rule_template
-
-
-def cf_bookmark(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).bookmark
-
-
-def cf_data_connector(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).data_connector
-
-
-def cf_incident(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).incident
-
-
-def cf_incident_comment(cli_ctx, *_):
- return cf_sentinel_cl(cli_ctx).incident_comment
diff --git a/src/securityinsight/azext_sentinel/generated/_help.py b/src/securityinsight/azext_sentinel/generated/_help.py
deleted file mode 100644
index 9a401f619f3..00000000000
--- a/src/securityinsight/azext_sentinel/generated/_help.py
+++ /dev/null
@@ -1,637 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=too-many-lines - -from knack.help_files import helps - - -helps['sentinel alert-rule'] = """ - type: group - short-summary: sentinel alert-rule -""" - -helps['sentinel alert-rule list'] = """ - type: command - short-summary: "Gets all alert rules." - examples: - - name: Get all alert rules. - text: |- - az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule show'] = """ - type: command - short-summary: "Gets the alert rule." - examples: - - name: Get an alert rule. - text: |- - az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name \ -"myWorkspace" -""" - -helps['sentinel alert-rule create'] = """ - type: command - short-summary: "Creates or updates the action of alert rule. And Create the alert rule." - parameters: - - name: --fusion-alert-rule - short-summary: "Represents Fusion alert rule." - long-summary: | - Usage: --fusion-alert-rule alert-rule-template-name=XX enabled=XX kind=XX etag=XX - - alert-rule-template-name: The Name of the alert rule template used to create this rule. - enabled: Determines whether this alert rule is enabled or disabled. - kind: Required. The alert rule kind - etag: Etag of the azure resource - - name: --microsoft-security-incident-creation-alert-rule - short-summary: "Represents MicrosoftSecurityIncidentCreation rule." 
- long-summary: | - Usage: --microsoft-security-incident-creation-alert-rule display-names-filter=XX \ -display-names-exclude-filter=XX product-filter=XX severities-filter=XX alert-rule-template-name=XX description=XX \ -display-name=XX enabled=XX kind=XX etag=XX - - display-names-filter: the alerts' displayNames on which the cases will be generated - display-names-exclude-filter: the alerts' displayNames on which the cases will not be generated - product-filter: The alerts' productName on which the cases will be generated - severities-filter: the alerts' severities on which the cases will be generated - alert-rule-template-name: The Name of the alert rule template used to create this rule. - description: The description of the alert rule. - display-name: The display name for alerts created by this alert rule. - enabled: Determines whether this alert rule is enabled or disabled. - kind: Required. The alert rule kind - etag: Etag of the azure resource - - name: --scheduled-alert-rule - short-summary: "Represents scheduled alert rule." - long-summary: | - Usage: --scheduled-alert-rule query=XX query-frequency=XX query-period=XX severity=XX trigger-operator=XX \ -trigger-threshold=XX alert-rule-template-name=XX description=XX display-name=XX enabled=XX suppression-duration=XX \ -suppression-enabled=XX tactics=XX kind=XX etag=XX - - query: The query that creates alerts for this rule. - query-frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - query-period: The period (in ISO 8601 duration format) that this alert rule looks at. - severity: The severity for alerts created by this alert rule. - trigger-operator: The operation against the threshold that triggers alert rule. - trigger-threshold: The threshold triggers this alert rule. - alert-rule-template-name: The Name of the alert rule template used to create this rule. - description: The description of the alert rule. 
- display-name: The display name for alerts created by this alert rule. - enabled: Determines whether this alert rule is enabled or disabled. - suppression-duration: The suppression (in ISO 8601 duration format) to wait since last time this alert \ -rule been triggered. - suppression-enabled: Determines whether the suppression for this alert rule is enabled or disabled. - tactics: The tactics of the alert rule - kind: Required. The alert rule kind - etag: Etag of the azure resource - examples: - - name: Creates or updates an action of alert rule. - text: |- - az sentinel alert-rule create --etag "{etag}" \ ---logic-app-resource-id "/subscriptions/{subs}/resourceGroups/myRg/providers/Microsoft.Lo\ -gic/workflows/MyAlerts" --trigger-uri "https://xxx.northcentralus.logic.azure.com:443/workflows/xxx/triggers/\ -manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" \ ---action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" - - name: Creates or updates a Fusion alert rule. - text: |- - az sentinel alert-rule create --fusion-alert-rule etag="{etag}" \ -alert-rule-template-name="{name}" enabled=true --resource-group "myRg" --rule-id \ -"myFirstFusionRule" --workspace-name "myWorkspace" - - name: Creates or updates a MicrosoftSecurityIncidentCreation rule. - text: |- - az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule \ -etag="{etag}" product-filter="Microsoft Cloud App Security" display-name="testing \ -displayname" enabled=true --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \ ---workspace-name "myWorkspace" - - name: Creates or updates a Scheduled alert rule. 
- text: |- - az sentinel alert-rule create --scheduled-alert-rule etag="{etag}" \ -query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" \ -query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 \ -description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false \ -tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "{rule-id}" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule update'] = """ - type: command - short-summary: "Update the alert rule." - parameters: - - name: --fusion-alert-rule - short-summary: "Represents Fusion alert rule." - long-summary: | - Usage: --fusion-alert-rule alert-rule-template-name=XX enabled=XX kind=XX etag=XX - - alert-rule-template-name: The Name of the alert rule template used to create this rule. - enabled: Determines whether this alert rule is enabled or disabled. - kind: Required. The alert rule kind - etag: Etag of the azure resource - - name: --microsoft-security-incident-creation-alert-rule - short-summary: "Represents MicrosoftSecurityIncidentCreation rule." - long-summary: | - Usage: --microsoft-security-incident-creation-alert-rule display-names-filter=XX \ -display-names-exclude-filter=XX product-filter=XX severities-filter=XX alert-rule-template-name=XX description=XX \ -display-name=XX enabled=XX kind=XX etag=XX - - display-names-filter: the alerts' displayNames on which the cases will be generated - display-names-exclude-filter: the alerts' displayNames on which the cases will not be generated - product-filter: The alerts' productName on which the cases will be generated - severities-filter: the alerts' severities on which the cases will be generated - alert-rule-template-name: The Name of the alert rule template used to create this rule. - description: The description of the alert rule. 
- display-name: The display name for alerts created by this alert rule. - enabled: Determines whether this alert rule is enabled or disabled. - kind: Required. The alert rule kind - etag: Etag of the azure resource - - name: --scheduled-alert-rule - short-summary: "Represents scheduled alert rule." - long-summary: | - Usage: --scheduled-alert-rule query=XX query-frequency=XX query-period=XX severity=XX trigger-operator=XX \ -trigger-threshold=XX alert-rule-template-name=XX description=XX display-name=XX enabled=XX suppression-duration=XX \ -suppression-enabled=XX tactics=XX kind=XX etag=XX - - query: The query that creates alerts for this rule. - query-frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - query-period: The period (in ISO 8601 duration format) that this alert rule looks at. - severity: The severity for alerts created by this alert rule. - trigger-operator: The operation against the threshold that triggers alert rule. - trigger-threshold: The threshold triggers this alert rule. - alert-rule-template-name: The Name of the alert rule template used to create this rule. - description: The description of the alert rule. - display-name: The display name for alerts created by this alert rule. - enabled: Determines whether this alert rule is enabled or disabled. - suppression-duration: The suppression (in ISO 8601 duration format) to wait since last time this alert \ -rule been triggered. - suppression-enabled: Determines whether the suppression for this alert rule is enabled or disabled. - tactics: The tactics of the alert rule - kind: Required. The alert rule kind - etag: Etag of the azure resource -""" - -helps['sentinel alert-rule delete'] = """ - type: command - short-summary: "Delete the action of alert rule. And Delete the alert rule." - examples: - - name: Delete an action of alert rule. 
- text: |- - az sentinel alert-rule delete --action-id "{action-id}" --resource-group \ -"myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" - - name: Delete an alert rule. - text: |- - az sentinel alert-rule delete --resource-group "myRg" --rule-id "{rule-id}" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule get-action'] = """ - type: command - short-summary: "Gets the action of alert rule." - examples: - - name: Get an action of alert rule. - text: |- - az sentinel alert-rule get-action --action-id "{action-id}" --resource-group \ -"myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" -""" - -helps['sentinel action'] = """ - type: group - short-summary: sentinel action -""" - -helps['sentinel action list'] = """ - type: command - short-summary: "Gets all actions of alert rule." - examples: - - name: Get all actions of alert rule. - text: |- - az sentinel action list --resource-group "myRg" --rule-id "{rule-id}" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule-template'] = """ - type: group - short-summary: sentinel alert-rule-template -""" - -helps['sentinel alert-rule-template list'] = """ - type: command - short-summary: "Gets all alert rule templates." - examples: - - name: Get all alert rule templates. - text: |- - az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule-template show'] = """ - type: command - short-summary: "Gets the alert rule template." - examples: - - name: Get alert rule template by Id. - text: |- - az sentinel alert-rule-template show --alert-rule-template-id "{id}" \ ---resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark'] = """ - type: group - short-summary: sentinel bookmark -""" - -helps['sentinel bookmark list'] = """ - type: command - short-summary: "Gets all bookmarks." - examples: - - name: Get all bookmarks. 
- text: |- - az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark show'] = """ - type: command - short-summary: "Gets a bookmark." - examples: - - name: Get a bookmark. - text: |- - az sentinel bookmark show --bookmark-id "{id}" --resource-group "myRg" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel bookmark create'] = """ - type: command - short-summary: "Create the bookmark." - parameters: - - name: --incident-info - short-summary: "Describes an incident that relates to bookmark" - long-summary: | - Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX - - incident-id: Required. Incident Id - severity: Required. The severity of the incident - title: Required. The title of the incident - relation-name: Required. Relation Name - examples: - - name: Creates or updates a bookmark. - text: |- - az sentinel bookmark create --etag "{etag}" --created \ -"2019-01-01T13:15:30Z" --display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious \ -activity" -q "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security \ -Event query result" --updated "2019-01-01T13:15:30Z" --bookmark-id "{id}" \ ---resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark update'] = """ - type: command - short-summary: "Update the bookmark." - parameters: - - name: --incident-info - short-summary: "Describes an incident that relates to bookmark" - long-summary: | - Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX - - incident-id: Required. Incident Id - severity: Required. The severity of the incident - title: Required. The title of the incident - relation-name: Required. Relation Name -""" - -helps['sentinel bookmark delete'] = """ - type: command - short-summary: "Delete the bookmark." - examples: - - name: Delete a bookmark. 
- text: |- - az sentinel bookmark delete --bookmark-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector'] = """ - type: group - short-summary: sentinel data-connector -""" - -helps['sentinel data-connector list'] = """ - type: command - short-summary: "Gets all data connectors." - examples: - - name: Get all data connectors. - text: |- - az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector show'] = """ - type: command - short-summary: "Gets a data connector." - examples: - - name: Get a data connector. - text: |- - az sentinel data-connector show --data-connector-id "{id}" --resource-group "myRg" \ - --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector create'] = """ - type: command - short-summary: "Create the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents ASC (Azure Security Center) data connector." - long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. 
- state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." - long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." - long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. 
- state-data-types-share-point-state: Describe whether this data type connection is enabled or not. - state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - examples: - - name: Creates or updates an Office365 data connector. - text: |- - az sentinel data-connector create --office-data-connector etag="{etag}" \ - tenant-id="{tenant-id}" --data-connector-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector update'] = """ - type: command - short-summary: "Update the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents ASC (Azure Security Center) data connector." 
- long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." - long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." 
- long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-share-point-state: Describe whether this data type connection is enabled or not. - state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource -""" - -helps['sentinel data-connector delete'] = """ - type: command - short-summary: "Delete the data connector." - examples: - - name: Delete a data connector. - text: |- - az sentinel data-connector delete --data-connector-id "{id}" --resource-group "myRg" \ - --workspace-name "myWorkspace" -""" - -helps['sentinel incident'] = """ - type: group - short-summary: sentinel incident -""" - -helps['sentinel incident list'] = """ - type: command - short-summary: "Gets all incidents." - examples: - - name: Get all incidents. - text: |- - az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel incident show'] = """ - type: command - short-summary: "Gets an incident." - examples: - - name: Get an incident. - text: |- - az sentinel incident show --incident-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident create'] = """ - type: command - short-summary: "Create the incident." 
- parameters: - - name: --labels - short-summary: "List of labels relevant to this incident" - long-summary: | - Usage: --labels label-name=XX - - label-name: Required. The name of the label - - Multiple actions can be specified by using more than one --labels argument. - - name: --owner - short-summary: "Describes a user that the incident is assigned to" - long-summary: | - Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX - - email: The email of the user the incident is assigned to. - assigned-to: The name of the user the incident is assigned to. - object-id: The object id of the user the incident is assigned to. - user-principal-name: The user principal name of the user the incident is assigned to. - examples: - - name: Creates or updates an incident. - text: |- - az sentinel incident create --etag "{etag}" --description "This is \ -a demo incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" \ ---classification-reason "IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" \ ---last-activity-time-utc "2019-01-01T13:05:30Z" --owner object-id="{oid}" --severity \ -"High" --status "Closed" --title "My incident" --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident update'] = """ - type: command - short-summary: "Update the incident." - parameters: - - name: --labels - short-summary: "List of labels relevant to this incident" - long-summary: | - Usage: --labels label-name=XX - - label-name: Required. The name of the label - - Multiple actions can be specified by using more than one --labels argument. - - name: --owner - short-summary: "Describes a user that the incident is assigned to" - long-summary: | - Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX - - email: The email of the user the incident is assigned to. - assigned-to: The name of the user the incident is assigned to. 
- object-id: The object id of the user the incident is assigned to. - user-principal-name: The user principal name of the user the incident is assigned to. -""" - -helps['sentinel incident delete'] = """ - type: command - short-summary: "Delete the incident." - examples: - - name: Delete an incident. - text: |- - az sentinel incident delete --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident-comment'] = """ - type: group - short-summary: sentinel incident-comment -""" - -helps['sentinel incident-comment list'] = """ - type: command - short-summary: "Gets all incident comments." - examples: - - name: Get all incident comments. - text: |- - az sentinel incident-comment list --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident-comment show'] = """ - type: command - short-summary: "Gets an incident comment." - examples: - - name: Get an incident comment. - text: |- - az sentinel incident-comment show --incident-comment-id "{comment-id}" \ ---incident-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident-comment create'] = """ - type: command - short-summary: "Creates the incident comment." - examples: - - name: Creates an incident comment. - text: |- - az sentinel incident-comment create --message "Some message" --incident-comment-id \ -"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "{id}" --resource-group "myRg" \ ---workspace-name "myWorkspace" -""" diff --git a/src/securityinsight/azext_sentinel/generated/_params.py b/src/securityinsight/azext_sentinel/generated/_params.py deleted file mode 100644 index 8cf66c08483..00000000000 --- a/src/securityinsight/azext_sentinel/generated/_params.py +++ /dev/null 
@@ -1,293 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=too-many-lines -# pylint: disable=too-many-statements - -from azure.cli.core.commands.parameters import ( - get_enum_type, - resource_group_name_type -) -from azext_sentinel.action import ( - AddFusionAlertRule, - AddMicrosoftSecurityIncidentCreationAlertRule, - AddScheduledAlertRule, - AddIncidentInfo, - AddAadDataConnector, - AddAatpDataConnector, - AddAscDataConnector, - AddAwsCloudTrailDataConnector, - AddMcasDataConnector, - AddMdatpDataConnector, - AddOfficeDataConnector, - AddTiDataConnector, - AddLabels, - AddOwner -) - - -def load_arguments(self, _): - - with self.argument_context('sentinel alert-rule list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - - with self.argument_context('sentinel alert-rule show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - - with self.argument_context('sentinel alert-rule create') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('rule_id', type=str, help='Alert rule ID') - c.argument('action_id', type=str, help='Action ID') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('logic_app_resource_id', 
type=str, help='Logic App Resource Id, /subscriptions/{my-subscription}/res' - 'ourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.') - c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow.') - c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.', - arg_group='AlertRule') - c.argument('microsoft_security_incident_creation_alert_rule', - action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents ' - 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') - c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert ' - 'rule.', arg_group='AlertRule') - - with self.argument_context('sentinel alert-rule update') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.', - arg_group='AlertRule') - c.argument('microsoft_security_incident_creation_alert_rule', - action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents ' - 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') - c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert ' - 'rule.', arg_group='AlertRule') - - with self.argument_context('sentinel alert-rule delete') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') - - with self.argument_context('sentinel alert-rule 
get-action') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') - - with self.argument_context('sentinel action list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('rule_id', type=str, help='Alert rule ID') - - with self.argument_context('sentinel alert-rule-template list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - - with self.argument_context('sentinel alert-rule-template show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('alert_rule_template_id', type=str, help='Alert rule template ID', id_part='child_name_1') - - with self.argument_context('sentinel bookmark list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - - with self.argument_context('sentinel bookmark show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') - - with self.argument_context('sentinel bookmark create') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('bookmark_id', type=str, help='Bookmark ID') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('created', help='The time the 
bookmark was created') - c.argument('display_name', type=str, help='The display name of the bookmark') - c.argument('labels', nargs='*', help='List of labels relevant to this bookmark') - c.argument('notes', type=str, help='The notes of the bookmark') - c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.') - c.argument('query_result', type=str, help='The query result of the bookmark.') - c.argument('updated', help='The last time the bookmark was updated') - c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to ' - 'bookmark') - c.argument('updated_by_object_id', help='The object id of the user.') - - with self.argument_context('sentinel bookmark update') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('created', help='The time the bookmark was created') - c.argument('display_name', type=str, help='The display name of the bookmark') - c.argument('labels', nargs='*', help='List of labels relevant to this bookmark') - c.argument('notes', type=str, help='The notes of the bookmark') - c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.') - c.argument('query_result', type=str, help='The query result of the bookmark.') - c.argument('updated', help='The last time the bookmark was updated') - c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to ' - 'bookmark') - c.argument('updated_by_object_id', help='The object id of the user.') - - with self.argument_context('sentinel bookmark delete') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the 
workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') - - with self.argument_context('sentinel data-connector list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - - with self.argument_context('sentinel data-connector show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') - - with self.argument_context('sentinel data-connector create') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('data_connector_id', type=str, help='Connector ID') - c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active ' - 'Directory) data connector.', arg_group='DataConnector') - c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure ' - 'Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security ' - 'Center) data connector.', arg_group='DataConnector') - c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents ' - 'Amazon Web Services CloudTrail data connector.', arg_group='DataConnector') - c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft ' - 'Cloud App Security) data connector.', arg_group='DataConnector') - c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft ' - 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector') - 
c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data ' - 'connector.', arg_group='DataConnector') - c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence ' - 'data connector.', arg_group='DataConnector') - - with self.argument_context('sentinel data-connector update') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') - c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active ' - 'Directory) data connector.', arg_group='DataConnector') - c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure ' - 'Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security ' - 'Center) data connector.', arg_group='DataConnector') - c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents ' - 'Amazon Web Services CloudTrail data connector.', arg_group='DataConnector') - c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft ' - 'Cloud App Security) data connector.', arg_group='DataConnector') - c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft ' - 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data ' - 'connector.', arg_group='DataConnector') - c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence ' - 'data 
connector.', arg_group='DataConnector') - - with self.argument_context('sentinel data-connector delete') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') - - with self.argument_context('sentinel incident list') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' - 'condition. Optional.') - c.argument('orderby', type=str, help='Sorts the results. Optional.') - c.argument('top', type=int, help='Returns only the first n results. Optional.') - c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' - 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' - 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
' - 'Optional.') - - with self.argument_context('sentinel incident show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - - with self.argument_context('sentinel incident create') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', '' - 'FalsePositive']), help='The reason the incident was ' - 'closed') - c.argument('classification_comment', type=str, help='Describes the reason the incident was closed') - c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', '' - 'IncorrectAlertLogic', 'InaccurateData']), help='' - 'The classification reason the incident was closed with') - c.argument('description', type=str, help='The description of the incident') - c.argument('first_activity_time_utc', help='The time of the first activity in the incident') - c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident') - c.argument('last_activity_time_utc', help='The time of the last activity in the incident') - c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to') - c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' - 'of the incident') - c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') - c.argument('title', type=str, help='The title of the incident') - - with self.argument_context('sentinel incident update') as c: 
- c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', '' - 'FalsePositive']), help='The reason the incident was ' - 'closed') - c.argument('classification_comment', type=str, help='Describes the reason the incident was closed') - c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', '' - 'IncorrectAlertLogic', 'InaccurateData']), help='' - 'The classification reason the incident was closed with') - c.argument('description', type=str, help='The description of the incident') - c.argument('first_activity_time_utc', help='The time of the first activity in the incident') - c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident') - c.argument('last_activity_time_utc', help='The time of the last activity in the incident') - c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to') - c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' - 'of the incident') - c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') - c.argument('title', type=str, help='The title of the incident') - - with self.argument_context('sentinel incident delete') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - - with self.argument_context('sentinel incident-comment list') as c: - 
c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') - c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' - 'condition. Optional.') - c.argument('orderby', type=str, help='Sorts the results. Optional.') - c.argument('top', type=int, help='Returns only the first n results. Optional.') - c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' - 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' - 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. ' - 'Optional.') - - with self.argument_context('sentinel incident-comment show') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - c.argument('incident_comment_id', type=str, help='Incident comment ID', id_part='child_name_2') - - with self.argument_context('sentinel incident-comment create') as c: - c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') - c.argument('incident_comment_id', type=str, help='Incident comment ID') - c.argument('message', type=str, help='The comment message') diff --git a/src/securityinsight/azext_sentinel/generated/action.py b/src/securityinsight/azext_sentinel/generated/action.py deleted file mode 100644 index 6fa9f30cb9b..00000000000 --- a/src/securityinsight/azext_sentinel/generated/action.py +++ /dev/null 
@@ -1,433 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=protected-access - -import argparse -from collections import defaultdict -from knack.util import CLIError - - -class AddFusionAlertRule(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.fusion_alert_rule = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'enabled': - d['enabled'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'Fusion' - return d - - -class AddMicrosoftSecurityIncidentCreationAlertRule(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.microsoft_security_incident_creation_alert_rule = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = 
{} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'display-names-filter': - d['display_names_filter'] = v - elif kl == 'display-names-exclude-filter': - d['display_names_exclude_filter'] = v - elif kl == 'product-filter': - d['product_filter'] = v[0] - elif kl == 'severities-filter': - d['severities_filter'] = v - elif kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'description': - d['description'] = v[0] - elif kl == 'display-name': - d['display_name'] = v[0] - elif kl == 'enabled': - d['enabled'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'MicrosoftSecurityIncidentCreation' - return d - - -class AddScheduledAlertRule(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.scheduled_alert_rule = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'query': - d['query'] = v[0] - elif kl == 'query-frequency': - d['query_frequency'] = v[0] - elif kl == 'query-period': - d['query_period'] = v[0] - elif kl == 'severity': - d['severity'] = v[0] - elif kl == 'trigger-operator': - d['trigger_operator'] = v[0] - elif kl == 'trigger-threshold': - d['trigger_threshold'] = v[0] - elif kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'description': - d['description'] = v[0] - elif kl == 'display-name': - d['display_name'] = v[0] - elif kl == 'enabled': - d['enabled'] = v[0] - elif kl == 'suppression-duration': - d['suppression_duration'] = v[0] - elif kl == 'suppression-enabled': - d['suppression_enabled'] = v[0] - elif 
kl == 'tactics': - d['tactics'] = v - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'Scheduled' - return d - - -class AddIncidentInfo(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.incident_info = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'incident-id': - d['incident_id'] = v[0] - elif kl == 'severity': - d['severity'] = v[0] - elif kl == 'title': - d['title'] = v[0] - elif kl == 'relation-name': - d['relation_name'] = v[0] - return d - - -class AddAadDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.aad_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureActiveDirectory' - return d - - -class AddAatpDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.aatp_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - 
properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureAdvancedThreatProtection' - return d - - -class AddAscDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.asc_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'subscription-id': - d['subscription_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureSecurityCenter' - return d - - -class AddAwsCloudTrailDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.aws_cloud_trail_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'aws-role-arn': - d['aws_role_arn'] = v[0] - elif kl == 'state': - d['state'] = v[0] - 
elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AmazonWebServicesCloudTrail' - return d - - -class AddMcasDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.mcas_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state-data-types-alerts-state': - d['state_data_types_alerts_state'] = v[0] - elif kl == 'state-data-types-discovery-logs-state': - d['state_data_types_discovery_logs_state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'MicrosoftCloudAppSecurity' - return d - - -class AddMdatpDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.mdatp_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'MicrosoftDefenderAdvancedThreatProtection' - return d - - -class AddOfficeDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, 
option_string) - namespace.office_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = { - 'dataTypes': { - 'sharePoint': {'state': 'Disabled'}, - 'exchange': {'state': 'Disabled'} - } - } - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenantId'] = v[0] - elif kl == 'sharepoint-enabled': - d['dataTypes']['sharePoint']['state'] = 'Enabled' - elif kl == 'exchange-enabled': - d['dataTypes']['exchange']['state'] = 'Enabled' - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'Office365' - print(d) - return d - - -class AddTiDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.ti_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'ThreatIntelligence' - return d - - -class AddLabels(argparse._AppendAction): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - super(AddLabels, self).__call__(parser, namespace, action, option_string) - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, 
v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'label-name': - d['label_name'] = v[0] - return d - - -class AddOwner(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.owner = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'email': - d['email'] = v[0] - elif kl == 'assigned-to': - d['assigned_to'] = v[0] - elif kl == 'object-id': - d['object_id'] = v[0] - elif kl == 'user-principal-name': - d['user_principal_name'] = v[0] - return d diff --git a/src/securityinsight/azext_sentinel/generated/commands.py b/src/securityinsight/azext_sentinel/generated/commands.py deleted file mode 100644 index f8dac3f83d6..00000000000 --- a/src/securityinsight/azext_sentinel/generated/commands.py +++ /dev/null 
@@ -1,100 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=too-many-statements -# pylint: disable=too-many-locals - -from azure.cli.core.commands import CliCommandType - - -def load_command_table(self, _): - - from azext_sentinel.generated._client_factory import cf_alert_rule - sentinel_alert_rule = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_operations#AlertRuleOperat' - 'ions.{}', - client_factory=cf_alert_rule) - with self.command_group('sentinel alert-rule', sentinel_alert_rule, client_factory=cf_alert_rule, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_alert_rule_list') - g.custom_show_command('show', 'sentinel_alert_rule_show') - g.custom_command('create', 'sentinel_alert_rule_create') - g.generic_update_command('update', setter_arg_name='alert_rule', - custom_func_name='sentinel_alert_rule_update') - g.custom_command('delete', 'sentinel_alert_rule_delete', confirmation=True) - g.custom_command('get-action', 'sentinel_alert_rule_get_action') - - from azext_sentinel.generated._client_factory import cf_action - sentinel_action = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._action_operations#ActionOperations.{}' - '', - client_factory=cf_action) - with self.command_group('sentinel action', sentinel_action, client_factory=cf_action, is_experimental=True) as g: - g.custom_command('list', 'sentinel_action_list') - - from azext_sentinel.generated._client_factory import cf_alert_rule_template - 
sentinel_alert_rule_template = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_template_operations#AlertR' - 'uleTemplateOperations.{}', - client_factory=cf_alert_rule_template) - with self.command_group('sentinel alert-rule-template', sentinel_alert_rule_template, - client_factory=cf_alert_rule_template, is_experimental=True) as g: - g.custom_command('list', 'sentinel_alert_rule_template_list') - g.custom_show_command('show', 'sentinel_alert_rule_template_show') - - from azext_sentinel.generated._client_factory import cf_bookmark - sentinel_bookmark = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._bookmark_operations#BookmarkOperation' - 's.{}', - client_factory=cf_bookmark) - with self.command_group('sentinel bookmark', sentinel_bookmark, client_factory=cf_bookmark, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_bookmark_list') - g.custom_show_command('show', 'sentinel_bookmark_show') - g.custom_command('create', 'sentinel_bookmark_create') - g.custom_command('update', 'sentinel_bookmark_update') - g.custom_command('delete', 'sentinel_bookmark_delete', confirmation=True) - - from azext_sentinel.generated._client_factory import cf_data_connector - sentinel_data_connector = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._data_connector_operations#DataConnect' - 'orOperations.{}', - client_factory=cf_data_connector) - with self.command_group('sentinel data-connector', sentinel_data_connector, client_factory=cf_data_connector, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_data_connector_list') - g.custom_show_command('show', 'sentinel_data_connector_show') - g.custom_command('create', 'sentinel_data_connector_create') - g.generic_update_command('update', setter_arg_name='data_connector', custom_func_name='' - 'sentinel_data_connector_update') - g.custom_command('delete', 
'sentinel_data_connector_delete', confirmation=True) - - from azext_sentinel.generated._client_factory import cf_incident - sentinel_incident = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_operations#IncidentOperation' - 's.{}', - client_factory=cf_incident) - with self.command_group('sentinel incident', sentinel_incident, client_factory=cf_incident, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_incident_list') - g.custom_show_command('show', 'sentinel_incident_show') - g.custom_command('create', 'sentinel_incident_create') - g.custom_command('update', 'sentinel_incident_update') - g.custom_command('delete', 'sentinel_incident_delete', confirmation=True) - - from azext_sentinel.generated._client_factory import cf_incident_comment - sentinel_incident_comment = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_comment_operations#IncidentC' - 'ommentOperations.{}', - client_factory=cf_incident_comment) - with self.command_group('sentinel incident-comment', sentinel_incident_comment, client_factory=cf_incident_comment, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_incident_comment_list') - g.custom_show_command('show', 'sentinel_incident_comment_show') - g.custom_command('create', 'sentinel_incident_comment_create') diff --git a/src/securityinsight/azext_sentinel/generated/custom.py b/src/securityinsight/azext_sentinel/generated/custom.py deleted file mode 100644 index f0bd94de342..00000000000 --- a/src/securityinsight/azext_sentinel/generated/custom.py +++ /dev/null 
@@ -1,433 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- -# pylint: disable=too-many-lines -# pylint: disable=unused-argument - -from knack.util import CLIError - - -def sentinel_alert_rule_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_alert_rule_show(client, - resource_group_name, - workspace_name, - rule_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_create(client, - resource_group_name, - workspace_name, - rule_id, - action_id=None, - etag=None, - logic_app_resource_id=None, - trigger_uri=None, - fusion_alert_rule=None, - microsoft_security_incident_creation_alert_rule=None, - scheduled_alert_rule=None): - all_alert_rule = [] - if fusion_alert_rule is not None: - all_alert_rule.append(fusion_alert_rule) - if microsoft_security_incident_creation_alert_rule is not None: - all_alert_rule.append(microsoft_security_incident_creation_alert_rule) - if scheduled_alert_rule is not None: - all_alert_rule.append(scheduled_alert_rule) - if len(all_alert_rule) > 1: - raise CLIError('at most one of fusion_alert_rule, microsoft_security_incident_creation_alert_rule, ' - 'scheduled_alert_rule is needed for alert_rule!') - alert_rule = all_alert_rule[0] if len(all_alert_rule) == 1 else None - if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None: - return 
client.create_or_update_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id, - etag=etag, - logic_app_resource_id=logic_app_resource_id, - trigger_uri=trigger_uri) - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - alert_rule=alert_rule) - - -def sentinel_alert_rule_update(instance, - resource_group_name, - workspace_name, - rule_id, - fusion_alert_rule=None, - microsoft_security_incident_creation_alert_rule=None, - scheduled_alert_rule=None): - return instance - - -def sentinel_alert_rule_delete(client, - resource_group_name, - workspace_name, - rule_id, - action_id=None): - if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None: - return client.delete_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id) - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_get_action(client, - resource_group_name, - workspace_name, - rule_id, - action_id): - return client.get_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id) - - -def sentinel_action_list(client, - resource_group_name, - workspace_name, - rule_id): - return client.list_by_alert_rule(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_template_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_alert_rule_template_show(client, - resource_group_name, - workspace_name, - alert_rule_template_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - 
alert_rule_template_id=alert_rule_template_id) - - -def sentinel_bookmark_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_bookmark_show(client, - resource_group_name, - workspace_name, - bookmark_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id) - - -def sentinel_bookmark_create(client, - resource_group_name, - workspace_name, - bookmark_id, - etag=None, - created=None, - display_name=None, - labels=None, - notes=None, - query_content=None, - query_result=None, - updated=None, - incident_info=None, - updated_by_object_id=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id, - etag=etag, - created=created, - display_name=display_name, - labels=labels, - notes=notes, - query=query_content, - query_result=query_result, - updated=updated, - incident_info=incident_info, - object_id=updated_by_object_id) - - -def sentinel_bookmark_update(client, - resource_group_name, - workspace_name, - bookmark_id, - etag=None, - created=None, - display_name=None, - labels=None, - notes=None, - query_content=None, - query_result=None, - updated=None, - incident_info=None, - updated_by_object_id=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id, - etag=etag, - created=created, - display_name=display_name, - labels=labels, - notes=notes, - query=query_content, - query_result=query_result, - updated=updated, - incident_info=incident_info, - object_id=updated_by_object_id) - - -def sentinel_bookmark_delete(client, - resource_group_name, - workspace_name, - bookmark_id): - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id) - - -def 
sentinel_data_connector_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_data_connector_show(client, - resource_group_name, - workspace_name, - data_connector_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id) - - -def sentinel_data_connector_create(client, - resource_group_name, - workspace_name, - data_connector_id, - aad_data_connector=None, - aatp_data_connector=None, - asc_data_connector=None, - aws_cloud_trail_data_connector=None, - mcas_data_connector=None, - mdatp_data_connector=None, - office_data_connector=None, - ti_data_connector=None): - all_data_connector = [] - if aad_data_connector is not None: - all_data_connector.append(aad_data_connector) - if aatp_data_connector is not None: - all_data_connector.append(aatp_data_connector) - if asc_data_connector is not None: - all_data_connector.append(asc_data_connector) - if aws_cloud_trail_data_connector is not None: - all_data_connector.append(aws_cloud_trail_data_connector) - if mcas_data_connector is not None: - all_data_connector.append(mcas_data_connector) - if mdatp_data_connector is not None: - all_data_connector.append(mdatp_data_connector) - if office_data_connector is not None: - all_data_connector.append(office_data_connector) - if ti_data_connector is not None: - all_data_connector.append(ti_data_connector) - if len(all_data_connector) > 1: - raise CLIError('at most one of aad_data_connector, aatp_data_connector, asc_data_connector, ' - 'aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, ' - 'office_data_connector, ti_data_connector is needed for data_connector!') - if len(all_data_connector) != 1: - raise CLIError('data_connector is required. 
but none of aad_data_connector, aatp_data_connector, ' - 'asc_data_connector, aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, ' - 'office_data_connector, ti_data_connector is provided!') - data_connector = all_data_connector[0] if len(all_data_connector) == 1 else None - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id, - data_connector=data_connector) - - -def sentinel_data_connector_update(instance, - resource_group_name, - workspace_name, - data_connector_id, - aad_data_connector=None, - aatp_data_connector=None, - asc_data_connector=None, - aws_cloud_trail_data_connector=None, - mcas_data_connector=None, - mdatp_data_connector=None, - office_data_connector=None, - ti_data_connector=None): - return instance - - -def sentinel_data_connector_delete(client, - resource_group_name, - workspace_name, - data_connector_id): - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id) - - -def sentinel_incident_list(client, - resource_group_name, - workspace_name, - filter_=None, - orderby=None, - top=None, - skip_token=None): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name, - filter=filter_, - orderby=orderby, - top=top, - skip_token=skip_token) - - -def sentinel_incident_show(client, - resource_group_name, - workspace_name, - incident_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id) - - -def sentinel_incident_create(client, - resource_group_name, - workspace_name, - incident_id, - etag=None, - classification=None, - classification_comment=None, - classification_reason=None, - description=None, - first_activity_time_utc=None, - labels=None, - last_activity_time_utc=None, - owner=None, - severity=None, - status=None, - title=None): - return 
client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - etag=etag, - classification=classification, - classification_comment=classification_comment, - classification_reason=classification_reason, - description=description, - first_activity_time_utc=first_activity_time_utc, - labels=labels, - last_activity_time_utc=last_activity_time_utc, - owner=owner, - severity=severity, - status=status, - title=title) - - -def sentinel_incident_update(client, - resource_group_name, - workspace_name, - incident_id, - etag=None, - classification=None, - classification_comment=None, - classification_reason=None, - description=None, - first_activity_time_utc=None, - labels=None, - last_activity_time_utc=None, - owner=None, - severity=None, - status=None, - title=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - etag=etag, - classification=classification, - classification_comment=classification_comment, - classification_reason=classification_reason, - description=description, - first_activity_time_utc=first_activity_time_utc, - labels=labels, - last_activity_time_utc=last_activity_time_utc, - owner=owner, - severity=severity, - status=status, - title=title) - - -def sentinel_incident_delete(client, - resource_group_name, - workspace_name, - incident_id): - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id) - - -def sentinel_incident_comment_list(client, - resource_group_name, - workspace_name, - incident_id, - filter_=None, - orderby=None, - top=None, - skip_token=None): - return client.list_by_incident(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - filter=filter_, - orderby=orderby, - top=top, - skip_token=skip_token) - - -def sentinel_incident_comment_show(client, - resource_group_name, - 
workspace_name, - incident_id, - incident_comment_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - incident_comment_id=incident_comment_id) - - -def sentinel_incident_comment_create(client, - resource_group_name, - workspace_name, - incident_id, - incident_comment_id, - message=None): - return client.create_comment(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - incident_comment_id=incident_comment_id, - message=message) diff --git a/src/securityinsight/azext_sentinel/manual/__init__.py b/src/securityinsight/azext_sentinel/manual/__init__.py deleted file mode 100644 index c9cfdc73e77..00000000000 --- a/src/securityinsight/azext_sentinel/manual/__init__.py +++ /dev/null @@ -1,12 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- - -__path__ = __import__('pkgutil').extend_path(__path__, __name__) diff --git a/src/securityinsight/azext_sentinel/manual/_help.py b/src/securityinsight/azext_sentinel/manual/_help.py deleted file mode 100644 index cba8105ea2c..00000000000 --- a/src/securityinsight/azext_sentinel/manual/_help.py +++ /dev/null 
@@ -1,181 +0,0 @@ -# -------------------------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# -------------------------------------------------------------------------------------------- -# pylint: disable=too-many-lines - -from knack.help_files import helps - -helps['sentinel'] = """ - type: group - short-summary: Manage Security Insight -""" - -helps['sentinel data-connector create'] = """ - type: command - short-summary: "Create the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents Microsoft Defender for Identity data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents Microsoft Defender for Cloud data connector." - long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. 
The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." - long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents Microsoft Defender for Cloud Apps data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents Microsoft Defender for Endpoint data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." - long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-share-point-state: Describe whether this data type connection is enabled or not. 
- state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - examples: - - name: Creates or updates an Office365 data connector. - text: |- - az sentinel data-connector create --office-data-connector etag="{etag}" \ - tenant-id="{tenant-id}" --data-connector-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector update'] = """ - type: command - short-summary: "Update the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents Microsoft Defender for Identity data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents Microsoft Defender for Cloud data connector." 
- long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." - long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents Microsoft Defender for Cloud Apps data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents Microsoft Defender for Endpoint data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." 
- long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-share-point-state: Describe whether this data type connection is enabled or not. - state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource -""" diff --git a/src/securityinsight/azext_sentinel/manual/_params.py b/src/securityinsight/azext_sentinel/manual/_params.py deleted file mode 100644 index fa718718d51..00000000000 --- a/src/securityinsight/azext_sentinel/manual/_params.py +++ /dev/null 
@@ -1,49 +0,0 @@
-# --------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
-#
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-# pylint: disable=too-many-lines
-# pylint: disable=too-many-statements
-
-from azure.cli.core.commands.parameters import resource_group_name_type
-from azext_sentinel.action import AddIncidentInfo
-
-
-def load_arguments(self, _):
-
- with self.argument_context('sentinel bookmark create') as c:
- c.argument('resource_group_name', resource_group_name_type)
- c.argument('workspace_name', type=str, help='The name of the workspace.')
- c.argument('bookmark_id', type=str, help='Bookmark ID')
- c.argument('etag', type=str, help='Etag of the azure resource')
- c.argument('created', help='The time the bookmark was created')
- c.argument('display_name', type=str, help='The display name of the bookmark')
- c.argument('labels', nargs='*', help='List of labels relevant to this bookmark')
- c.argument('notes', type=str, help='The notes of the bookmark')
- c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.')
- c.argument('query_result', type=str, help='The query result of the bookmark.')
- c.argument('updated', help='The last time the bookmark was updated')
- c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to '
- 'bookmark')
- c.argument('updated_by_object_id', help='The object id of the user.')
-
- with self.argument_context('sentinel bookmark update') as c:
- c.argument('resource_group_name', resource_group_name_type)
- c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name')
- c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1')
- c.argument('etag', type=str, help='Etag of the azure resource')
- c.argument('created', help='The time the bookmark was created')
- c.argument('display_name', type=str, help='The display name of the bookmark')
- c.argument('labels', nargs='*', help='List of labels relevant to this bookmark')
- c.argument('notes', type=str, help='The notes of the bookmark')
- c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.')
- c.argument('query_result', type=str, help='The query result of the bookmark.')
- c.argument('updated', help='The last time the bookmark was updated')
- c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to '
- 'bookmark')
- c.argument('updated_by_object_id', help='The object id of the user.')
diff --git a/src/securityinsight/azext_sentinel/tests/__init__.py b/src/securityinsight/azext_sentinel/tests/__init__.py
index 50e0627daff..5757aea3175 100644
--- a/src/securityinsight/azext_sentinel/tests/__init__.py
+++ b/src/securityinsight/azext_sentinel/tests/__init__.py
@@ -1,114 +1,6 @@
-# coding=utf-8
-# --------------------------------------------------------------------------
+# --------------------------------------------------------------------------------------------
 # Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
+# Licensed under the MIT License. See License.txt in the project root for license information.
 #
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-import inspect
-import logging
-import os
-import sys
-import traceback
-import datetime as dt
-
-from azure.core.exceptions import AzureError
-from azure.cli.testsdk.exceptions import CliTestError, CliExecutionError, JMESPathCheckAssertionError
-
-
-logger = logging.getLogger('azure.cli.testsdk')
-logger.addHandler(logging.StreamHandler())
-__path__ = __import__('pkgutil').extend_path(__path__, __name__)
-exceptions = []
-test_map = dict()
-SUCCESSED = "successed"
-FAILED = "failed"
-
-
-def try_manual(func):
- def import_manual_function(origin_func):
- from importlib import import_module
- decorated_path = inspect.getfile(origin_func)
- module_path = __path__[0]
- if not decorated_path.startswith(module_path):
- raise Exception("Decorator can only be used in submodules!")
- manual_path = os.path.join(
- decorated_path[module_path.rfind(os.path.sep) + 1:])
- manual_file_path, manual_file_name = os.path.split(manual_path)
- module_name, _ = os.path.splitext(manual_file_name)
- manual_module = "..manual." + \
- ".".join(manual_file_path.split(os.path.sep) + [module_name, ])
- return getattr(import_module(manual_module, package=__name__), origin_func.__name__)
-
- def get_func_to_call():
- func_to_call = func
- try:
- func_to_call = import_manual_function(func)
- func_to_call = import_manual_function(func)
- logger.info("Found manual override for %s(...)", func.__name__)
- except (ImportError, AttributeError):
- pass
- return func_to_call
-
- def wrapper(*args, **kwargs):
- func_to_call = get_func_to_call()
- logger.info("running %s()...", func.__name__)
- try:
- test_map[func.__name__] = dict()
- test_map[func.__name__]["result"] = SUCCESSED
- test_map[func.__name__]["error_message"] = ""
- test_map[func.__name__]["error_stack"] = ""
- test_map[func.__name__]["error_normalized"] = ""
- test_map[func.__name__]["start_dt"] = dt.datetime.utcnow()
- ret = func_to_call(*args, **kwargs)
- except (AssertionError, AzureError, CliTestError, CliExecutionError, SystemExit,
- JMESPathCheckAssertionError) as e:
- test_map[func.__name__]["end_dt"] = dt.datetime.utcnow()
- test_map[func.__name__]["result"] = FAILED
- test_map[func.__name__]["error_message"] = str(e).replace("\r\n", " ").replace("\n", " ")[:500]
- test_map[func.__name__]["error_stack"] = traceback.format_exc().replace(
- "\r\n", " ").replace("\n", " ")[:500]
- logger.info("--------------------------------------")
- logger.info("step exception: %s", e)
- logger.error("--------------------------------------")
- logger.error("step exception in %s: %s", func.__name__, e)
- logger.info(traceback.format_exc())
- exceptions.append((func.__name__, sys.exc_info()))
- else:
- test_map[func.__name__]["end_dt"] = dt.datetime.utcnow()
- return ret
-
- if inspect.isclass(func):
- return get_func_to_call()
- return wrapper
-
-
-def calc_coverage(filename):
- filename = filename.split(".")[0]
- coverage_name = filename + "_coverage.md"
- with open(coverage_name, "w") as f:
- f.write("|Scenario|Result|ErrorMessage|ErrorStack|ErrorNormalized|StartDt|EndDt|\n")
- total = len(test_map)
- covered = 0
- for k, v in test_map.items():
- if not k.startswith("step_"):
- total -= 1
- continue
- if v["result"] == SUCCESSED:
- covered += 1
- f.write("|{step_name}|{result}|{error_message}|{error_stack}|{error_normalized}|{start_dt}|"
- "{end_dt}|\n".format(step_name=k, **v))
- f.write("Coverage: {}/{}\n".format(covered, total))
- print("Create coverage\n", file=sys.stderr)
-
-
-def raise_if():
- if exceptions:
- if len(exceptions) <= 1:
- raise exceptions[0][1][1]
- message = "{}\nFollowed with exceptions in other steps:\n".format(str(exceptions[0][1][1]))
- message += "\n".join(["{}: {}".format(h[0], h[1][1]) for h in exceptions[1:]])
- raise exceptions[0][1][0](message).with_traceback(exceptions[0][1][2])
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
diff --git a/src/securityinsight/azext_sentinel/tests/latest/__init__.py b/src/securityinsight/azext_sentinel/tests/latest/__init__.py
index c9cfdc73e77..5757aea3175 100644
--- a/src/securityinsight/azext_sentinel/tests/latest/__init__.py
+++ b/src/securityinsight/azext_sentinel/tests/latest/__init__.py
@@ -1,12 +1,6 @@
-# coding=utf-8
-# --------------------------------------------------------------------------
+# --------------------------------------------------------------------------------------------
 # Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for
-# license information.
+# Licensed under the MIT License. See License.txt in the project root for license information.
 #
-# Code generated by Microsoft (R) AutoRest Code Generator.
-# Changes may cause incorrect behavior and will be lost if the code is
-# regenerated.
-# --------------------------------------------------------------------------
-
-__path__ = __import__('pkgutil').extend_path(__path__, __name__)
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel.yaml
deleted file mode 100644
index 2f31b1220ac..00000000000
--- a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel.yaml
+++ /dev/null
@@ -1,16789 +0,0 @@ -interactions: -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - Connection: - - keep-alive - User-Agent: - - python-requests/2.22.0 - method: GET - uri: https://aka.ms/azure-cli-extension-index-v1 - response: - body: - string: '' - headers: - cache-control: - - max-age=0, no-cache, no-store - connection: - - keep-alive - content-length: - - '0' - date: - - Tue, 16 Mar 2021 09:03:09 GMT - expires: - - Tue, 16 Mar 2021 09:03:09 GMT - location: - - https://azcliextensionsync.blob.core.windows.net/index1/index.json - pragma: - - no-cache - request-context: - - appId=cid-v1:b47e5e27-bf85-45ba-a97c-0377ce0e5779 - server: - - Kestrel - strict-transport-security: - - max-age=31536000 ; includeSubDomains - x-powered-by: - - ASP.NET - x-response-cache-status: - - 'True' - status: - code: 301 - message: Moved Permanently -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - Connection: - - keep-alive - User-Agent: - - python-requests/2.22.0 - method: GET - uri: https://azcliextensionsync.blob.core.windows.net/index1/index.json - response: - body: - string: "{\n \"extensions\": {\n \"account\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/account-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"account-0.1.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - 
\ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"account\",\n \"summary\": \"Microsoft Azure Command-Line - Tools SubscriptionClient Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"badd35099d52efc5d8c337eee3ce3958005e6bfbb0c83798a74458b90ea6046b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/account-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"account-0.2.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"account\",\n \"summary\": \"Microsoft Azure Command-Line - Tools SubscriptionClient Extension\",\n \"version\": \"0.2.0\"\n - \ },\n 
\"sha256Digest\": \"a5613056e59cccaf4de58d9b108b0103f1b5a698345e6261b5bf83b3ff7637cf\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/account-0.2.1-py3-none-any.whl\",\n - \ \"filename\": \"account-0.2.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/account\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"account\",\n \"summary\": \"Microsoft Azure Command-Line - Tools SubscriptionClient Extension\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"aba36f7a6f109d2bd1b1624ebcfdfd07a97e9a0b05b051d0af7d2ddb4d2f3c89\"\n - \ }\n ],\n \"acrtransfer\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/acrtransfer-1.0.0-py3-none-any.whl\",\n - \ \"filename\": \"acrtransfer-1.0.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System 
Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"KraterDev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/acrtransfer\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"acrtransfer\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Acrtransfer Extension\",\n \"version\": \"1.0.0\"\n - \ },\n \"sha256Digest\": \"8fadff19781b34ab246a15a5c222fd6af53ea93f7778fbf933d1ccd082f3e362\"\n - \ }\n ],\n \"ad\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/ad-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"ad-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ad\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ad\",\n \"summary\": \"Microsoft Azure Command-Line Tools - DomainServicesResourceProvider Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"61df234e10759e9916c1d447ab02b82637de10fd97c31a17252e1f5183853883\"\n - \ }\n ],\n \"aem\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/aem-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"aem-0.1.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.30\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"yugangw@microsoft.com\",\n - \ \"name\": \"Yugang Wang\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.29.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aem\",\n \"summary\": \"Manage Azure Enhanced Monitoring - Extensions for SAP\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"4ac7b8a4a89eda68d9d1a07cc5edd9b1a2b88421e2aa9a9e5b86a241f127775f\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/aem-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"aem-0.2.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.30\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"yugangw@microsoft.com\",\n - \ \"name\": \"Yugang Wang\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aem\",\n \"summary\": \"Manage Azure Enhanced Monitoring - Extensions for SAP\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"3ae49bb9f6b07cdaae840079c95e3d30c7e8bc27ba68d542e8e122cf4c14ce00\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aem-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"aem-0.2.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.19.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n 
\"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"yugangw@microsoft.com\",\n \"name\": - \"Yugang Wang\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aem\",\n \"summary\": \"Manage Azure Enhanced Monitoring - Extensions for SAP\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"fb11a2b2b46c5bae831216969bc333a74c7f2a1f77fb8fae7427b911d27bdd41\"\n - \ }\n ],\n \"ai-examples\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.81\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"3bf63937122345abe28f6d6ddcac8c76491ae992910a6516bcb506e099e59f8b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"1e976b938f377e35618525154b46725fa66f17883a6fb233fb2f9d427a34421b\"\n - \ },\n 
{\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"f45d5a3726924c8a7ae03f2fce1ea4c0221291cf5c815dd54bbc7cd867f1edc2\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System 
Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.2\"\n },\n - \ \"sha256Digest\": \"6f5da7c8783d6c295b0bc290284609d2e4d60618e208529ec224cde6137254e7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT 
License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.3\"\n },\n - \ \"sha256Digest\": \"b4e02c629f2d5613553460c0c1923d638753b355cda5cd7e6ed11b573eaf6d01\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": 
\"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.4\"\n },\n - \ \"sha256Digest\": \"acb73b45ea35b909a0e25ca8757a1434d9ba109ebb3d54698850f5258e76132c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ai_examples-0.2.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"ai_examples-0.2.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.2.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"mabooe@microsoft.com\",\n \"name\": \"Matthew - Booe\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ai-examples\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ai-examples\",\n \"summary\": \"Add AI powered examples - to help content.\",\n \"version\": \"0.2.5\"\n },\n - \ \"sha256Digest\": \"badbdf5fc2e0b4a85c4124d3fc92859b582adf8f30f5727440ce81942140099a\"\n - \ }\n ],\n \"aks-preview\": [\n {\n \"downloadUrl\": - 
\"https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.4.35-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.35-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.35\"\n },\n - \ \"sha256Digest\": \"1f5eac9040d0c71650e349264e2161bef7c409ed037d3aa1241ea14f438f668a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.36-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.36-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language 
:: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.36\"\n },\n - \ \"sha256Digest\": \"ea288c9a118ff077caba6110c395864f5c569d87ab395f02a1b11eefd00d3db6\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.37-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.37-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": 
\"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.37\"\n },\n - \ \"sha256Digest\": \"80d04f0d477b987dd462e6c1fb3fdbe7441c7ea1e3c75fb8593847d43b4a1e3b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.38-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.38-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.38\"\n },\n 
- \ \"sha256Digest\": \"1ded28b781b6be42b7006fa1a9784d33a90cef43690034dfd22f890519737570\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.39-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.39-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.39\"\n },\n - \ \"sha256Digest\": \"0fdcf5377dcd987221405a3cce324cf823d6f22f0cedd0ea6dc7e3b357be50c4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.40-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.40-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n 
\"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.40\"\n },\n - \ \"sha256Digest\": \"ea0e3e82ed682134734460b8a6489c4e586cfca97706cc2037d9ace16491c286\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.41-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.41-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.41\"\n },\n - \ \"sha256Digest\": \"f2c6b7d062f3798400b274926e70123fe02ea8bd6a94f645bbf5c1474ce42e33\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.42-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.42-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.42\"\n },\n - \ \"sha256Digest\": \"8b7b592b640b4e46410cf97600106c277506403487e083a3496c33c634e63a06\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.43-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.43-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.43\"\n },\n - \ \"sha256Digest\": \"d351dc69bac520400beffaa571dccdd1fd37534c28309fa703ae59802d25cad5\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.44-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.44-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n 
\"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.44\"\n },\n - \ \"sha256Digest\": \"544d8dbab694fd5a2e04a1cac310e36881682e309c5df772f037451e3d7da51c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.45-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.45-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.45\"\n },\n - \ \"sha256Digest\": \"78b8536cf5b4349d47a3d1742d36514f99780ef8eff31336d8cb5dfc2e5c6080\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.47-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.47-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.47\"\n },\n - \ \"sha256Digest\": \"042b4acfecdc98059907abce1224c0865f1a61abd566fdc00e09a61436a52e27\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.49-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.49-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.49\"\n },\n - \ \"sha256Digest\": \"ccd0ec11a5fe08427547eb65111ab5c4bab5a59d2eb8d90173d3afa242260518\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.50-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.50-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n 
\"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.50\"\n },\n - \ \"sha256Digest\": \"4c00426e0e993c1a1205a9e09500025cadf287b5ba9c7248027bd91922a94688\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.51-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.51-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n 
\"version\": \"0.4.51\"\n },\n - \ \"sha256Digest\": \"60db16bbf0149d80545044dbcb6a353822f867876b2a2547e584432775bd2bf7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.52-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.52-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.52\"\n },\n - \ \"sha256Digest\": \"7ca39f7f93274649857adc648ae2c7f971d846a99917e6c42b514075d19eb93f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.53-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.53-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - 
System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.53\"\n },\n - \ \"sha256Digest\": \"8a71bf3f14338831750c4d086be49b09dbc65e40aedbbc9bc8c558ca8dcb1b21\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.54-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.54-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - 
\"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.54\"\n },\n - \ \"sha256Digest\": \"a12d1907641e8212e0fb4e5f2a6eb85154252a2cd92a1539bf7b809c3b3aa840\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.55-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.55-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.55\"\n },\n - \ \"sha256Digest\": \"d6fa0ec6dfffa82941d9b93415b317f5aee42191c3f6193fbc5842f36822cc48\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.56-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.56-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.56\"\n },\n - \ \"sha256Digest\": \"b03984389a701e3bdfd0327a5428e2b73394daadca15c072173efd367cc7350e\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.57-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.57-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n 
\"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.57\"\n },\n - \ \"sha256Digest\": \"2f80ce7345874f6dc791c25b59bfccdd8d1df2fc5a58eee89c12d5bee36e09f2\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.58-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.58-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.58\"\n },\n - \ \"sha256Digest\": \"6c0e9eeff259f87d5db5deab028bd0c875103d4f94af3b4f872167330de14c2d\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.59-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.59-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.59\"\n },\n - \ \"sha256Digest\": \"33f4caf55366ac68d8b914bf0d06b695ea90d37ea1a26752c5c4ce7345f60b7d\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.60-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.60-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.60\"\n },\n - \ \"sha256Digest\": \"5baa213387c341a054dd8bc8a610f6f4ce0507d5fb1b96b13b0025c1cffb32a3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.61-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.61-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n 
\"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.61\"\n },\n - \ \"sha256Digest\": \"e40833b2de89ae4884d0d88741ed6949d6a3b8e970c946e1ff4aed1ca5215b57\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.62-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.62-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n 
\"version\": \"0.4.62\"\n },\n - \ \"sha256Digest\": \"41538793759b3aae977c3c0e6263a271b20ea130467d89c0dee19877198f0703\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.63-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.63-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.63\"\n },\n - \ \"sha256Digest\": \"ad7e574b1728797189c3e7185ff56e09e835086bd8876c4ef8cbdc54ffe1bc77\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.64-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.64-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - 
System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.64\"\n },\n - \ \"sha256Digest\": \"507a299bddcb9199f589be12ad0761e03c8386ed2b4ca26782199e9c1f18bf49\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.65-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.65-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - 
\"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.65\"\n },\n - \ \"sha256Digest\": \"3c1d2f8daedab5d6e6adea1ee1f0222be411f64b2b960ce270feb2aa5955145f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.66-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.66-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.66\"\n },\n - \ \"sha256Digest\": \"ff66452ee3ea3bd31da976107f59006a11ada4e565328fdd56c36c876680b826\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.67-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.67-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.67\"\n },\n - \ \"sha256Digest\": \"1ae0b48d36ea387f25311bbd24f3170c98ed2e3fd1d2a8d07ed32759f0d92828\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.68-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.68-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n 
\"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.68\"\n },\n - \ \"sha256Digest\": \"a281f668a6a9aca42b30fe81914621cce0b7ed8b5dc6c011d299f81ab7c213aa\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.69-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.69-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.69\"\n },\n - \ \"sha256Digest\": \"d670fa4333caf852f4fb298cac96617f24101af8a01af505eb6730936280598a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.70-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.70-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.70\"\n },\n - \ \"sha256Digest\": \"ae85aefb746698433f3175f87ab8f53c866aafd5f4d68d7277336e6bedeaffd8\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.71-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.71-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.71\"\n },\n - \ \"sha256Digest\": \"a122cfbcc9eb43d3e89e4a19e7f7641e95d6c3184e486bf790b6cdd088c98c79\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.72-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.72-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n 
\"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.4.72\"\n },\n - \ \"sha256Digest\": \"5d8ec45db6137170926753fe13f7afa8bc66b7b2d8e1af420bb4615b20b471bf\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.4.73-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.4.73-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n 
\"version\": \"0.4.73\"\n },\n - \ \"sha256Digest\": \"d5cd928c82d0f65dbdefc651b2925bfba8710d14d9ecb2aab50ce3b6b461a3c5\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.0\"\n },\n - \ \"sha256Digest\": \"abb67e21afe5760a77dc90832ff3790da7041e19240b5e16829b27562b538917\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System 
Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.1\"\n },\n - \ \"sha256Digest\": \"18a96ea0a9a7402715bd8896901e9b9b1a69ae40f8791755337178fdb3d2dd8b\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n 
},\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.2\"\n },\n - \ \"sha256Digest\": \"8a0d406acb640b0f9e2a5c2aba6ec1038aa14178e28cacb07f213127da4c7d4a\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.3\"\n },\n - \ \"sha256Digest\": \"a5ee5bd051e5e3909dd84593ff6c5ae9aa37eb4fd68ffa23db1011894c15ba9d\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.4\"\n },\n - \ \"sha256Digest\": \"9d917bb16488f2e0c07b8448675105ce726e836f3070cb1669394ce174893ec4\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/aks_preview-0.5.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"aks_preview-0.5.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n 
\"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"aks-preview\",\n \"summary\": \"Provides a preview for - upcoming AKS features\",\n \"version\": \"0.5.5\"\n },\n - \ \"sha256Digest\": \"17a72fbfd8ddafbe11cedadb5f2fd9b514d700ecc3854ece5c257c5c7e443182\"\n - \ }\n ],\n \"alertsmanagement\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/alertsmanagement-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"alertsmanagement-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"fey@microsoft.com\",\n \"name\": \"Github:qwordy\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"alertsmanagement\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Alerts Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"80ab78574debff9d8a9106bac3929cb552adea1371ea24f06073669fef708fcd\"\n - \ }\n ],\n \"alias\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/alias-0.5.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"alias-0.5.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.50.dev0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"t-chwong@microsoft.com\",\n \"name\": - \"Ernest Wong\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.29.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"alias\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"jinja2 (~=2.10)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for command aliases\",\n \"version\": \"0.5.2\"\n - \ },\n \"sha256Digest\": \"05f82d75026e780d27bd34a1be57f4ec0f425500d8ab4ee7e92fee07b944da33\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/alias-0.5.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"alias-0.5.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.31.dev0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"t-chwong@microsoft.com\",\n \"name\": - \"Ernest Wong\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"alias\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"jinja2 (~=2.10)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for command aliases\",\n \"version\": \"0.5.1\"\n - \ },\n \"sha256Digest\": \"81b9a7f1824bffcbd6e72680891476151dde868e030cdbf1bfd9135e1a8f3447\"\n - \ }\n ],\n \"application-insights\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - 
\"aleldeib@microsoft.com\",\n \"name\": - \"Ace Eldeib\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"application-insights\",\n \"summary\": \"Support for - managing Application Insights components and querying metrics, events, and - logs from such components.\",\n \"version\": \"0.1.3\"\n - \ },\n \"sha256Digest\": \"e5b8104da5d9f241a0599adeb3b1d2f910f00991f47d4f4c4095285de3a82f00\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"aleldeib@microsoft.com\",\n \"name\": - \"Ace Eldeib\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"application-insights\",\n \"summary\": \"Support for - managing Application Insights components and querying metrics, events, and - logs from such components.\",\n \"version\": \"0.1.4\"\n - \ },\n \"sha256Digest\": \"8b4ef4870b16a15fd81af385c3dff762e7af52333e212a68b5ec5f42663a6078\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.5-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"application_insights-0.1.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"application-insights\",\n \"summary\": \"Support for - managing Application Insights components and querying metrics, events, and - logs from such components.\",\n \"version\": \"0.1.5\"\n - \ },\n \"sha256Digest\": \"effa0a37f1e8b2506d4849a2208d69f06a6683809e5da809bea63bd0f940da2f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming 
Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"application-insights\",\n \"summary\": \"Support for - managing Application Insights components and querying metrics, events, and - logs from such components.\",\n \"version\": \"0.1.6\"\n - \ },\n \"sha256Digest\": \"271db7f2036eb245d3d00d5010468330e4ed97e7ed9756598e61a1960d37ac44\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": 
- {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"application-insights\",\n \"summary\": \"Support for - managing Application Insights components and querying metrics, events, and - logs from such components.\",\n \"version\": \"0.1.7\"\n - \ },\n \"sha256Digest\": \"6cb8c879d0960e6f41e1273c309253d7d7ca42089694fcf5e500d0a27ae89b59\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.8-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.8-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ 
\"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.8\"\n },\n \"sha256Digest\": \"f2f041e166f0b587e7c92252ef59e3bcecb8721f15c5e96f4496871a85a81f61\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.9-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.9-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n 
\"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.9\"\n },\n \"sha256Digest\": \"4ed371e2e02a31133bec6d416dd98c0de3e1ffbf56089e034abc36609c9dfa97\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.10-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.10-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.10\"\n },\n \"sha256Digest\": 
\"4f6ef254677ae32523f44af0f6b99bbdf6e5a8d1c894c7d2d72f4c8f8f359fb0\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.11-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.11-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.11\"\n },\n \"sha256Digest\": \"ffb9b4daf395966226786cc55bce2beff7d9a22ccec739cb21910ff03f582e90\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.12-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"application_insights-0.1.12-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.12\"\n },\n \"sha256Digest\": \"94ecdd71a1007df791a193e9273e902c39caa53dc965823c019d41cd679ee27c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/application_insights-0.1.13-py2.py3-none-any.whl\",\n - \ \"filename\": \"application_insights-0.1.13-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.79\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: 
Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/application-insights\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"application-insights\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"isodate (~=0.6.0)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for managing Application Insights components and querying metrics, - events, and logs from such components.\",\n \"version\": - \"0.1.13\"\n },\n \"sha256Digest\": \"b1d5d31cfbd8a75595943d7248e585d63d0a1c6b43c69febbd7162239af98933\"\n - \ }\n ],\n \"arcappliance\": [\n {\n \"downloadUrl\": - \"https://arcplatformcliextprod.blob.core.windows.net/arcappliance/arcappliance-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"arcappliance-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: 
Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"arcplatform-core@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://msazure.visualstudio.com/AzureArcPlatform/_git/arcappliance-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"arcappliance\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"jsonschema (==3.2.0)\",\n \"kubernetes - (==11.0.0)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Arcappliance - Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"1df8467bc8b14890e7ca6e26a3702d0c4a81ef2f6d1c6a7e3ba931473b86aeab\"\n - \ },\n {\n \"downloadUrl\": \"https://arcplatformcliextprod.blob.core.windows.net/arcappliance/arcappliance-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"arcappliance-0.1.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"appliance@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - 
\"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://msazure.visualstudio.com/AzureArcPlatform/_git/arcappliance-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"arcappliance\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"jsonschema (==3.2.0)\",\n \"kubernetes - (==11.0.0)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Arcappliance - Extension\",\n \"version\": \"0.1.2\"\n },\n - \ \"sha256Digest\": \"80ef17a397fdd045850cbf7823c0eb8d7354290d409a095a5f708a1f837f2b09\"\n - \ }\n ],\n \"attestation\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/attestation-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"attestation-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/attestation\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"attestation\",\n \"summary\": \"Microsoft Azure Command-Line - Tools 
AttestationManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"1d4e9b832a3f50b33428d565478a2e655c81d49277c07dc909f1485b62ba5372\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/attestation-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"attestation-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/attestation\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"attestation\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"pyjwt (==1.7.1)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Tools AttestationManagementClient Extension\",\n - \ \"version\": \"0.2.0\"\n },\n \"sha256Digest\": - \"895328b45d8bcfe45e4937885572cd1f39d23bc49f88314713a462bf1a367cc9\"\n }\n - \ ],\n \"automation\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/automation-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"automation-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n 
\"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.13.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/automation\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"automation\",\n \"summary\": \"Microsoft Azure Command-Line - Tools AutomationClient Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"779f996ffab9fd76438d8938216fcbeb6f9aecad3a23bd2097731182607e4d7a\"\n - \ }\n ],\n \"azure-batch-cli-extensions\": [\n {\n - \ \"downloadUrl\": \"https://github.com/Azure/azure-batch-cli-extensions/releases/download/azure-batch-cli-extensions-2.5.3/azure_batch_cli_extensions-2.5.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_batch_cli_extensions-2.5.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.maxCliCoreVersion\": - \"2.0.58\",\n \"azext.minCliCoreVersion\": \"2.0.24\",\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-batch-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-batch-cli-extensions\",\n - \ \"run_requires\": [\n {\n \"requires\": - [\n \"azure-batch-extensions (<4.1,>=4.0.0)\",\n - \ \"pycparser (==2.18)\"\n ]\n - \ }\n ],\n \"summary\": - \"Additional commands for working with Azure Batch service\",\n \"version\": - \"2.5.3\"\n },\n \"sha256Digest\": \"cc30b985edd5de0233d4fd283cfa29390d119c223b2f819ca36e071f759d5485\"\n - \ },\n {\n \"downloadUrl\": \"https://github.com/Azure/azure-batch-cli-extensions/releases/download/azure-batch-cli-extensions-3.0.4/azure_batch_cli_extensions-3.0.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_batch_cli_extensions-3.0.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.maxCliCoreVersion\": - \"2.1.0\",\n \"azext.minCliCoreVersion\": \"2.0.59\",\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-batch-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-batch-cli-extensions\",\n - \ \"run_requires\": [\n {\n \"requires\": - [\n \"azure-batch-extensions (<5.1,>=5.0.0)\",\n - \ \"pycparser (==2.18)\"\n ]\n - \ }\n ],\n \"summary\": - \"Additional commands for working with Azure Batch service\",\n \"version\": - \"3.0.4\"\n },\n \"sha256Digest\": \"9e76b7242934ceb8ae48c65f5469312522a034f4abf66d4771fb721aee04a502\"\n - \ },\n {\n \"downloadUrl\": 
\"https://github.com/Azure/azure-batch-cli-extensions/releases/download/azure-batch-cli-extensions-4.0.0/azure_batch_cli_extensions-4.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_batch_cli_extensions-4.0.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.maxCliCoreVersion\": - \"2.1.0\",\n \"azext.minCliCoreVersion\": \"2.0.69\",\n - \ \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-batch-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-batch-cli-extensions\",\n - \ \"run_requires\": [\n {\n \"requires\": - [\n \"azure-batch-extensions (<6.1,>=6.0.0)\",\n - \ \"pycparser (==2.18)\"\n ]\n - \ }\n ],\n \"summary\": - \"Additional commands for working with Azure Batch service\",\n \"version\": - \"4.0.0\"\n },\n \"sha256Digest\": \"3045dc24858b9acfed13a517038830ddc643aef779de0d14617c49c9fd2dcbd5\"\n - \ },\n {\n \"downloadUrl\": \"https://github.com/Azure/azure-batch-cli-extensions/releases/download/azure-batch-cli-extensions-5.0.1/azure_batch_cli_extensions-5.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"azure_batch_cli_extensions-5.0.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.maxCliCoreVersion\": - \"3.0.0\",\n \"azext.minCliCoreVersion\": \"2.0.73\",\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-batch-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-batch-cli-extensions\",\n - \ \"run_requires\": [\n {\n \"requires\": - [\n \"azure-batch-extensions (<7.1,>=7.0.0)\",\n - \ \"pycparser (==2.18)\"\n ]\n - \ }\n ],\n \"summary\": - \"Additional commands for working with Azure Batch service\",\n \"version\": - \"5.0.1\"\n },\n \"sha256Digest\": \"bf07b63782e0f6446302971afaf8b5ec5bb6dbc00449bf3276511993abf8cd61\"\n - \ },\n {\n \"downloadUrl\": \"https://github.com/Azure/azure-batch-cli-extensions/releases/download/azure-batch-cli-extensions-6.0.0/azure_batch_cli_extensions-6.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_batch_cli_extensions-6.0.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.maxCliCoreVersion\": - \"3.0.0\",\n \"azext.minCliCoreVersion\": \"2.0.74\",\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-batch-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-batch-cli-extensions\",\n - 
\ \"run_requires\": [\n {\n \"requires\": - [\n \"azure-batch-extensions (<8.1,>=8.0.0)\",\n - \ \"pycparser (==2.18)\"\n ]\n - \ }\n ],\n \"summary\": - \"Additional commands for working with Azure Batch service\",\n \"version\": - \"6.0.0\"\n },\n \"sha256Digest\": \"6955a0d960d9c4df6935b9058f67c8c42872c8716d8d2a4f76e9e6ce72eb66ab\"\n - \ }\n ],\n \"azure-cli-ml\": [\n {\n \"downloadUrl\": - \"https://azurecliext.blob.core.windows.net/release/azure_cli_ml-1.24.0-py3-none-any.whl\",\n - \ \"filename\": \"azure_cli_ml-1.24.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 3 - Alpha\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"Programming Language - :: Python :: 3.7\",\n \"Programming Language :: Python - :: 3.8\"\n ],\n \"description_content_type\": - \"text/x-rst\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\",\n - \ \"license\": \"LICENSE.txt\"\n },\n - \ \"project_urls\": {\n \"Home\": - \"https://docs.microsoft.com/python/api/overview/azure/ml/?view=azure-ml-py\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"Proprietary https://aka.ms/azureml-preview-sdk-license - \",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-cli-ml\",\n \"requires_python\": \">=3.5,<4\",\n - \ \"run_requires\": [\n {\n \"requires\": - [\n \"adal (>=1.2.1)\",\n \"azureml-cli-common - (~=1.24.0)\",\n \"cryptography (<=3.3.2)\",\n - \ \"docker (>=3.7.2)\",\n \"msrest - (>=0.6.6)\",\n \"pyyaml (>=5.1.0)\",\n \"requests - (>=2.21.0)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure 
Command-Line Tools AzureML - Command Module\",\n \"test_requires\": [\n {\n - \ \"requires\": [\n \"azure-keyvault\",\n - \ \"mock\",\n \"nose\",\n - \ \"unittest-xml-reporting\"\n ]\n - \ }\n ],\n \"version\": - \"1.24.0\"\n },\n \"sha256Digest\": \"eae5ad381bcfd883ff2eb8232ae8cda761810393175f341188f5c1367f45517c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliext.blob.core.windows.net/release/azure_cli_ml-1.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_cli_ml-1.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.28\",\n \"classifiers\": [\n \"Development - Status :: 3 - Alpha\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"Programming Language - :: Python :: 3.7\",\n \"Programming Language :: Python - :: 3.8\"\n ],\n \"description_content_type\": - \"text/x-rst\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\",\n - \ \"license\": \"LICENSE.txt\"\n },\n - \ \"project_urls\": {\n \"Home\": - \"https://docs.microsoft.com/azure/machine-learning/service/\"\n }\n - \ }\n },\n \"extras\": - [],\n \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"Proprietary https://aka.ms/azureml-preview-sdk-license \",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-cli-ml\",\n \"requires_python\": - \">=3.5,<4\",\n \"run_requires\": [\n {\n - \ \"requires\": [\n \"adal - (>=1.2.1)\",\n \"azureml-cli-common (~=1.5.0)\",\n - \ \"docker (>=3.7.2)\",\n \"msrest - (>=0.6.6)\",\n \"pyyaml (>=5.1.0)\",\n \"requests - (>=2.21.0)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools AzureML - Command Module\",\n \"test_requires\": [\n {\n - \ \"requires\": 
[\n \"azure-keyvault\",\n - \ \"mock\",\n \"nose\",\n - \ \"unittest-xml-reporting\"\n ]\n - \ }\n ],\n \"version\": - \"1.5.0\"\n },\n \"sha256Digest\": \"a535f01501a06f70d26a75f5ccde2d32640d3c7efec302fc2fc454bfb867e946\"\n - \ }\n ],\n \"azure-devops\": [\n {\n \"downloadUrl\": - \"https://github.com/Azure/azure-devops-cli-extension/releases/download/20190805.1/azure_devops-0.12.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_devops-0.12.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.49\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"VSTS_Social@microsoft.com\",\n \"name\": - \"Microsoft\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Microsoft/azure-devops-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-devops\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"distro (==1.3.0)\",\n \"msrest - (<0.7.0,>=0.6.0)\",\n \"python-dateutil (==2.7.3)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Tools for managing Azure DevOps.\",\n \"version\": - \"0.12.0\"\n },\n \"sha256Digest\": \"2abdfd1b760e1968176cd4043e2db7edf951978c6a2182eb5e79bb0c8070af4c\"\n - \ },\n {\n \"downloadUrl\": 
\"https://github.com/Azure/azure-devops-cli-extension/releases/download/20200113.1/azure_devops-0.17.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_devops-0.17.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.69\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"VSTS_Social@microsoft.com\",\n \"name\": - \"Microsoft\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Microsoft/azure-devops-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-devops\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"distro (==1.3.0)\",\n \"msrest - (<0.7.0,>=0.6.0)\",\n \"python-dateutil (==2.7.3)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Tools for managing Azure DevOps.\",\n \"version\": - \"0.17.0\"\n },\n \"sha256Digest\": \"1e891afc8b6ee52c62c4f99802d77728ff60e89e4c08972325178cc4fdac6be9\"\n - \ },\n {\n \"downloadUrl\": \"https://github.com/Azure/azure-devops-cli-extension/releases/download/20200401.4/azure_devops-0.18.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_devops-0.18.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.2.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n 
\"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"VSTS_Social@microsoft.com\",\n - \ \"name\": \"Microsoft\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Microsoft/azure-devops-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-devops\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"distro (==1.3.0)\",\n \"msrest - (<0.7.0,>=0.6.0)\",\n \"python-dateutil (==2.7.3)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Tools for managing Azure DevOps.\",\n \"version\": - \"0.18.0\"\n },\n \"sha256Digest\": \"21fd9bf9c01a315184f11d7f709f354075118c298fd662472273cb003bfbe23e\"\n - \ }\n ],\n \"azure-firewall\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.46\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n 
\"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.1.3\"\n },\n - \ \"sha256Digest\": \"116c1324206e8aa0e7cffdd719a12e87b2977a061fcd9fb96ae4b6fbe223e93f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.1.9-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.1.9-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.1.9\"\n },\n - \ \"sha256Digest\": \"f20c18b5b176dd39815dee4d344368774b58bb2f4f03c28b89ee08212e45856a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"7934510bc2ed4d83c8dbee7d2d22c3de2332b96020e2f45515035153f94a246f\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.3.0\"\n },\n - \ \"sha256Digest\": \"12e5f8567ba8a74988f50ec6ed3539fad5b9e491727b0bc2c16e7acc34f49423\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.3.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.3.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: 
- Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.3.1\"\n },\n - \ \"sha256Digest\": \"32e10a4e96a891151959680ff3cbf3e28ea0cf38e49ac062c49c668d00e5d7d7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.4.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.4.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": 
\"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.4.0\"\n },\n - \ \"sha256Digest\": \"5c79cedfc5abf134f4b47ad5d867ff5852d2ba17f710d44a2101fe0aa51b1a48\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - 
\"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.5.0\"\n },\n - \ \"sha256Digest\": \"ceb70fe380937e5cb42998648a3218313b1425286705743275a808bb15d70d03\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.5.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.5.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.5.1\"\n },\n - \ \"sha256Digest\": \"40581d4aaf52a8a1f8deccf3be641385348251b34ffeb4c65193111150002699\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.6.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.6.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - 
true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.6.0\"\n },\n - \ \"sha256Digest\": \"b22c81a341f1742ebb2c32c45af1470b12bfe2d03907d43206cf8d0860e058f6\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.6.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.6.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming 
Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.6.1\"\n },\n - \ \"sha256Digest\": \"4bf18f81d1b97d458181154f51803103745182cf68972180507aa8c291c60a94\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.6.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.6.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.6.2\"\n },\n - \ \"sha256Digest\": \"30539d78089ae73cbc012d487de7b9e9717096e2abf960ca4e7057ef77222a25\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.7.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.7.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.7.0\"\n },\n - \ \"sha256Digest\": \"b6ac17ae8f18d9c702cece94822c0d00dbc13b7ed60a7831281e2e5391cefe39\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.8.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.8.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.8.0\"\n },\n - \ \"sha256Digest\": \"897e1ff2ff69b6f2969dc97e97847a25b7a9060091024a96e0e2ca0876c0cd53\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/azure_firewall-0.9.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_firewall-0.9.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - 
Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/azure-firewall\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"azure-firewall\",\n \"summary\": \"Manage Azure Firewall - resources.\",\n \"version\": \"0.9.0\"\n },\n - \ \"sha256Digest\": \"ea9f1a318e27266652bb6121d93ff5595b2ffe1227efc3ca1ab69b29349bb9d2\"\n - \ }\n ],\n \"azure-iot\": [\n {\n \"downloadUrl\": - \"https://github.com/Azure/azure-iot-cli-extension/releases/download/v0.10.10/azure_iot-0.10.10-py3-none-any.whl\",\n - \ \"filename\": \"azure_iot-0.10.10-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"iotupx@microsoft.com\",\n \"name\": \"Microsoft\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n 
\"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-iot-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-iot\",\n \"requires_python\": - \">=3.6,<4\",\n \"run_requires\": [\n {\n - \ \"requires\": [\n \"jsonschema - (==3.0.2)\",\n \"paho-mqtt (==1.5.0)\",\n \"setuptools\"\n - \ ]\n }\n ],\n - \ \"summary\": \"The Azure IoT extension for Azure CLI.\",\n - \ \"version\": \"0.10.10\"\n },\n \"sha256Digest\": - \"77a82d1b60fa1664a15cef6dff7bfbdb65b0675d101a2b015aa7eb855064a520\"\n },\n - \ {\n \"downloadUrl\": \"https://github.com/Azure/azure-iot-cli-extension/releases/download/v0.9.7/azure_iot-0.9.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_iot-0.9.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.70\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"iotupx@microsoft.com\",\n \"name\": \"Microsoft\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-iot-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-iot\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ 
\"jsonschema (==3.0.2)\",\n \"paho-mqtt - (==1.5.0)\",\n \"setuptools\"\n ]\n - \ }\n ],\n \"summary\": - \"The Azure IoT extension for Azure CLI.\",\n \"version\": - \"0.9.7\"\n },\n \"sha256Digest\": \"1b4d44540a4feb487bb88aae4bdb4231045f0b23ad84f0e8792e859302183303\"\n - \ },\n {\n \"downloadUrl\": \"https://github.com/Azure/azure-iot-cli-extension/releases/download/v0.9.4/azure_iot-0.9.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"azure_iot-0.9.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.70\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.5\",\n \"Programming Language :: Python - :: 3.6\",\n \"Programming Language :: Python :: 3.7\",\n - \ \"Programming Language :: Python :: 3.8\",\n \"License - :: OSI Approved :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"iotupx@microsoft.com\",\n \"name\": \"Microsoft\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-iot-cli-extension\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"azure-iot\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"jsonschema (==3.0.2)\",\n \"paho-mqtt - (==1.5.0)\",\n \"setuptools\"\n ]\n - \ }\n ],\n \"summary\": - \"The Azure IoT extension for Azure CLI.\",\n \"version\": - \"0.9.4\"\n },\n \"sha256Digest\": \"bbf330942daac0035bd9bb9a0fdeaf297124ec8cd98e28e46adb2bf34070295b\"\n - \ }\n ],\n \"baremetal-infrastructure\": [\n {\n - \ \"downloadUrl\": 
\"https://github.com/Azure/azure-baremetalinfrastructure-cli-extension/releases/download/0.0.2/baremetal_infrastructure-0.0.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"baremetal_infrastructure-0.0.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.12.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-baremetalinfrastructure-cli-extension\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"baremetal-infrastructure\",\n \"summary\": \"Additional - commands for working with BareMetal instances.\",\n \"version\": - \"0.0.2\"\n },\n \"sha256Digest\": \"171799d3db711b431365366cc26f3a5b186cb94381f01c2d5f7b3f392892d591\"\n - \ }\n ],\n \"blockchain\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/blockchain-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"blockchain-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: 
System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"blockchain\",\n \"summary\": \"Microsoft Azure Command-Line - Tools BlockchainManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"ba0001dffaf39d133604c4281ed9c943f178a16a91d31f5889bf1587d9871049\"\n - \ }\n ],\n \"blueprint\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/blueprint-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"blueprint-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - 
{\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"blueprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Blueprint Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"98c1874110e2c77c62cf0d180133ea0b29ed08a86189ee292b909369597e694b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/blueprint-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"blueprint-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"blueprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Blueprint Extension\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"4508b6143f69e6ac388ad37b3e3af82f49c9b5625e12d341963cc2faf02e368f\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/blueprint-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"blueprint-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"blueprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Blueprint Extension\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"fcbbe61db268b9b5452b0d9055c5fc8b725a63193290957c2681de5fe2e6f1ff\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/blueprint-0.2.1-py3-none-any.whl\",\n - \ \"filename\": \"blueprint-0.2.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: 
Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/blueprint\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"blueprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Blueprint Extension\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"120bd04db8b31bbc5631ce086739763cca3144c2e314b8e1347f1d633e894a09\"\n - \ }\n ],\n \"cli-translator\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/cli_translator-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"cli_translator-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.11.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/cli-translator\"\n - \ 
}\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cli-translator\",\n \"summary\": \"Translate ARM template - to executable Azure CLI scripts.\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"8a4d19ed89cd63e1cc461715b7b0a1a989d2b480adc1b3b4f5747eef0327b85b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/cli_translator-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"cli_translator-0.2.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/cli-translator\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cli-translator\",\n \"summary\": \"Translate ARM template - to executable Azure CLI scripts.\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"ee07cbcde217d2b1ab226ef5aeea8e44510b704fb5e3976638dcf2f978f722e4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/cli_translator-0.3.0-py3-none-any.whl\",\n - \ \"filename\": 
\"cli_translator-0.3.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/cli-translator\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cli-translator\",\n \"summary\": \"Translate ARM template - to executable Azure CLI scripts.\",\n \"version\": \"0.3.0\"\n - \ },\n \"sha256Digest\": \"9ea6162d37fc3390be4dce64cb05c5c588070104f3e92a701ab475473565a8a9\"\n - \ }\n ],\n \"codespaces\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/codespaces-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"codespaces-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python 
:: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"codespaces\",\n \"summary\": \"The Azure CLI Codespaces - extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"d859256dac3177970bb631e149bcabd19d47fa9e972fb331662413b5cfe0ce32\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/codespaces-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"codespaces-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"codespaces\",\n \"summary\": \"The Azure CLI 
Codespaces - extension\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"793f4dbf828efc9474cc2d6aa314b0968c25321978b0dceaf33005f02c5f1bd7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/codespaces-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"codespaces-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"codespaces\",\n \"summary\": \"The Azure CLI Codespaces - extension\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"30569dd2124bec69abb6e6ae99c5a73059d767434bfe36d6f72a35b4f0e904f3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/codespaces-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"codespaces-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n 
\"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"codespaces\",\n \"summary\": \"The Azure CLI Codespaces - extension\",\n \"version\": \"0.3.0\"\n },\n - \ \"sha256Digest\": \"04d6fc97d8f1d49a54121198a32508118b7102aa69fa6bd31af25103a3af5a4c\"\n - \ }\n ],\n \"communication\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/communication-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"communication-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.11.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n 
\"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/communication\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"communication\",\n \"summary\": \"Microsoft Azure Command-Line - Tools CommunicationServiceManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"a16e8262b53791aad9e74a4f3d4804a5bafbe415df3c7651776e98b787bf6226\"\n - \ }\n ],\n \"confluent\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/confluent-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"confluent-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.17.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/confluent\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"confluent\",\n \"summary\": \"Microsoft Azure Command-Line - Tools ConfluentManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"4a6ffd3d10898183b66b0933064bc6d9bbade0e9af32be3348412b75310e07cb\"\n - \ }\n ],\n \"connectedk8s\": [\n 
{\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.1.5-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.1.5-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.1.5\"\n },\n - \ \"sha256Digest\": \"1b529c1fedb5db9dee3dc877ca036f5373d307ca8a07c278d07126531b1c55b6\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - 
\ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"d306355d5568f9f5b201db9f5bda28fc0b142c6b70164a87bf56974239749ebd\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.1-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft 
Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"e910b1a0abee28121d5c216821c5d88cefc87030eb3068e699135314ecb0f8c9\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.3-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.3-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": 
[\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.3\"\n },\n - \ \"sha256Digest\": \"9660bbd577c66af1bcebeeaaec9cabb61cd27a0b58c6fe9a9a795d6a73777ee9\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.4-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.4-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.4\"\n },\n - \ \"sha256Digest\": \"4de66f7e8cecdfab8c91bf4f37347770fb17e087454159d3a5c81e0205f2da2c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.5-py3-none-any.whl\",\n - \ \"filename\": 
\"connectedk8s-0.2.5-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.5\"\n },\n - \ \"sha256Digest\": \"0c23ebd04c37b26219cd224134e8af675130cc346808ae008cd5cfc4f3b1bd84\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.6-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.6-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n 
\"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes\",\n \"pycryptodome\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.6\"\n },\n - \ \"sha256Digest\": \"165411ce6ecdda8a4705bd9e93998b1ffdf6ddc88b01ed0ce12a3c100d1b9549\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.7-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.7-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes (==11.0.0)\",\n \"pycryptodome - (==3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.7\"\n },\n - \ \"sha256Digest\": \"115bbeb79206632301a20dc4b1d6604f5c126c82c0ba1a9a58131a66da30a7dc\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.8-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.8-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connectedk8s\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes (==11.0.0)\",\n \"pycryptodome - (==3.9.8)\"\n ]\n }\n ],\n - \ 
\"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.8\"\n },\n - \ \"sha256Digest\": \"a0f8d12304b097a65d2b22f4e47faa6c6899e680bab77dfb41e72d2722e7e7d6\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/connectedk8s-0.2.9-py3-none-any.whl\",\n - \ \"filename\": \"connectedk8s-0.2.9-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"k8connect@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connectedk8s\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes (==11.0.0)\",\n \"pycryptodome - (==3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"0.2.9\"\n },\n - \ \"sha256Digest\": \"55377bea57ae6288a501ea65ff2c68b2961ac7582da9b7646960faf17583e3dd\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/connectedk8s-1.0.0-py3-none-any.whl\",\n - \ \"filename\": 
\"connectedk8s-1.0.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"k8connect@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connectedk8s\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"connectedk8s\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"kubernetes (==11.0.0)\",\n \"pycryptodome - (==3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools Connectedk8s - Extension\",\n \"version\": \"1.0.0\"\n },\n - \ \"sha256Digest\": \"9eb34e10523ee5bbd9a4be03915532da7acc3be11631fb646807085c09380c59\"\n - \ }\n ],\n \"connectedmachine\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedmachine-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"connectedmachine-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - 
\"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"connectedmachine\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Connectedmachine Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"0f4d009da4e091aece74cd53833fe63e5af18d68fcf6308a08155ee5284f12fb\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedmachine-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"connectedmachine-0.2.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.11.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connectedmachine\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"connectedmachine\",\n \"summary\": \"Microsoft Azure - Command-Line Tools ConnectedMachine Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"b9a2f3ea3fb7a4c981fad30ff670ff3ca1f8fbef0aede36a8e8a20050b1a245d\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/connectedmachine-0.3.0-py3-none-any.whl\",\n - \ \"filename\": \"connectedmachine-0.3.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.11.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connectedmachine\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"connectedmachine\",\n \"summary\": \"Microsoft Azure - Command-Line Tools ConnectedMachine Extension\",\n \"version\": - \"0.3.0\"\n },\n \"sha256Digest\": \"591bed0d6a6251028471bac6a9ebf0f641d7765bf04b13271aae29c37491ba55\"\n - \ }\n ],\n \"connection-monitor-preview\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/connection_monitor_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"connection_monitor_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.0.82\",\n \"azext.minCliCoreVersion\": - \"2.0.80\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft 
Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/connection-monitor-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"connection-monitor-preview\",\n \"summary\": \"Microsoft - Azure Command-Line Connection Monitor V2 Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"9a796d5187571990d27feb9efeedde38c194f13ea21cbf9ec06131196bfd821d\"\n - \ }\n ],\n \"cosmosdb-preview\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/cosmosdb_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"cosmosdb_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.17.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"kakhandr@microsoft.com\",\n \"name\": - \"Kalyan khandrika\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cosmosdb-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Cosmosdb-preview Extension\",\n 
\"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"83be5a723d6a0063c4cd17db52a172ef8f9453435d316ef0abbd2ca2dd8e6ca8\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/cosmosdb_preview-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"cosmosdb_preview-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.17.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"kakhandr@microsoft.com\",\n \"name\": - \"Kalyan khandrika\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cosmosdb-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Cosmosdb-preview Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"d8199ccce62c5c7f8670ddf7eb27493fa1c5079ed152607c958fc2b53201fc83\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/cosmosdb_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"cosmosdb_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.17.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System 
Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"kakhandr@microsoft.com\",\n \"name\": - \"Kalyan khandrika\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cosmosdb-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Cosmosdb-preview Extension\",\n \"version\": - \"0.3.0\"\n },\n \"sha256Digest\": \"079af4056ab89f7e27d2a3b6b22c4147b47ce3a27f744ce8b3cde38998afa89e\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/cosmosdb_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"cosmosdb_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.17.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"kakhandr@microsoft.com\",\n \"name\": - \"Kalyan khandrika\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cosmosdb-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Cosmosdb-preview Extension\",\n \"version\": - \"0.4.0\"\n },\n \"sha256Digest\": \"751699f42dffaef4a365aeea0ddcc5432a3bafeb0550ee6ff628df1b0a9e02bd\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/cosmosdb_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"cosmosdb_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.17.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"kakhandr@microsoft.com\",\n \"name\": - \"Kalyan khandrika\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"cosmosdb-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Cosmosdb-preview Extension\",\n \"version\": - \"0.5.0\"\n },\n \"sha256Digest\": \"dd61fd0b1e3b67b63bf731886995743798b72f6c9b00c3c8a589b3cb1b7be3cf\"\n - \ }\n ],\n \"costmanagement\": [\n {\n - \ \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/costmanagement-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"costmanagement-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"costmanagement\",\n \"summary\": \"Microsoft Azure Command-Line - Tools CostManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"d5c8be4d6f3e59a44da32af66f8855c24d9855c5b7bdd2f6571c8721afa20223\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/costmanagement-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"costmanagement-0.1.1-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 
3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/costmanagement\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"costmanagement\",\n \"summary\": \"Microsoft Azure Command-Line - Tools CostManagementClient Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"0a6e0ee27fd5896b45eabf0c9227e63b3c1bbc4975adf4cb566647396fa511f2\"\n - \ }\n ],\n \"csvmware\": [\n {\n \"downloadUrl\": - \"https://github.com/Azure/az-csvmware-cli/releases/download/0.3.0/csvmware-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"csvmware-0.3.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"shimitta@microsoft.com\",\n \"name\": - \"Shivam Mittal\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/az-vmware-cli\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"csvmware\",\n \"summary\": \"Manage Azure VMware Solution - by CloudSimple.\",\n \"version\": \"0.3.0\"\n },\n - \ \"sha256Digest\": \"dfb9767f05ac13c762ea9dc4327169e63a5c11879123544b200edb9a2c9a8a42\"\n - \ }\n ],\n \"custom-providers\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/custom_providers-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"custom_providers-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.4\",\n \"Programming - Language :: Python :: 3.5\",\n \"Programming Language - :: Python :: 3.6\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"custom-providers\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Custom Providers Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"7da462aaa336184b53d7b0b831c0fa77c4239dabe4e70fa4e500e250cf11a8ec\"\n - \ }\n ],\n \"databox\": [\n {\n \"downloadUrl\": - 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/databox-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"databox-0.1.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n \"Programming - Language :: Python :: 3.8\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databox\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataBox Extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"93cac253cd79728eb333715ae56111ffaa287c9d650e924ea07875ab36906974\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/databox-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"databox-0.1.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: 
Python :: 3.4\",\n \"Programming - Language :: Python :: 3.5\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/databox\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databox\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataBox Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"210ab818a566ec69c923c1bc11f8f50295c19c30be378ab67be340a70e921aa1\"\n - \ }\n ],\n \"databricks\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExprimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n 
- \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"36130c36c5d4dd7a76952c3d5b443cf2a76447ccce41094e0b625b85139a366a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExprimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"229272c5b6abcfc37abe86600db356c54ef664b6681b2f8b705aa50be472b1bc\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.3.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.3.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.3.0\"\n - \ },\n \"sha256Digest\": \"daf76d6aea0025d4783926d25fa813b74c1bcaa67bf8d937cc0d72529d06b9fe\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.4.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.4.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: 
Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.4.0\"\n - \ },\n \"sha256Digest\": \"db716fa7a65bfb977ea4d6eb4c5ad56c5dfd39062f0d179c5d3aceff959c2a26\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.5.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.5.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - 
\"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.5.0\"\n - \ },\n \"sha256Digest\": \"9a7bca2c8828959ed048b883da9c2b62c1597f5c6bd475c5269c30a27282080f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.6.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.6.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.6.0\"\n - \ },\n \"sha256Digest\": \"46a77fcd4b31191ce2b2d58e58af982415ea91787628426bd2b3d567da273411\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.7.0-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.7.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n 
\"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.7.0\"\n - \ },\n \"sha256Digest\": \"236f561c6a20141ae854d1dd64a6e5a0b4636d98517e5ba245401882cc7fbd92\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/databricks-0.7.1-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.7.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ 
\"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/databricks\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.7.1\"\n - \ },\n \"sha256Digest\": \"f086792f8910601c68fbe303f7831f77c79486fdf8e44039b1505d2344bac197\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/databricks-0.7.2-py3-none-any.whl\",\n - \ \"filename\": \"databricks-0.7.2-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/databricks\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"databricks\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DatabricksClient Extension\",\n \"version\": \"0.7.2\"\n - \ },\n \"sha256Digest\": \"daf595a051a47dded0fbe18a289e454f221eaaae11d1aadaa3f45612aff1b05f\"\n - \ }\n ],\n \"datafactory\": [\n {\n 
\"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/datafactory-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"datafactory-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/datafactory\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"datafactory\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataFactoryManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"f49b145f8125cde30aedf5080af90e26277ad1527cfb13cff0d72838298241d3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/datafactory-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"datafactory-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n 
\"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/datafactory\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"datafactory\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataFactoryManagementClient Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"7cadaec354c8cbd4eae3465e385685807f619c8e7a2a093e6d4c68a9466b1e6a\"\n - \ }\n ],\n \"datashare\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/datashare-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"datashare-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"datashare\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataShareManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"803c3637f752b0fb77eb5272a544abafe44942ff920a020ff7ea179ace329342\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/datashare-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"datashare-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"datashare\",\n \"summary\": \"Microsoft Azure Command-Line - Tools DataShareManagementClient Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"c0a2b603c0abd320bc3df0a4d6c38945fd894737804690dad98896e2446763f4\"\n - \ }\n ],\n \"db-up\": [\n {\n \"downloadUrl\": - 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/db_up-0.1.13-py2.py3-none-any.whl\",\n - \ \"filename\": \"db_up-0.1.13-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/db-up\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"db-up\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"Cython (==0.29.6)\",\n \"mysql-connector-python - (==8.0.13)\",\n \"psycopg2-binary (==2.7.7)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Additional commands to simplify Azure Database - workflows.\",\n \"version\": \"0.1.13\"\n },\n - \ \"sha256Digest\": \"df397272396c684972d1185e16439159427795b305f67e47fc37447a0c4d1257\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/db_up-0.1.14-py2.py3-none-any.whl\",\n - \ \"filename\": \"db_up-0.1.14-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n 
\"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/db-up\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"db-up\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"Cython (==0.29.17)\",\n \"mysql-connector-python - (==8.0.13)\",\n \"psycopg2-binary (==2.8.5)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Additional commands to simplify Azure Database - workflows.\",\n \"version\": \"0.1.14\"\n },\n - \ \"sha256Digest\": \"2f456a810be680ccc5dd7658b955410582063d56573ff3c38386d5ba2aacf7ee\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/db_up-0.1.15-py2.py3-none-any.whl\",\n - \ \"filename\": \"db_up-0.1.15-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - 
\ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/db-up\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"db-up\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"Cython (==0.29.17)\",\n \"mysql-connector-python - (==8.0.13)\",\n \"psycopg2-binary (==2.8.5)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Additional commands to simplify Azure Database - workflows.\",\n \"version\": \"0.1.15\"\n },\n - \ \"sha256Digest\": \"7c8db14999b2b5a4d4b9ae870562505a120896f39c64c20501502f5fdd897911\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/db_up-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"db_up-0.2.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/db-up\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"db-up\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"Cython (==0.29.17)\",\n \"mysql-connector-python - (==8.0.13)\",\n \"psycopg2-binary (==2.8.5)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Additional commands to simplify Azure Database - workflows.\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"3e5b22cfbe3a0ec63aba3040e541d6819dbb1fbdc5b49286edfd143c79a2b8cb\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/db_up-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"db_up-0.2.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/db-up\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"db-up\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"Cython (==0.29.17)\",\n \"mysql-connector-python - (==8.0.14)\",\n 
\"psycopg2-binary (==2.8.5)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Additional commands to simplify Azure Database - workflows.\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"384b3806d49973cc91688ced691785d83cd7c3557016edc9161c151262ae2ab5\"\n - \ }\n ],\n \"deploy-to-azure\": [\n {\n - \ \"downloadUrl\": \"https://github.com/Azure/deploy-to-azure-cli-extension/releases/download/20200318.1/deploy_to_azure-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"deploy_to_azure-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.60\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"VSTS_Social@microsoft.com\",\n - \ \"name\": \"Microsoft\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/deploy-to-azure-cli-extension\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"deploy-to-azure\",\n \"summary\": \"Deploy to Azure using - Github Actions.\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"f925080ee7abc3aef733d4c6313170bdedaa9569af1b95427383bc3c59e4ceb8\"\n - \ }\n ],\n \"desktopvirtualization\": [\n {\n - \ \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/desktopvirtualization-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"desktopvirtualization-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/desktopvirtualization\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"desktopvirtualization\",\n \"summary\": \"Microsoft Azure - Command-Line Tools DesktopVirtualizationAPIClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"d73c88fe0df98871a221495e000c39fbb22975fdc5066668c9ea0f578ff9a1a9\"\n - \ }\n ],\n \"dev-spaces\": [\n {\n \"downloadUrl\": - \"https://azuredevspacestools.blob.core.windows.net/azdssetup/LKS/dev_spaces-1.0.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"dev_spaces-1.0.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.1.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: 
Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azds-azcli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dev-spaces\",\n \"summary\": \"Dev Spaces provides a - rapid, iterative Kubernetes development experience for teams.\",\n \"version\": - \"1.0.5\"\n },\n \"sha256Digest\": \"6d481b89be4fe8835143433bb0b7c5ba2aba230433bc9ba483c0d26c5ef682a0\"\n - \ },\n {\n \"downloadUrl\": \"https://azuredevspacestools.blob.core.windows.net/azdssetup/LKS/dev_spaces-1.0.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"dev_spaces-1.0.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.63\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azds-azcli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - 
\"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dev-spaces\",\n \"summary\": \"Dev Spaces provides a - rapid, iterative Kubernetes development experience for teams.\",\n \"version\": - \"1.0.4\"\n },\n \"sha256Digest\": \"713600593e7e5c4e317e99d46110485c527740a74d90f01fa9b2ed52cdd42034\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/dev_spaces-1.0.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"dev_spaces-1.0.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.1.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azds-azcli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/dev-spaces\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dev-spaces\",\n \"summary\": \"Dev Spaces provides a - rapid, iterative Kubernetes development experience for teams.\",\n \"version\": 
- \"1.0.6\"\n },\n \"sha256Digest\": \"71041808b27cd9d33fd905c5080c97f61291816f2dddd6dcdb2e66b9fb6ebf59\"\n - \ }\n ],\n \"dev-spaces-preview\": [\n {\n - \ \"downloadUrl\": \"https://azuredevspacestools.blob.core.windows.net/azdssetup/LKS/dev_spaces_preview-0.1.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"dev_spaces_preview-0.1.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.0.62\",\n \"azext.minCliCoreVersion\": - \"2.0.32\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azds-azcli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dev-spaces-preview\",\n \"summary\": \"Dev Spaces provides - a rapid, iterative Kubernetes development experience for teams.\",\n \"version\": - \"0.1.6\"\n },\n \"sha256Digest\": \"16661d66a3b4a04d429d456ba8a8d0b3b6ceb7b32691ff3a1dcc4144c005c798\"\n - \ }\n ],\n \"dms-preview\": [\n {\n \"downloadUrl\": - \"https://azcliorcas.blob.core.windows.net/azclipath/dms_preview-0.11.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"dms_preview-0.11.0-py2.py3-none-any.whl\",\n - \ 
\"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.43\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"arpavlic@microsoft.com\",\n - \ \"name\": \"Artyom Pavlichenko\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/dms-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dms-preview\",\n \"summary\": \"Support for new Database - Migration Service scenarios.\",\n \"version\": \"0.11.0\"\n - \ },\n \"sha256Digest\": \"ef19e5c19976506a8f8910ec04bc785ebeffb5a4c8764047e4e4d42f812b0845\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/dms_preview-0.12.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"dms_preview-0.12.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.43\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language 
- :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"arpavlic@microsoft.com\",\n - \ \"name\": \"Artyom Pavlichenko\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/dms-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"dms-preview\",\n \"summary\": \"Support for new Database - Migration Service scenarios.\",\n \"version\": \"0.12.0\"\n - \ },\n \"sha256Digest\": \"5e2fd9a8e413fd13a280fbba9964658a5569af2e49e802bd12116ec01e5dd0ae\"\n - \ }\n ],\n \"eventgrid\": [\n {\n \"downloadUrl\": - \"https://eventgridcliextension.blob.core.windows.net/cli/eventgrid-0.4.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"eventgrid-0.4.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ahamad@microsoft.com\",\n - \ \"name\": \"Ashraf Hamad.\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"eventgrid\",\n \"summary\": \"Microsoft Azure Command-Line - Tools EventGrid Command Module.\",\n \"version\": \"0.4.4\"\n - \ },\n \"sha256Digest\": \"c91ac92ab27a7127c9def51e096f749986b57acf209b357eaf1494d3dbfb33f9\"\n - \ },\n {\n \"downloadUrl\": \"https://eventgridcliextension.blob.core.windows.net/cli/eventgrid-0.4.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"eventgrid-0.4.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"rgrandhi@microsoft.com\",\n - \ \"name\": \"Ramesh Grandhi.\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"eventgrid\",\n \"summary\": \"Microsoft Azure Command-Line - Tools EventGrid Command Module.\",\n \"version\": \"0.4.6\"\n - \ },\n \"sha256Digest\": \"6ef9f9cf895b5dcdf9a38c2490a0c81e8254de4302dc7139fb6a4fcf2203318d\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/eventgrid-0.4.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"eventgrid-0.4.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ahamad@microsoft.com\",\n - \ \"name\": \"Ashraf Hamad.\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"eventgrid\",\n \"summary\": \"Microsoft Azure Command-Line - Tools EventGrid Command Module.\",\n \"version\": \"0.4.7\"\n - \ },\n \"sha256Digest\": \"f1bff60574d25ccc04eb2038081771b626651d144d9ab01be2b7410e1b02f56a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/eventgrid-0.4.8-py2.py3-none-any.whl\",\n - \ \"filename\": \"eventgrid-0.4.8-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: 
Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ahamad@microsoft.com\",\n - \ \"name\": \"Ashraf Hamad.\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"eventgrid\",\n \"summary\": \"Microsoft Azure Command-Line - Tools EventGrid Command Module.\",\n \"version\": \"0.4.8\"\n - \ },\n \"sha256Digest\": \"8f307569c920e1b75d4b6dfb47ad80c0cd49bf54a3a65139b57edff8a4776d45\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/eventgrid-0.4.9-py2.py3-none-any.whl\",\n - \ \"filename\": \"eventgrid-0.4.9-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.49\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ahamad@microsoft.com\",\n - \ \"name\": \"Ashraf Hamad.\",\n \"role\": - \"author\"\n }\n 
],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"eventgrid\",\n \"summary\": \"Microsoft Azure Command-Line - Tools EventGrid Command Module.\",\n \"version\": \"0.4.9\"\n - \ },\n \"sha256Digest\": \"1682f61dbb8350611dfeb1f2486158732264eeb35e22af8d7daf39839a720839\"\n - \ }\n ],\n \"express-route-cross-connection\": [\n - \ {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/express_route_cross_connection-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"express_route_cross_connection-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.41\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/express-route-cross-connection\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"express-route-cross-connection\",\n \"summary\": \"Manage - customer 
ExpressRoute circuits using an ExpressRoute cross-connection.\",\n - \ \"version\": \"0.1.1\"\n },\n \"sha256Digest\": - \"b83f723baae0ea04557a87f358fa2131baf15d45cd3aba7a9ab42d14ec80df38\"\n }\n - \ ],\n \"footprint\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/footprint-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"footprint-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/footprint\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"footprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools FootprintMonitoringManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"69b0e9a19682f12c67af509071177e442349e1e2ae2f07f1e15d5a3f4136aa95\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/footprint-1.0.0-py3-none-any.whl\",\n - \ \"filename\": \"footprint-1.0.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": 
[\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/footprint\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"footprint\",\n \"summary\": \"Microsoft Azure Command-Line - Tools FootprintMonitoringManagementClient Extension\",\n \"version\": - \"1.0.0\"\n },\n \"sha256Digest\": \"4aa59288bf46cfd68519f1f7f63d3e33af16d80632b84c283cc7152129260b2c\"\n - \ }\n ],\n \"front-door\": [\n {\n \"downloadUrl\": - \"https://azurecliafd.blob.core.windows.net/azure-cli-extension/front_door-1.0.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.68\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n 
\"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.2\"\n },\n - \ \"sha256Digest\": \"a009045bab5dec0dfcd9715e2993ed0fa7a59b4bc6633d388415f482ed9cbc46\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.68\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": 
- \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.3\"\n },\n - \ \"sha256Digest\": \"e483de77921937c210e03ed32e161d0384f162c8b253bd03fe8da1927b4160d7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.68\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.4\"\n },\n - \ \"sha256Digest\": \"49f509e8b56f4a1ef1870bac7273376df5e7fbfe1c25e10cf236e9448d66683c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.5-py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.5-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n 
\"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.5\"\n },\n - \ \"sha256Digest\": \"cd55a87740de19cbd66444bdb398fd4a64115aeff92d52d2704a19ea2f083c60\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.6-py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.6-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - 
\"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.6\"\n },\n - \ \"sha256Digest\": \"fbf965d7146884a87f481138dc06153dc95fd486f9dfeb40c1f11ce4667e203e\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.7-py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.7-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.7\"\n },\n - \ \"sha256Digest\": \"9a97ac67c089d1e3a753fa55fa80e44b8f8a89bcae42442c19e34b035ae96231\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.8-py3-none-any.whl\",\n - \ 
\"filename\": \"front_door-1.0.8-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.8\"\n },\n - \ \"sha256Digest\": \"ccc7b5eba917945af589fed41dd6435eb1fe96385ae0a80c1b3bbb4db03b77a5\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/front_door-1.0.9-py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.9-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - 
[\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.9\"\n },\n - \ \"sha256Digest\": \"064aa0c647e0dd320fd1eba50257387fd27e125838a2cf5b58121cc1c5eefc45\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/front_door-1.0.11-py3-none-any.whl\",\n - \ \"filename\": \"front_door-1.0.11-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.68\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/front-door\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"front-door\",\n \"summary\": \"Manage networking Front - Doors.\",\n \"version\": \"1.0.11\"\n },\n - \ \"sha256Digest\": 
\"7f9ea186e512e6a81f3199a18cd19b5065cf9f17faedacd2936e24350ee7be14\"\n - \ }\n ],\n \"fzf\": [\n {\n \"downloadUrl\": - \"https://pahealy.blob.core.windows.net/azext-fzf/fzf-1.0.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"fzf-1.0.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.isPreview\": - false,\n \"azext.maxCliCoreVersion\": \"2.99.0\",\n \"azext.minCliCoreVersion\": - \"2.9.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"patrick.healy@microsoft.com\",\n - \ \"name\": \"Patrick W. 
Healy\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/phealy/azure-cli-fzf\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"fzf\",\n \"summary\": \"Microsoft Azure Command-Line - Tools fzf Extension\",\n \"version\": \"1.0.2\"\n },\n - \ \"sha256Digest\": \"87fc41624d52af36251c67f8f307e4e3b3789f8664e917d6d5bf4305fbb64e6d\"\n - \ }\n ],\n \"guestconfig\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/guestconfig-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"guestconfig-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/guestconfig\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"guestconfig\",\n \"summary\": \"Microsoft Azure Command-Line - Tools GuestConfigurationClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": 
\"0cf21ef88d49458157dae77e5bb25dfdfff8c12e76d15a19d468b408f4ab61c5\"\n - \ }\n ],\n \"hack\": [\n {\n \"downloadUrl\": - \"https://azhackcli.blob.core.windows.net/whl/hack-0.4.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"hack-0.4.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"chrhar@microsoft.com\",\n - \ \"name\": \"Christopher Harrison\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hack\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Hack Extension\",\n \"version\": \"0.4.2\"\n },\n - \ \"sha256Digest\": \"6b91fae1e3f102bcafd342055e2c743af7231925f2a3a9878db486869f97499c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/hack-0.4.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"hack-0.4.3-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 
3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n \"Programming - Language :: Python :: 3.8\",\n \"Programming Language - :: Python :: 3.9\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"chrhar@microsoft.com\",\n \"name\": \"Christopher - Harrison\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/hack\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hack\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Hack Extension\",\n \"version\": \"0.4.3\"\n },\n - \ \"sha256Digest\": \"bd608002fbab185c137cbbe4de73f7dbc1a438236c96ea53ddc22e27aa7fa013\"\n - \ }\n ],\n \"hardware-security-modules\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/hardware_security_modules-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"hardware_security_modules-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n 
\"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hardware-security-modules\",\n \"summary\": \"Microsoft - Azure Command-Line Tools AzureDedicatedHSMResourceProvider Extension\",\n - \ \"version\": \"0.1.0\"\n },\n \"sha256Digest\": - \"dafa526a4bce243940432e91f6f28d2254bdcc1a90eaa0f097493f9d79a23b36\"\n }\n - \ ],\n \"healthbot\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/healthbot-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"healthbot-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/healthbot\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"healthbot\",\n \"summary\": \"Microsoft Azure Command-Line - Tools HealthbotClient Extension\",\n \"version\": \"0.1.0\"\n - \ },\n 
\"sha256Digest\": \"9134fad2511516e714a5db346d63865af0badf0599ade3f1c15faca0055585a3\"\n - \ }\n ],\n \"healthcareapis\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/healthcareapis-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"healthcareapis-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"healthcareapis\",\n \"summary\": \"Microsoft Azure Command-Line - Tools HealthCareApis Extension\",\n \"version\": \"0.1.3\"\n - \ },\n \"sha256Digest\": \"2bc0f7c9642cb0afe682218761205d2b7ffe842a397fd679ad462506f2846ce0\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/healthcareapis-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"healthcareapis-0.2.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ 
],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"healthcareapis\",\n \"summary\": \"Microsoft Azure Command-Line - Tools HealthcareApisManagementClient Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"460655a4287a7e4ecf69fac32c95628df9ce776a802f061a81f54f7d89aca0ba\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/healthcareapis-0.3.0-py3-none-any.whl\",\n - \ \"filename\": \"healthcareapis-0.3.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/healthcareapis\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"healthcareapis\",\n \"summary\": \"Microsoft Azure Command-Line - Tools HealthcareApisManagementClient Extension\",\n \"version\": - \"0.3.0\"\n },\n \"sha256Digest\": 
\"6dcb79765e87026db4f6e09f4a85e9d6a523fb9928a5586c3cb5e16cc1e1f3be\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/healthcareapis-0.3.1-py3-none-any.whl\",\n - \ \"filename\": \"healthcareapis-0.3.1-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/healthcareapis\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"healthcareapis\",\n \"summary\": \"Microsoft Azure Command-Line - Tools HealthcareApisManagementClient Extension\",\n \"version\": - \"0.3.1\"\n },\n \"sha256Digest\": \"c1804f41528fdfb2ccc355a3a7e28c961fb1a783c767d855b886db0483897e33\"\n - \ }\n ],\n \"hpc-cache\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/hpc_cache-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"hpc_cache-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended 
Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hpc-cache\",\n \"summary\": \"Microsoft Azure Command-Line - Tools StorageCache Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"0961683cd21f09622399f54b62389fc5d529f861c2280c4751ae977c83da9ae0\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/hpc_cache-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"hpc_cache-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n 
\"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hpc-cache\",\n \"summary\": \"Microsoft Azure Command-Line - Tools StorageCache Extension\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"16f3648054ccadb1d8e3110ac7febd238f1583b1c559cd19395096e9b7588be4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/hpc_cache-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"hpc_cache-0.1.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/hpc-cache\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"hpc-cache\",\n \"summary\": \"Microsoft Azure Command-Line - Tools StorageCache Extension\",\n \"version\": \"0.1.2\"\n - \ },\n \"sha256Digest\": 
\"6ca5b80e7c705bca73ec1ecfc791d82721fa19d12e4449be4d27933901a9e471\"\n - \ }\n ],\n \"image-copy-extension\": [\n {\n - \ \"downloadUrl\": \"https://files.pythonhosted.org/packages/48/6f/7fa75dfa7c015c0b58f18473b4aa8d565be8606d9740d4442b32b17df913/image_copy_extension-0.2.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"tamir.kamara@microsoft.com\",\n \"name\": - \"Tamir Kamara\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.3\"\n },\n \"sha256Digest\": \"8a88c2600f9dad5f38ca6128ab8efaa38a974fbb7fe8c875fc50b7bb7d37bd54\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/image_copy_extension-0.2.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status 
:: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"tamir.kamara@microsoft.com\",\n - \ \"name\": \"Tamir Kamara\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.4\"\n },\n \"sha256Digest\": \"174e2437b20a979257a93017209ba1ff5d1969ea1eca7f3cbe57e8d11c75f4f4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/image_copy_extension-0.2.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"tamir.kamara@microsoft.com\",\n - \ \"name\": \"Tamir Kamara\",\n \"role\": - \"author\"\n }\n 
],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.5\"\n },\n \"sha256Digest\": \"14216b9664365a03ccd6d2cb469a32ab1e38f1d1e9b2735d27725cdc5300b148\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/image_copy_extension-0.2.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"tamir.kamara@microsoft.com\",\n - \ \"name\": \"Tamir Kamara\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.6\"\n },\n \"sha256Digest\": \"69cc6fac34625677c94fb276dc97caca8769295db51dc480da4b194a0ec94720\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/image_copy_extension-0.2.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"tamir.kamara@microsoft.com\",\n - \ \"name\": \"Tamir Kamara\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.7\"\n },\n \"sha256Digest\": \"565cf4411a6b12d2940365a7d4d578422709a2c38f95a253e5f6e82ab9bd6bdd\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/image_copy_extension-0.2.8-py2.py3-none-any.whl\",\n - \ \"filename\": \"image_copy_extension-0.2.8-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.24\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python 
- :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"tamir.kamara@microsoft.com\",\n - \ \"name\": \"Tamir Kamara\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/image-copy\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"image-copy-extension\",\n \"summary\": \"Support for - copying managed vm images between regions\",\n \"version\": - \"0.2.8\"\n },\n \"sha256Digest\": \"b57f554b77e68d414b9f79016311a3e5c180f76206557909319edcad9ada5240\"\n - \ }\n ],\n \"import-export\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/import_export-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"import_export-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": 
\"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"import-export\",\n \"summary\": \"Microsoft Azure Command-Line - Tools StorageImportExport Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"6a5a1a1a23c7ff90e01b1f0a33d04874d750845e6cda56badce4ce99a518ef55\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/import_export-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"import_export-0.1.1-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"import-export\",\n \"summary\": \"Microsoft Azure Command-Line - Tools StorageImportExport Extension\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"0680948362e12138c9582e68e471533482749bd660bfe3c8c2a4d856e90927b0\"\n - \ }\n ],\n \"interactive\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/interactive-0.4.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"interactive-0.4.1-py2.py3-none-any.whl\",\n - \ 
\"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.0.61\",\n \"azext.minCliCoreVersion\": - \"2.0.50.dev0\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"interactive\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"prompt-toolkit (~=1.0.15)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Interactive Shell\",\n \"version\": - \"0.4.1\"\n },\n \"sha256Digest\": \"22b940493972b77c62606b0ae3c834283209d8619bb740e69dd115530a328e3b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/interactive-0.4.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"interactive-0.4.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.62\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"interactive\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"prompt-toolkit (~=1.0.15)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Interactive Shell\",\n \"version\": - \"0.4.3\"\n },\n \"sha256Digest\": 
\"ba78a45ec9753a42e1e805dc9cf3b309df264c6201dfd1dabcc6c00b22599fe8\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/interactive-0.4.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"interactive-0.4.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.62\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\"\n - \ ],\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"interactive\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"prompt-toolkit (~=1.0.15)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Interactive Shell\",\n \"version\": - \"0.4.4\"\n },\n \"sha256Digest\": \"1e66bc1f117fac90f320c072a08f527b8570f5a6725670a1fb4d05f2c7eb7a31\"\n - \ }\n ],\n \"internet-analyzer\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/internet_analyzer-0.1.0rc5-py2.py3-none-any.whl\",\n - \ \"filename\": \"internet_analyzer-0.1.0rc5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n 
\"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"internet-analyzer\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Internet Analyzer Extension\",\n \"version\": - \"0.1.0rc5\"\n },\n \"sha256Digest\": \"7e5ee753abece69fb917f3a96be4a3d8117ffbbbd75d18c2e54c74c0fe2b952e\"\n - \ }\n ],\n \"ip-group\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/ip_group-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"ip_group-0.1.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ip-group\",\n \"summary\": \"Microsoft Azure Command-Line - Tools IpGroup Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"477d7f58fe44a4ecb0ced3497262d7ccd8bb7677d70582b6fccf645e91d25ad4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/ip_group-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"ip_group-0.1.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - 
Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"Programming Language - :: Python :: 3.7License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"ip-group\",\n \"summary\": \"Microsoft Azure Command-Line - Tools IpGroup Extension\",\n \"version\": \"0.1.2\"\n },\n - \ \"sha256Digest\": \"afba2d8a8a612863b63f504d6cff6d559610b961e4c77dc2fd49b9fe03ec67a2\"\n - \ }\n ],\n \"k8s-configuration\": [\n {\n - \ \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/k8s_configuration-1.0.0-py3-none-any.whl\",\n - \ \"filename\": \"k8s_configuration-1.0.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": 
- {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8s-configuration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8s-configuration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"pycryptodome (~=3.9.8)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Tools K8s-configuration Extension\",\n \"version\": - \"1.0.0\"\n },\n \"sha256Digest\": \"80b79b09d9caa8e1813dad25703c442aec35e01d60a3ea13389ebaec3e94933c\"\n - \ }\n ],\n \"k8sconfiguration\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.1.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.1.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel 
(0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"k8sconfiguration\",\n \"summary\": \"Microsoft Azure - Command-Line Tools K8sconfiguration Extension\",\n \"version\": - \"0.1.7\"\n },\n \"sha256Digest\": \"6440f1f1bebda0b3288ab95654a107e3f803d1ad2a23276cd5e27abe6a71dd60\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.1.8-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.1.8-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"k8sconfiguration\",\n \"summary\": \"Microsoft Azure - Command-Line Tools K8sconfiguration Extension\",\n \"version\": - \"0.1.8\"\n },\n \"sha256Digest\": \"9d4b9d9dfcd8793297af670de10254804f5ce6d1bac6b0ad8e872cc5fdc5f761\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8sconfiguration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8sconfiguration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"paramiko (~=2.6.0)\",\n \"pycryptodome - (~=3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools K8sconfiguration - Extension\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"ae3ec26beb84e821a169f02479cfc337b82141738bef7a0b09422d3676add9ae\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8sconfiguration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8sconfiguration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"paramiko (~=2.6.0)\",\n \"pycryptodome - (~=3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools K8sconfiguration - Extension\",\n \"version\": \"0.2.1\"\n },\n - \ \"sha256Digest\": \"a9ae3e56d1289c340ebcb2790775801a9a932d6f5edba66689bada001e35f9ba\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8sconfiguration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8sconfiguration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"paramiko (~=2.6.0)\",\n \"pycryptodome - (~=3.9.8)\"\n ]\n 
}\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools K8sconfiguration - Extension\",\n \"version\": \"0.2.2\"\n },\n - \ \"sha256Digest\": \"8692905679d9a800326aea7698818778b6f0ce4761232e20e8fc39c67ccb28d3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.2.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"k8sconfiguration-0.2.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8sconfiguration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8sconfiguration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"paramiko (~=2.6.0)\",\n \"pycryptodome - (~=3.9.8)\"\n ]\n }\n ],\n - \ \"summary\": \"Microsoft Azure Command-Line Tools K8sconfiguration - Extension\",\n \"version\": \"0.2.3\"\n },\n - \ \"sha256Digest\": \"65f87fadf798e66d87bfd3add12807140523cc324d5ca3dcf03bee2ce6e0839f\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/k8sconfiguration-0.2.4-py3-none-any.whl\",\n - \ \"filename\": 
\"k8sconfiguration-0.2.4-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/k8sconfiguration\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"k8sconfiguration\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"pycryptodome (~=3.9.8)\"\n ]\n - \ }\n ],\n \"summary\": - \"Microsoft Azure Command-Line Tools K8sconfiguration Extension\",\n \"version\": - \"0.2.4\"\n },\n \"sha256Digest\": \"39940729eb7820da63d543861395b11552e86673a884bd9d1603a0fbf09e30d7\"\n - \ }\n ],\n \"kusto\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/kusto-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"kusto-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: 
Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"kusto\",\n \"summary\": \"Microsoft Azure Command-Line - Tools KustoManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"ffa47cb6f8f850e75412dffa6a5e52f857d5e7ca217322ce176eea81d24768e8\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/kusto-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"kusto-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/kusto\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"kusto\",\n \"summary\": \"Microsoft Azure Command-Line - Tools KustoManagementClient Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"e6febb41b7a6dc6ec752825fe2af9506ff40c227bfcea9a3af5e6ded115003d1\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/kusto-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"kusto-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/kusto\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"kusto\",\n \"summary\": \"Microsoft Azure Command-Line - Tools KustoManagementClient Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"5738e9b48c17008688080a6b3cfd37b67dfe597a538c874ec75dddcc8e18935a\"\n - \ }\n ],\n \"log-analytics\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics-0.1.4-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"log_analytics-0.1.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/log-analytics\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics\",\n \"summary\": \"Support for Azure Log - Analytics query capabilities.\",\n \"version\": \"0.1.4\"\n - \ },\n \"sha256Digest\": \"6f4789fff8581a52e13bcf8f13fdc16b47662fac69e1fc3ea49280de1a8e65bc\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"log_analytics-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"aleldeib@microsoft.com\",\n \"name\": - \"Ace Eldeib\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/log-analytics\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics\",\n \"summary\": \"Support for Azure Log - Analytics query capabilities.\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"28a24f605e80c6fc56408add14981e5b4572077f2b5f0c55208f4105624cc91b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"log_analytics-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/log-analytics\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics\",\n \"summary\": \"Support for Azure Log - Analytics query capabilities.\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"23751654f76334e97c3ae3b10dd4e6896785cbf5c7c9442d3f979ebd6b9c6c21\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"log_analytics-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"aleldeib@microsoft.com\",\n - \ \"name\": \"Ace Eldeib\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/log-analytics\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics\",\n \"summary\": \"Support for Azure Log - Analytics query capabilities.\",\n \"version\": \"0.2.2\"\n - \ },\n \"sha256Digest\": \"c04c42a26d50db82d14f76e209184b18d4cce17b458817ac607e3ff975641eb2\"\n - \ }\n ],\n \"log-analytics-solution\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics_solution-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"log_analytics_solution-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience 
:: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.4\",\n \"Programming - Language :: Python :: 3.5\",\n \"Programming Language - :: Python :: 3.6\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics-solution\",\n \"summary\": \"Microsoft - Azure Command-Line Tools Operations Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"844bf0a063b4e244bfe14e215c82d7d70327540b7bf446b7cb1d97ebb8a98119\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics_solution-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"log_analytics_solution-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.4\",\n \"Programming - Language :: Python :: 3.5\",\n \"Programming Language - :: Python :: 3.6\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n 
\"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"log-analytics-solution\",\n \"summary\": \"Support for - Azure Log Analytics Solution\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"0c85556a82ef5850c9f90b58380c5cde6a70a2bd2a464c0a8e429c77152a87bd\"\n - \ }\n ],\n \"logic\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/logic-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"logic-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"logic\",\n \"summary\": \"Microsoft Azure Command-Line - Tools LogicManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"b02dea64e03adb7cf17a7afafc28844949c0f3a030f4eb005059452f0ac68040\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/logic-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"logic-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/logic\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"logic\",\n \"summary\": \"Microsoft Azure Command-Line - Tools LogicManagementClient Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"906b43b34be4ed38c883a4f2031ff7b2b0547f51b16c8553f050afc2986ec939\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/logic-0.1.2-py3-none-any.whl\",\n - \ \"filename\": \"logic-0.1.2-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming 
Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/logic\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"logic\",\n \"summary\": \"Microsoft Azure Command-Line - Tools LogicManagementClient Extension\",\n \"version\": - \"0.1.2\"\n },\n \"sha256Digest\": \"35127cc723edf1c6311354326ebae9aa5b0d72d11141fddf3efc8fb84eadac81\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/logic-0.1.3-py3-none-any.whl\",\n - \ \"filename\": \"logic-0.1.3-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/logic\"\n - \ }\n }\n },\n - \ \"generator\": 
\"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"logic\",\n \"summary\": \"Microsoft Azure Command-Line - Tools LogicManagementClient Extension\",\n \"version\": - \"0.1.3\"\n },\n \"sha256Digest\": \"38a1e8285fa8ad34632094b749aa1bea703440c946f01fc546306b8e934f389a\"\n - \ }\n ],\n \"maintenance\": [\n {\n \"downloadUrl\": - \"https://mrpcliextensionrelease.blob.core.windows.net/cliextension/maintenance-1.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"maintenance-1.0.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.0.47\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"abkmr@microsoft.com\",\n \"name\": \"Abhishek - Kumar\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"maintenance\",\n \"summary\": \"Support for Azure maintenance - management.\",\n \"version\": \"1.0.1\"\n },\n - \ \"sha256Digest\": \"3e0fb5392bd29e53e7afde543d1a0ef5d33a6032f01322fd75b7afe7016c34fc\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/maintenance-1.1.0-py3-none-any.whl\",\n - \ \"filename\": 
\"maintenance-1.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/maintenance\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"maintenance\",\n \"summary\": \"Microsoft Azure Command-Line - Tools MaintenanceClient Extension\",\n \"version\": \"1.1.0\"\n - \ },\n \"sha256Digest\": \"351c717a37e6fb9b29d22cdca3b0744a452a1116e83f9e57e794464311708c97\"\n - \ }\n ],\n \"managementpartner\": [\n {\n - \ \"downloadUrl\": \"https://files.pythonhosted.org/packages/28/08/0fde582cf50eaf1ef304b35674b9b22f6731d95b2e41339eba4d35583b18/managementpartner-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"managementpartner-0.1.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"classifiers\": [\n - \ \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: 
Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"jefl@microsoft.com\",\n \"name\": - \"Jeffrey Li\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.29.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"managementpartner\",\n \"summary\": \"Support for Management - Partner preview\",\n \"version\": \"0.1.2\"\n },\n - \ \"sha256Digest\": \"f7ec0984b4d5a4c9192aa3ab6b78c867fc38cf620effef1804d89c9d1d9f204f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/managementpartner-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"managementpartner-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"jefl@microsoft.com\",\n \"name\": - \"Jeffrey Li\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"managementpartner\",\n \"summary\": \"Support for Management - Partner preview\",\n \"version\": \"0.1.3\"\n },\n - \ \"sha256Digest\": \"22ddf4b1cdc77e99262cb6089c4d96040065828a1d38a2709fdb945d3c851839\"\n - \ }\n ],\n \"mesh\": [\n {\n \"downloadUrl\": - \"https://meshcli.blob.core.windows.net/cli/mesh-0.10.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"mesh-0.10.6-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"mesh\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"sfmergeutility (==0.1.6)\"\n ]\n - \ }\n ],\n \"summary\": - \"Support for Microsoft Azure Service Fabric Mesh - Public Preview\",\n \"version\": - \"0.10.6\"\n },\n \"sha256Digest\": \"07b6356cd15294c0bc0b31cfde1cdb2b92516b00728980d7a53557bb49273842\"\n - \ }\n ],\n \"mixed-reality\": [\n {\n \"downloadUrl\": - \"https://test-files.pythonhosted.org/packages/e4/fa/14628eb512ef4f0c38e4e6c8ee2d0624e03d352ca0ec1b1167a32f9de9a3/mixed_reality-0.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"mixed_reality-0.0.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"classifiers\": [\n - \ \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - 
Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"xiangyul@microsoft.com\",\n - \ \"name\": \"Xiangyu Luo\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"mixed-reality\",\n \"summary\": \"Mixed Reality Azure - CLI Extension.\",\n \"version\": \"0.0.1\"\n },\n - \ \"sha256Digest\": \"c5b7ef47d8db578920bcbda371a47edd19f8f681088823c2622dcb9332417587\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/mixed_reality-0.0.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"mixed_reality-0.0.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.30\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"xiangyul@microsoft.com\",\n - \ \"name\": \"Xiangyu Luo\",\n 
\"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"mixed-reality\",\n \"summary\": \"Mixed Reality Azure - CLI Extension.\",\n \"version\": \"0.0.2\"\n },\n - \ \"sha256Digest\": \"30449391c1d1e9d67210d0ef81109a11a0f74a24a6f07644c17aed58cf056173\"\n - \ }\n ],\n \"monitor-control-service\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/monitor_control_service-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"monitor_control_service-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/monitor-control-service\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"monitor-control-service\",\n \"summary\": \"Microsoft - Azure Command-Line Tools MonitorClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": 
\"71604e21a29c5bd84916a890cdf6e09dd7a0623867871d5ac8a0f5c2bed179dd\"\n - \ }\n ],\n \"netappfiles-preview\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/netappfiles_preview-0.3.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"netappfiles_preview-0.3.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.56\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/netappfiles-preview\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"netappfiles-preview\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"msrest\"\n ]\n - \ }\n ],\n \"summary\": - \"Provides a preview for upcoming Azure NetApp Files (ANF) features.\",\n - \ \"version\": \"0.3.2\"\n },\n \"sha256Digest\": - \"d581bfefe3eb7fbceeed12c192ebdf5993fcf04ede7267d053aa416596bd0b53\"\n }\n - \ ],\n \"next\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/next-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"next-0.1.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.19.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"next\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Next Extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"038d673501dd3b3c04314d0f69f01cfdd52e6ca3f44820a45d20dc3dd58317dd\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/next-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"next-0.1.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.20.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ 
\"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"next\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Next Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"dee069e3a0efafbec8154fbf91ced5cee1f782599a726ac5937b9adc297d3c8a\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/next-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"next-0.1.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.20.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"next\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Next Extension\",\n 
\"version\": \"0.1.2\"\n },\n - \ \"sha256Digest\": \"3bd9bc4ddf96fdb0ce17da57700fd40fc2a7aca56c0277ff95376256baeab4c8\"\n - \ }\n ],\n \"notification-hub\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/notification_hub-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"notification_hub-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"notification-hub\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Notification Hub Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"6f8ae57c43f53380db7944d5244121b3b757f996f6ecca394696106fd2c1d875\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/notification_hub-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"notification_hub-0.2.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - 
\"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"notification-hub\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Notification Hub Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"a8d0333e6c8ecc8846dcf162f01ce3d1f7a84cc4a431ec44cb5f48bd498b6d1b\"\n - \ }\n ],\n \"offazure\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/offazure-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"offazure-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/offazure\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"offazure\",\n \"summary\": \"Microsoft Azure Command-Line - Tools AzureMigrateV2 Extension\",\n \"version\": 
\"0.1.0\"\n - \ },\n \"sha256Digest\": \"1918817070ae9e0ceef57b93366d18b6e8bf577fd632e7da999e1e2abbb53656\"\n - \ }\n ],\n \"peering\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/peering-0.1.0rc2-py2.py3-none-any.whl\",\n - \ \"filename\": \"peering-0.1.0rc2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"peering\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Peering Extension\",\n \"version\": \"0.1.0rc2\"\n - \ },\n \"sha256Digest\": \"1b73d60427e5e84971e244a5884b7f14e0e05e65792e9ecc7483695d1b596992\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/peering-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"peering-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ 
\"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"peering\",\n \"summary\": \"Microsoft Azure Command-Line - Tools PeeringManagementClient Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"dd301c22107f961692a4acdbb5a98d28a7e86e7fb8619f2322884a2bc5507241\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/peering-0.2.1-py3-none-any.whl\",\n - \ \"filename\": \"peering-0.2.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/peering\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"peering\",\n \"summary\": \"Microsoft Azure Command-Line - Tools PeeringManagementClient Extension\",\n \"version\": - \"0.2.1\"\n },\n \"sha256Digest\": \"b068c12b47f17304af51431a2ae975339b7d4601a180e83916efae73d7c42600\"\n - \ }\n ],\n \"portal\": [\n {\n 
\"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/portal-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"portal-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"portal\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Portal Extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"89fdc138db22055fc09cf30a46050205a9e842d8fe386a3d8773ea563b074083\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/portal-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"portal-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: 
Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"portal\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Portal Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"a3fc71fd6f0390850a60947cc1bff31d6346fc3f79e3ac8947add577c10c31a3\"\n - \ }\n ],\n \"powerbidedicated\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/powerbidedicated-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"powerbidedicated-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"3.0.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n 
\"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"powerbidedicated\",\n \"summary\": \"Microsoft Azure - Command-Line Tools PowerBIDedicated Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"a7373b5005814f9d6d0151622c8356b37758a7548aa2fb8cad3ddc4368c5e05f\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/powerbidedicated-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"powerbidedicated-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"3.0.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/powerbidedicated\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"powerbidedicated\",\n \"summary\": \"Microsoft Azure - Command-Line Tools PowerBIDedicated Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": 
\"127cb7b69076d07254aee3b57720409455e601ad431d3e12d713d886578ce1bf\"\n - \ }\n ],\n \"providerhub\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/providerhub-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"providerhub-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.15.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/providerhub\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"providerhub\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Providerhub Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"9385d61fe18f10c379e7a7c57a1ded34dd0f5b15bcf021777e4d51d288b703fe\"\n - \ }\n ],\n \"quantum\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/quantum-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"quantum-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.5.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System 
Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"que-contacts@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation, Quantum - Team\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"quantum\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Quantum Extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"ac71362fb4834e02f26644403b4aac166def6488474e4f201ce3243b12b2424f\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/quantum-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"quantum-0.2.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.5.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"que-contacts@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation, Quantum - Team\",\n \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": 
\"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"quantum\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Quantum Extension\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"49f14768df82cf63f8be1a4bdc69ecd531149c7603f05d1951431c006dcc3660\"\n - \ }\n ],\n \"rdbms-connect\": [\n {\n \"downloadUrl\": - \"https://azcliprod.blob.core.windows.net/cli-extensions/rdbms_connect-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"rdbms_connect-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.19.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/rdbms-connect\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"rdbms-connect\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"mycli (==1.22.2)\",\n \"pgcli - (==3.0.0)\",\n \"setproctitle (==1.2.2)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Support for testing connection to Azure - Database for MySQL & 
PostgreSQL servers.\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"fd80779e01d5afa74da88dda0339b9068e5ca3390d2dea78b034002c62b713b4\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/rdbms_connect-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"rdbms_connect-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.19.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/rdbms-connect\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"rdbms-connect\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"mycli (==1.22.2)\",\n \"pgcli - (==3.0.0)\",\n \"setproctitle (==1.2.2)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Support for testing connection to Azure - Database for MySQL & PostgreSQL servers.\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"83e3110a82f414274564d97ae5ba1088557376d5cc68cc358152135c283acf15\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/rdbms_connect-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"rdbms_connect-0.1.2-py2.py3-none-any.whl\",\n - \ 
\"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.19.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/rdbms-connect\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"rdbms-connect\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"mycli (==1.22.2)\",\n \"pgcli - (==3.0.0)\",\n \"setproctitle (==1.2.2)\"\n - \ ]\n }\n ],\n - \ \"summary\": \"Support for testing connection to Azure - Database for MySQL & PostgreSQL servers.\",\n \"version\": - \"0.1.2\"\n },\n \"sha256Digest\": \"c738cd82edc1c9ad31ba0250eab982ef344d01e50e11dfec9c5b96ccdd5d1b6b\"\n - \ }\n ],\n \"redisenterprise\": [\n {\n - \ \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/redisenterprise-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"redisenterprise-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python 
:: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/redisenterprise\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"redisenterprise\",\n \"summary\": \"Microsoft Azure Command-Line - Tools RedisEnterpriseManagementClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"22b1965e5a148ce4eb2d45bf48880caa21becb165810b1b93658886cd5e39515\"\n - \ }\n ],\n \"resource-graph\": [\n {\n - \ \"downloadUrl\": \"https://files.pythonhosted.org/packages/bd/c1/3df175a9a6a0c6aeae1ca1a7499955d75dd03452b5ba75f6df01a02b7c7f/resource_graph-1.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"resource_graph-1.0.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.45\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"ilidemi@microsoft.com\",\n \"name\": - \"Ilia Demianenko\",\n \"role\": \"author\"\n - \ },\n {\n \"email\": - \"earc@microsoft.com\",\n \"name\": \"Azure - Resource Graph\",\n \"role\": \"maintainer\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/resource-graph\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"resource-graph\",\n 
\"summary\": \"Support for querying - Azure resources with Resource Graph.\",\n \"version\": - \"1.0.0\"\n },\n \"sha256Digest\": \"76f10264a7c6d78664c34e73d390565ce66e639fd39ffdfad149da8fc499112d\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/resource_graph-1.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"resource_graph-1.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.4\",\n \"Programming - Language :: Python :: 3.5\",\n \"Programming Language - :: Python :: 3.6\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"description_content_type\": - \"text/markdown\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ilidemi@microsoft.com\",\n - \ \"name\": \"Ilia Demianenko\",\n \"role\": - \"author\"\n },\n {\n - \ \"email\": \"earc@microsoft.com\",\n \"name\": - \"Azure Resource Graph\",\n \"role\": \"maintainer\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/resource-graph\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"resource-graph\",\n \"summary\": \"Support for querying - Azure resources with Resource Graph.\",\n \"version\": - \"1.1.0\"\n },\n \"sha256Digest\": \"1eaef63df8a22666f88f322829f3470efb790e36d35376c1705b40fb03464549\"\n - \ }\n ],\n \"resource-mover\": [\n {\n - \ \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/resource_mover-0.1.0-py3-none-any.whl\",\n 
- \ \"filename\": \"resource_mover-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.15.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/resource-mover\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"resource-mover\",\n \"summary\": \"Microsoft Azure Command-Line - Tools ResourceMoverServiceAPI Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"f86ecfcde11e6016da9b107e191b1feaba6896f395d989e5962c6fe6ac34c593\"\n - \ }\n ],\n \"sap-hana\": [\n {\n \"downloadUrl\": - \"https://github.com/Azure/azure-hanaonazure-cli-extension/releases/download/0.6.4/sap_hana-0.6.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"sap_hana-0.6.4-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.0.46\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language 
- :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-hanaonazure-cli-extension\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"sap-hana\",\n \"summary\": \"Additional commands for - working with SAP HanaOnAzure instances.\",\n \"version\": - \"0.6.4\"\n },\n \"sha256Digest\": \"352266a3e0857574c25f0d1930bfb2c0d79329bee2400f6431a37c6162337b12\"\n - \ }\n ],\n \"scheduled-query\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/scheduled_query-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"scheduled_query-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"scheduled-query\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Scheduled_query Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"5529213e41055f70c53407498b618c7d48cea70a0ce0aca069e0dd9bb818f549\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/scheduled_query-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"scheduled_query-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"scheduled-query\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Scheduled_query Extension\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"d9cba80c47b0b8b3e3ad86a257eb53598611698efab6687a11f81c2b036b1083\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/scheduled_query-0.2.1-py2.py3-none-any.whl\",\n - \ 
\"filename\": \"scheduled_query-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"scheduled-query\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Scheduled_query Extension\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"f7a7ee6f9c11260c8cfff54f36ec68b2a3b235767ceb8ff281280523f2eda696\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/scheduled_query-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"scheduled_query-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI 
Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"scheduled-query\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Scheduled_query Extension\",\n \"version\": \"0.2.2\"\n - \ },\n \"sha256Digest\": \"17f2dfaa317f735eee708b4365e107a29b3fb796f8d6a9505388ec30c73bf930\"\n - \ }\n ],\n \"sentinel\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/sentinel-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"sentinel-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/sentinel\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n 
\"name\": - \"sentinel\",\n \"summary\": \"Microsoft Azure Command-Line - Tools SecurityInsights Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"0c0de10af8cc7c91704dc29afa2bc178f18bf4e28612d6d0c5d7c594bd05d4c9\"\n - \ }\n ],\n \"spring-cloud\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.1.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"1042caa1c3b6c85c2e5360bf57de4d26f71afd80ecae6b14cf45fbfe73b5cf0e\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"spring_cloud-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.1.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"f42d8c99ace9b4df29eea79ac7a588b1fcaecd381b1a80c7dbdd920756f8d209\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.1.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"b39aa8c49b316b1870e79db0526be2db772b179f9f517f72af898d9c3cc3310d\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.maxCliCoreVersion\": \"2.1.0\",\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"dfb974346cf9f62d8f9564756d6661cd758904d1e7035ca61c7227d6b0fc6cf1\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.2\"\n - \ },\n \"sha256Digest\": 
\"ab81ea74ecb86edaa1b4e5938e1136dbf6788b237b141c5905b121646edd9f5b\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.3\"\n - \ },\n \"sha256Digest\": \"c4af1e193256ae2b04fc9c46a414c3203944b458b2a8959654c55450ec9ea76d\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: 
Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.4\"\n - \ },\n \"sha256Digest\": \"9e18d1d44c7f63c970bbc70d29f6c5719c4062c5defa5a63165db13d8623fc70\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n 
\"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.5\"\n - \ },\n \"sha256Digest\": \"281fc1babe47793e0bcccbe004ea4771802038eead1e8c3b553461b8062be912\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.2.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.2.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n 
\"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.2.6\"\n - \ },\n \"sha256Digest\": \"f3fdb9cd98dcd887a7f84dcc5eff38c8b6384b464fa0734965df9f379acaacd8\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.3.0\"\n - \ },\n \"sha256Digest\": \"9c719fe1c6f539ba663283bd2eb8464aa9bcbf2d35617ac58408c6133f824f38\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.3.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.3.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.3.1\"\n - \ },\n \"sha256Digest\": \"a720deecb978406fb081c148078ee8831780cefefe965556852c00f8e1fc36c7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.4.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.4.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n 
\"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.4.0\"\n - \ },\n \"sha256Digest\": \"c09d2a188fe5e41f7fd9835c1efd0c3065b55f2b9efde39b6f2ff399be567eec\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.5.0\"\n - \ },\n \"sha256Digest\": \"b2a36656b073f9cf588755508757fcd2cd7e0f8d573b7e43fc5fa3adb315a063\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-0.5.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-0.5.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"0.5.1\"\n - \ },\n \"sha256Digest\": \"79fd3b7b6928ea53b63a040412420398e138097e960a3afdfa76da051f140f19\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-1.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-1.0.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"1.0.0\"\n - \ },\n \"sha256Digest\": \"698aa10606de4ec9eec580747a2d6d38c755633261241d75618badc53fe1e0f4\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-1.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-1.0.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n 
\"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"1.0.1\"\n - \ },\n \"sha256Digest\": \"d2b766d594c89a19abba3a7b2df6224d1af15fd9202b31fe5d57b9d9970b399c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-1.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-1.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": 
\"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"1.1.0\"\n - \ },\n \"sha256Digest\": \"a4fa97d6241fab2a66d8dd80e0d6a68ea17d849bb7404349ad6203c71fb89ba9\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-1.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-1.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud 
Extension\",\n \"version\": \"1.1.1\"\n - \ },\n \"sha256Digest\": \"ed63f4464f80e47df33b336ede149e1bc0f3b985dd033ee3541fffbaa9ad5f59\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-1.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-1.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"1.2.0\"\n - \ },\n \"sha256Digest\": \"241c7485bfc3792efe8cd728df2ce8aa3a52eb078b7eab43a1dd2fd6322b413a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.0.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": 
\"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.0.0\"\n - \ },\n \"sha256Digest\": \"c1e2931b439dea0bea043aec7817b454d510c944552a7bf084fd9916ab513142\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.0.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 
3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.0.1\"\n - \ },\n \"sha256Digest\": \"82e4d6c55a28dd7de155504e6836981a390e26562ca684bdf9240324bf428665\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": 
\"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.1.0\"\n - \ },\n \"sha256Digest\": \"4d6714f950fc8f3097d4ec1e1a6eb52f564f3fd543195cb3e5da2b47f187fa92\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.1.1\"\n - \ },\n \"sha256Digest\": \"a9775975158941a59479571440dcf6555c6dabfff576ed5ffaf98bd25e49fe12\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.1.2-py2.py3-none-any.whl\",\n - \ \"metadata\": 
{\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.1.2\"\n - \ },\n \"sha256Digest\": \"a07a8718562169a6ec1524e2a111ab5f926b05db91f484ae2ff2397218afe171\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n 
\"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.2.0\"\n - \ },\n \"sha256Digest\": \"88ba35a78eb607d24d1c6ac72aa770990e961e3db17ed70278d99a60eee8830e\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure 
Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.2.1\"\n - \ },\n \"sha256Digest\": \"d12cf4e756b518d4caf799fc59e312a28fd105fe5c5ddaa62ceb22929ec2dc63\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/spring_cloud-2.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"spring_cloud-2.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/spring-cloud\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"spring-cloud\",\n \"summary\": \"Microsoft Azure Command-Line - Tools spring-cloud Extension\",\n \"version\": \"2.3.0\"\n - \ },\n \"sha256Digest\": \"6c776b16405b4c01bfd8af78307914eb5f050bb3793d7bf6549b2eca645d02f4\"\n - \ }\n ],\n \"ssh\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/ssh-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"ssh-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.4.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience 
:: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"ryrossit@microsoft.com\",\n - \ \"name\": \"Ryan Rossiter\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/ssh\"\n - \ }\n }\n },\n - \ \"extras\": [],\n \"generator\": \"bdist_wheel - (0.30.0)\",\n \"license\": \"MIT\",\n \"metadata_version\": - \"2.0\",\n \"name\": \"ssh\",\n \"run_requires\": - [\n {\n \"requires\": [\n - \ \"cryptography (==2.8.0)\",\n \"paramiko - (==2.6.0)\"\n ]\n }\n ],\n - \ \"summary\": \"SSH into VMs\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"cf39bfcf542db4a7a3acf119f4ea71f17626eaaac7fe480d058962fec3d3ff25\"\n - \ }\n ],\n \"stack-hci\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/stack_hci-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"stack_hci-0.1.0-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": 
\"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/stack-hci\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"stack-hci\",\n \"summary\": \"Microsoft Azure Command-Line - Tools AzureStackHCIClient Extension\",\n \"version\": \"0.1.0\"\n - \ },\n \"sha256Digest\": \"9095702d720e24173616232ffab42bdf121dd82eeda48becd52d141f73c35bb3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/stack_hci-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"stack_hci-0.1.1-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isExperimental\": true,\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/stack-hci\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"stack-hci\",\n \"summary\": \"Microsoft Azure Command-Line - Tools AzureStackHCIClient 
Extension\",\n \"version\": \"0.1.1\"\n - \ },\n \"sha256Digest\": \"dc6bc793de093c9e2be98d68379f7178ee67231058ece34bbf2f8e2d9f89f2e0\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/stack_hci-0.1.2-py3-none-any.whl\",\n - \ \"filename\": \"stack_hci-0.1.2-py3-none-any.whl\",\n \"metadata\": - {\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/stack-hci\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"stack-hci\",\n \"summary\": \"Microsoft Azure Command-Line - Tools AzureStackHCIClient Extension\",\n \"version\": \"0.1.2\"\n - \ },\n \"sha256Digest\": \"c9c2359f5684f7c59600e55b2e99cdcd913f59dc2d7e5cc7d5e493b13b1248d1\"\n - \ }\n ],\n \"storage-blob-preview\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.9.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: 
Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"3407bc6ea0425aab5c5a495c447b0d9ec4f4a360f08bdfd68cfd7a6504789231\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.12.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ 
\"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"fc96b22fd656fcba97b8ee3283a1bead65b941aae10c174f597703ad7d8a5114\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.12.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.3.0\"\n },\n \"sha256Digest\": \"daec951de77a200f3479c00ebf1015534891592cfd4bbf7873c5784bdd3f57a0\"\n - \ },\n 
{\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.14.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.4.0\"\n },\n \"sha256Digest\": \"03ef575ccf01776e99f8adb1882c77ee41278ff18901556424c753279724c9a3\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.4.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.4.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.16.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n 
- \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.4.1\"\n },\n \"sha256Digest\": \"4cb5caa42e4c70db8ea5b33ad663246419003af30234f93ccef9aa2252e294d3\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/storage_blob_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_blob_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.16.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-blob-preview\",\n \"summary\": \"Microsoft Azure - Command-Line Tools Storage-blob-preview Extension\",\n \"version\": - \"0.5.0\"\n },\n \"sha256Digest\": \"a3303da3925f8ad83c8eeced02f6b8897b355a3cc249424a7e70c621ee0d3642\"\n - \ }\n ],\n \"storage-preview\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.2.8-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.2.8-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.52\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.2.8\"\n - \ },\n \"sha256Digest\": 
\"a3d48247051e95847ded28217433c4b98fc02d6ee21eedfcb24dd43f7360569d\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.2.9-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.2.9-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.2.9\"\n - \ },\n \"sha256Digest\": \"880e01de0fab8893770497ef9410559ae223a1f09dbd6a23712226ab4e2d5ecb\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.2.10-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.2.10-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - 
Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.2.10\"\n - \ },\n \"sha256Digest\": \"8c87013be456849f27ea7f76df284e998e6f3911d3de478ec19abe84bb30fbe9\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.2.11-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.2.11-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ 
\"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.2.11\"\n - \ },\n \"sha256Digest\": \"b00ccc8846bbb389b95064e7e9b547cbd877b0a596b8c36d86982be435695d5c\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.2.12-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.2.12-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.2.12\"\n - \ },\n \"sha256Digest\": \"5bd273bf4c1952f4576faf05ed80fd73b25f0f4d0be81fe0bbf471019705a6bb\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.3.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.6.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.3.0\"\n - \ },\n \"sha256Digest\": 
\"7fb50e37a0e271c118124b4488474e3c2957cffe1b319660bd3df91534911008\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.4.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.4.0\"\n - \ },\n \"sha256Digest\": \"822137d0987829d27537f36923d31d69371e756f8adc686ccdd5a2e03a40ab5f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.5.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - 
Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.5.0\"\n - \ },\n \"sha256Digest\": \"7ec8887f3f83a4f67613a22f1eea7f9c5968c9b108d74c7299eacc400e40c710\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.6.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.6.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ 
\"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.6.0\"\n - \ },\n \"sha256Digest\": \"9431e5bba2ddd8d7850c1e3b4fc2a29dd0cc38322f1b04247bf7f7a5f3aacf4a\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.6.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.6.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.6.1\"\n - \ },\n \"sha256Digest\": \"93cf02038cb209c2baee6e2a4bf17e0c8a8f55eb2c86c7678163499f84c31a75\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/storage_preview-0.7.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storage_preview-0.7.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.13.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storage-preview\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storage-preview\",\n \"summary\": \"Provides a preview - for upcoming storage features.\",\n \"version\": \"0.7.0\"\n - \ },\n \"sha256Digest\": 
\"3b2a463e7852cd1153372b3dd9522c007dee8daff53ccf26fda0c84b642e8367\"\n - \ }\n ],\n \"storagesync\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/storagesync-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"storagesync-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storagesync\",\n \"summary\": \"Microsoft Azure Command-Line - Tools MicrosoftStorageSync Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"a1d15edfcc18d9d301dea843cd7dce9845b8da6f6b1beb47a1bba35ff46eadde\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/storagesync-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"storagesync-0.1.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.3.1\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: 
Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/storagesync\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"storagesync\",\n \"summary\": \"Microsoft Azure Command-Line - Tools MicrosoftStorageSync Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"06d5e71b42edf721c5624cfd286b8593c68316f2b0ea4edf60c7a74835a695e2\"\n - \ }\n ],\n \"stream-analytics\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/stream_analytics-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"stream_analytics-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"Programming Language - :: Python :: 3.7\",\n \"Programming Language :: Python - :: 3.8\",\n \"License :: OSI Approved :: MIT License\"\n - \ 
],\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"stream-analytics\",\n \"summary\": \"Microsoft Azure - Command-Line Tools stream-analytics Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"e3a9048f289d1b870637e4b13c0ee1e877827834e1f71d31cb8161bacc441388\"\n - \ }\n ],\n \"subscription\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/subscription-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"subscription-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"classifiers\": [\n - \ \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"wilcob@microsoft.com\",\n - \ \"name\": \"Wilco Bauwer\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"subscription\",\n 
\"summary\": \"Support for subscription - management preview.\",\n \"version\": \"0.1.3\"\n },\n - \ \"sha256Digest\": \"74388eb7d4976c620bd41ef577cdb9284cd9a3e38dc4756796d091a7c8193267\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/subscription-0.1.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"subscription-0.1.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.30\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"wilcob@microsoft.com\",\n - \ \"name\": \"Wilco Bauwer\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"subscription\",\n \"summary\": \"Support for subscription - management preview.\",\n \"version\": \"0.1.4\"\n },\n - \ \"sha256Digest\": \"0f28407be656e9930d06240b95bf1ccc8ebbbc9fc961cbd9e4b0575e1867b03d\"\n - \ }\n ],\n \"support\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/support-0.1.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"support-0.1.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - 
\"2.0.81\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-cli-extensions/tree/master/src/support\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"support\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Support Extension\",\n \"version\": \"0.1.1\"\n },\n - \ \"sha256Digest\": \"e74e1b769155a08226d103781dbec7a20b517c37f4b75871172b2769e37676fa\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/support-1.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"support-1.0.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.0.81\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-cli-extensions/tree/master/src/support\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": 
- \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"support\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Support Extension\",\n \"version\": \"1.0.0\"\n },\n - \ \"sha256Digest\": \"3646b584af5fb68e57a153991cdbf049cd6f8e471c36b28c7f3bb642ecc341d8\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/support-1.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"support-1.0.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.0.81\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-cli-extensions/tree/master/src/support\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"support\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Support Extension\",\n \"version\": \"1.0.1\"\n },\n - \ \"sha256Digest\": \"5490c5dbe52b0457b51a327426cad741005f8afc24c13cefefb9fe8694a558f7\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/support-1.0.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"support-1.0.2-py2.py3-none-any.whl\",\n 
\"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.0.81\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/azure/azure-cli-extensions/tree/master/src/support\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"support\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Support Extension\",\n \"version\": \"1.0.2\"\n },\n - \ \"sha256Digest\": \"815e9ed05789f4cd00eb00cbae0e6339e7519c0c6d816bf3aa302af534acef5b\"\n - \ }\n ],\n \"synapse\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/synapse-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"synapse-0.1.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming 
Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"synapse\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Synapse Extension\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"bdeb2f4830fc35ff15b4ec473927619ed6a5ab46e4c797f2cb7605e59a32aa36\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/synapse-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"synapse-0.2.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": 
\"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"synapse\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Synapse Extension\",\n \"version\": \"0.2.0\"\n },\n - \ \"sha256Digest\": \"4731f2418d29ba818dd971acc71d695ff1641208e6441c719b38c4c21577c2e3\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/synapse-0.3.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"synapse-0.3.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.67\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"synapse\",\n \"summary\": \"Microsoft Azure Command-Line - Tools Synapse Extension\",\n \"version\": \"0.3.0\"\n },\n - \ \"sha256Digest\": \"11b7dac7ba18b63c84294e86531301d516c9ae44e9899d0344926c945b5fc9c4\"\n - \ }\n ],\n \"timeseriesinsights\": [\n {\n - \ \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.1.0-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.1.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n \"Programming - Language :: Python :: 3.8\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.1.0\"\n },\n \"sha256Digest\": \"a1cd9f9177ff31010638048d3737dc39fac144d9ca107fe4eafc4339386d71cd\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.1.1-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.1.1-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n 
\"Programming - Language :: Python :: 3.8\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.1.1\"\n },\n \"sha256Digest\": \"3276b876cad87ef8b29e6af58294fc7ff20b9d2d0187ce84e2b15ba8917b00d9\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.1.2-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.1.2-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n \"Programming - Language :: Python :: 3.8\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n 
\"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.1.2\"\n },\n \"sha256Digest\": \"3caba62be85114e44cd61c8541df49c7ff67b76b8c26e53e198b00a98a907417\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.1.3-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.1.3-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n \"azext.minCliCoreVersion\": \"2.3.1\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"Programming Language :: Python :: 3.7\",\n \"Programming - Language :: Python :: 3.8\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.1.3\"\n },\n \"sha256Digest\": \"84009856e1a9e6e6b178425099c2e1eaa4753ba5e375426a504f92bd4b9a21aa\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.2.0-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.2.0-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isExperimental\": - true,\n 
\"azext.minCliCoreVersion\": \"2.11.0\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 3\",\n - \ \"Programming Language :: Python :: 3.6\",\n \"Programming - Language :: Python :: 3.7\",\n \"Programming Language - :: Python :: 3.8\",\n \"License :: OSI Approved :: - MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"azpycli@microsoft.com\",\n \"name\": - \"Microsoft Corporation\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.2.0\"\n },\n \"sha256Digest\": \"79f257abed8ac699a395e1c61351cd2c68f3a1844d3369aca5b346b2b1c0aa10\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/timeseriesinsights-0.2.1-py3-none-any.whl\",\n - \ \"filename\": \"timeseriesinsights-0.2.1-py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.6\",\n \"Programming Language :: Python - :: 3.7\",\n \"Programming Language :: Python :: 3.8\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": 
[\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/timeseriesinsights\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"timeseriesinsights\",\n \"summary\": \"Microsoft Azure - Command-Line Tools TimeSeriesInsightsClient Extension\",\n \"version\": - \"0.2.1\"\n },\n \"sha256Digest\": \"6ec3fe5ff3d92c3c2c8ba581af679567bfc430dd38fa70945b43378cf9b81ff2\"\n - \ }\n ],\n \"virtual-network-tap\": [\n {\n - \ \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_network_tap-0.1.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_network_tap-0.1.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.46\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-network-tap\"\n - \ }\n }\n },\n - \ 
\"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-network-tap\",\n \"summary\": \"Manage virtual - network taps (VTAP).\",\n \"version\": \"0.1.0\"\n },\n - \ \"sha256Digest\": \"7e3f634f8eb701cf6fef504159785bc90e6f5bd2482e459469dd9ab30601aa35\"\n - \ }\n ],\n \"virtual-wan\": [\n {\n \"downloadUrl\": - \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.1.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.1.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.1.2\"\n - \ },\n \"sha256Digest\": \"35d7b9f8b62167957708902b19a6c2f97ceaafa28abcba815b39a2d9040066f8\"\n - \ },\n {\n \"downloadUrl\": 
\"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.1.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.1.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.1.3\"\n - \ },\n \"sha256Digest\": \"10bc530d54677c0f24363326f28b0476a3324198417117e3effa031c20d6c2cb\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.2.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.2.0-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language 
:: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.2.0\"\n - \ },\n \"sha256Digest\": \"45b52f87cd76a269d8e6151782a437692cea3725b4f64d9d4d64cc2c4b49288f\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.2.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.2.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": 
\"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.2.1\"\n - \ },\n \"sha256Digest\": \"db108cf3fb9f3a49aea87f35d658b0bdc9c2321122b9a1ec1f58f4fecb0ebe90\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.2.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.2.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - 
\"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.2.2\"\n - \ },\n \"sha256Digest\": \"0b141457b8c3f57061f300dae18472ec9da96f4b4f9ddb9239a4a5dbda7c1ffd\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.2.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.2.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.2.3\"\n - \ },\n \"sha256Digest\": \"21e1333af42c80c094099212db57b5e7171afee8690f0de211fdf359e3f1da16\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/virtual_wan-0.2.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"virtual_wan-0.2.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n 
\"azext.isPreview\": - true,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/virtual-wan\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"virtual-wan\",\n \"summary\": \"Manage virtual WAN, hubs, - VPN gateways and VPN sites.\",\n \"version\": \"0.2.4\"\n - \ },\n \"sha256Digest\": \"236668a188121738975f85148957ce843dd43c8644f76c915dde9d2f8233c9e4\"\n - \ }\n ],\n \"vm-repair\": [\n {\n \"downloadUrl\": - \"https://azurecomputeaidrepair.blob.core.windows.net/prod/vm_repair-0.2.6-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.2.6-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"classifiers\": [\n - \ \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 
3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.2.6\"\n },\n - \ \"sha256Digest\": \"3556adeb1053262aa1aa0203b53423252afbd89b3e455255c2a2964a3be9a78e\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vm_repair-0.2.7-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.2.7-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"classifiers\": [\n - \ \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel 
(0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.2.7\"\n },\n - \ \"sha256Digest\": \"4949871a99d5ef62ffdad72d35bfa75a483f1a714bf8d7ca84f134f86a5e9578\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vm_repair-0.3.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.3.1-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.3.1\"\n },\n - \ \"sha256Digest\": \"4c893d48469b70772318c989ecac03e1ac494dc0c97652d1827a8ad55d8e8b51\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vm_repair-0.3.2-py2.py3-none-any.whl\",\n - \ \"filename\": 
\"vm_repair-0.3.2-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.3.2\"\n },\n - \ \"sha256Digest\": \"b7837a3129ff2614d27c2acbd254e97d83ac1540745225d2b156c897bb065125\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vm_repair-0.3.3-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.3.3-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 
3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.3.3\"\n },\n - \ \"sha256Digest\": \"04ddc34a525af5b313f9dd1b5b446e5aa2a79d242451cf09f7670147c7aadd42\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vm_repair-0.3.4-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.3.4-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ 
},\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.3.4\"\n },\n - \ \"sha256Digest\": \"b5964a8ed60193dc73e9109763af7cbb0162c029dbd81ed9ec5a7f20fa48ee7d\"\n - \ },\n {\n \"downloadUrl\": \"https://azcliprod.blob.core.windows.net/cli-extensions/vm_repair-0.3.5-py2.py3-none-any.whl\",\n - \ \"filename\": \"vm_repair-0.3.5-py2.py3-none-any.whl\",\n - \ \"metadata\": {\n \"azext.isPreview\": - false,\n \"azext.minCliCoreVersion\": \"2.0.67\",\n \"classifiers\": - [\n \"Development Status :: 4 - Beta\",\n \"Intended - Audience :: Developers\",\n \"Intended Audience :: - System Administrators\",\n \"Programming Language :: - Python\",\n \"Programming Language :: Python :: 2\",\n - \ \"Programming Language :: Python :: 2.7\",\n \"Programming - Language :: Python :: 3\",\n \"Programming Language - :: Python :: 3.4\",\n \"Programming Language :: Python - :: 3.5\",\n \"Programming Language :: Python :: 3.6\",\n - \ \"License :: OSI Approved :: MIT License\"\n ],\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"caiddev@microsoft.com\",\n - \ \"name\": \"Microsoft Corporation\",\n - \ \"role\": \"author\"\n }\n - \ ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/vm-repair\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vm-repair\",\n \"summary\": \"Auto repair commands to - fix VMs.\",\n \"version\": \"0.3.5\"\n },\n - \ \"sha256Digest\": \"70112e8c4ce186f0c494e89680d751f8f4c6dc906c47cc44b8b5cdf0e19d2e50\"\n - \ }\n ],\n \"vmware\": 
[\n {\n \"downloadUrl\": - \"https://github.com/virtustream/az-vmware-cli/releases/download/0.7.2/vmware-0.7.2-py2.py3-none-any.whl\",\n - \ \"filename\": \"vmware-0.7.2-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.0.66\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/az-vmware-cli\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vmware\",\n \"summary\": \"Azure VMware Solution commands.\",\n - \ \"version\": \"0.7.2\"\n },\n \"sha256Digest\": - \"b84b027fe8d836f8969893480cef63b05b85db1a59f6ef11063e52be530fd9ff\"\n },\n - \ {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/vmware-1.0.0-py2.py3-none-any.whl\",\n - \ \"filename\": \"vmware-1.0.0-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.0.66\",\n \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/az-vmware-cli\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vmware\",\n \"summary\": \"Azure VMware Solution commands.\",\n - \ \"version\": \"1.0.0\"\n },\n \"sha256Digest\": - \"e1775b05e22e3afb70ad395bc3cff1cb7fdfc9a90836b61e13d4c54843577ddb\"\n },\n - \ {\n \"downloadUrl\": 
\"https://azcliprod.blob.core.windows.net/cli-extensions/vmware-2.0.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"vmware-2.0.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": false,\n \"azext.minCliCoreVersion\": - \"2.11.0\",\n \"description_content_type\": \"text/markdown\",\n - \ \"extensions\": {\n \"python.details\": - {\n \"contacts\": [\n {\n - \ \"email\": \"azpycli@microsoft.com\",\n - \ \"name\": \"Microsoft\",\n \"role\": - \"author\"\n }\n ],\n - \ \"document_names\": {\n \"description\": - \"DESCRIPTION.rst\"\n },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/az-vmware-cli\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"vmware\",\n \"summary\": \"Azure VMware Solution commands.\",\n - \ \"version\": \"2.0.1\"\n },\n \"sha256Digest\": - \"9201be5570c050b7f048f25b70ee0a2229bf73ad048aea036b484166631bc8e5\"\n }\n - \ ],\n \"webapp\": [\n {\n \"downloadUrl\": - \"https://github.com/Nking92/azure-cli-extensions/raw/whl-files/dist/webapp-0.2.24-py2.py3-none-any.whl\",\n - \ \"filename\": \"webapp-0.2.24-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"sisirap@microsoft.com\",\n \"name\": - \"Sisira Panchagnula\",\n \"role\": \"author\"\n - \ }\n ],\n 
\"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/webapp\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"webapp\",\n \"summary\": \"Additional commands for Azure - AppService.\",\n \"version\": \"0.2.24\"\n },\n - \ \"sha256Digest\": \"797abb3d8b41547ed3c2bcc8e01e30cbb5d487262cd2f285e755419bd1c03bed\"\n - \ },\n {\n \"downloadUrl\": \"https://azurecliprod.blob.core.windows.net/cli-extensions/webapp-0.3.1-py2.py3-none-any.whl\",\n - \ \"filename\": \"webapp-0.3.1-py2.py3-none-any.whl\",\n \"metadata\": - {\n \"azext.isPreview\": true,\n \"azext.minCliCoreVersion\": - \"2.0.46\",\n \"classifiers\": [\n \"Development - Status :: 4 - Beta\",\n \"Intended Audience :: Developers\",\n - \ \"Intended Audience :: System Administrators\",\n - \ \"Programming Language :: Python\",\n \"Programming - Language :: Python :: 2\",\n \"Programming Language - :: Python :: 2.7\",\n \"Programming Language :: Python - :: 3\",\n \"Programming Language :: Python :: 3.4\",\n - \ \"Programming Language :: Python :: 3.5\",\n \"Programming - Language :: Python :: 3.6\",\n \"License :: OSI Approved - :: MIT License\"\n ],\n \"extensions\": - {\n \"python.details\": {\n \"contacts\": - [\n {\n \"email\": - \"sisirap@microsoft.com\",\n \"name\": - \"Sisira Panchagnula\",\n \"role\": \"author\"\n - \ }\n ],\n \"document_names\": - {\n \"description\": \"DESCRIPTION.rst\"\n - \ },\n \"project_urls\": - {\n \"Home\": \"https://github.com/Azure/azure-cli-extensions/tree/master/src/webapp\"\n - \ }\n }\n },\n - \ \"generator\": \"bdist_wheel (0.30.0)\",\n \"license\": - \"MIT\",\n \"metadata_version\": \"2.0\",\n \"name\": - \"webapp\",\n \"summary\": \"Additional commands for Azure - AppService.\",\n \"version\": \"0.3.1\"\n },\n - \ \"sha256Digest\": 
\"1cd5bb1a8ad02a5f7c8c72a01692637fed434b24ea359d21caf919ed5323941a\"\n - \ }\n ]\n },\n \"formatVersion\": \"1\"\n}" - headers: - content-length: - - '818218' - content-md5: - - vpj8zM01YJHfgC/g3TZt8Q== - content-type: - - application/json - date: - - Tue, 16 Mar 2021 09:03:10 GMT - etag: - - '0x8D8E8214593E3E7' - last-modified: - - Tue, 16 Mar 2021 02:14:47 GMT - server: - - Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 - x-ms-blob-type: - - BlockBlob - x-ms-lease-status: - - unlocked - x-ms-version: - - '2009-09-19' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - Connection: - - keep-alive - User-Agent: - - python-requests/2.22.0 - method: GET - uri: https://azurecliprod.blob.core.windows.net/cli-extensions/log_analytics_solution-0.1.1-py2.py3-none-any.whl - response: - body: - string: !!binary | - UEsDBBQAAAAIAGIR6lBg7Nqe1AEAAOEFAAAoAAAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlv - bi9fX2luaXRfXy5webVTTW+bQBC98ytG8iEgOfyASBws0kMlnEhx7qvtMthbLbtod4hMqv73js1H - ihMTtVLmACy8efNm5rGC2y+MaAW5azqv9weCWCWw1cq74Cri975xXpJ2NoWNMXAGBfAY0L9gmXJu - oRXagCW0tkQPdEDYfn8eX6ewQ5wOdCTQ9oxpvPuJisA7R1A5D6bH8Hc+1X1Npv/SzqPKuxrka+sx - VUanynkWUHPPBJvX3NW1tGUonOTOJjAeSRi3F9JK05FWQQRn2rNecUDTjASn5wCwgqYz2tIdlDrI - Hwaz1rY8r9seFkWRMjIEKNx+MzLuBsK5gvhSUnIXRcBRYgVCaKtJiDigqdbA3QhFx+zBWWQYDPFB - v3zpOUfdudFDmeeuwcvUpe6ZEi2JSipyvhv5VHUlYaL++LNQbSCumV0oiqe8U7gGe4MGQXVjsptF - iT3l6tfvm/WMZa48uyo5mbJCy4Xjz5e2htNCknTaz7iZ4T7X8V/RNyWGPQriGWWLI03ebGNY5Fvm - yZ6DgaTfh/fGWRrthY3eM/+176WiE8wjtd6e55fOiebyOauteX1h9H6P/Sf1opFe1nPxE+9c+LVy - /Cfnj9vt5uFeFI+b+29PIi927N7PPRL9AVBLAwQUAAAACABiEepQBhVKAjUBAABKAwAALwAAAGF6 - ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vX2NsaWVudF9mYWN0b3J5LnB5tVLBTsMwDL33K6zt - sqGSD0DigHZCYuIA9yhK3S7QxJXjTitfj7uy9rIJLvjU+L28V/tlDff/WMUadtQNHJqDwMZvYR88 - U6ZatM8dsZNAycBT28KZlIExIx+xMnr3JXhMGSvoU4UMckDYP79f2gbeEOeDnARCOnM6pg/0Akwk - UBNDO3EU11OcPFX+Xycvigpr8LVtqbEuuXaQ4LPN1Paj/8a3wXo5lXBntw8FaNVMEdxXz2gUNJ7G - 
D4rRpSqPHUxia+eFeIAQdXkCDYqNTRQ77kyHtBNtkTNHTJUKVTZXn9lQh9PKs6q6BqOSL1qvM7af - sd0ixyg9p1uOyzi3ZcoxmGPQJG1yER9X82Mw1y6tyrPvL6XPhXrW/5ChU8nLevOqXKDJbbVdMplp - V2L4GfRvyZlZqfgGUEsDBBQAAAAIAGIR6lDp2QZ8gAIAAIUKAAAlAAAAYXpleHRfbG9nX2FuYWx5 - dGljc19zb2x1dGlvbi9faGVscC5webWVTW/bMAyG7/4VRHrodlByHQLkMKxAUaDZgGXDDuswKDLt - aJElQR9tvK3/fZSdpGmSNjGy+GTR1EvyoWhdgDC51OUohoK9yy6AnfEh+Q/G1k6WswBvxFsYS+GM - N0Ugu7PG8SCN7sN7paBx8uDQo7vHvE97b6VA7TGHqHN0EGYI45svK3MfJojrRVgEkLrxsc78QhHA - GROgMA5U60PfaVW1Mc9dOenbWkkdhpBLz6cKR8EYVnFdMzKj3+OQ7Cx5KaPLrHCmgrnmYt6fobI/ - C6nQg6wIW4Bk8QC7GlFHIsZatyzLGsfvl5XRMiQUpmRcc1UHKTx4o2KicfkDRtDr9bJQWxxC6Uy0 - mZ+RAvOxqrirh9QwetG5h2CAXniJ8LpoP0uKxyUAwiEPuJWHaEPuZNL4An8xLi54ZQnWMANgoHmF - BzeBKSAFpTJ14NQH52kzQMAFwf3LmsXy4b8PVL6shg4YnWYTnUDWIIVx/XlpuG7Wd3ebuoytBNhW - KvQp8NLDHOvRPVcRd3Y+GDf3lguE3sDHqRdO2qTkB38mcXpz9Thwm5HJ/CyTxwENzb2kKfODLe31 - yPY/WWwHlqsb7ZtxHazjkuK31ftHIv7Y69L+aPOj2w9fG2fgGnAhfaCfWaeTsNr+wqYT2t5W0b3t - KS+YLFUSvJ1+d2GZo8JjWV41vh1H6cCmEwC2qR8GuAdZF0IE4eE4PtcYKCmaQuWBT00MzQXjLQpZ - SLqYumBLWmdgloo5OzFFc3YcsVvyBE73efqhEqv9gn51Vz+h3PxrAWWyKmh5G+0juo51IIiIzqEO - z0KcQDzB6JgF/5+x00WxCWtcT56Ld8tsC/TJub1+EptT9w9QSwMEFAAAAAgAYhHqUJ77endcAwAA - 8AoAACcAAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL19wYXJhbXMucHm1Vk2P2zYQvetX - DJCDbEBS74u6gOEghYF1mmKdXIpA4FJjiV2aFMiRHffXZ0itZCdxtAu40cmcGc7nm0e/gfwXfskb - WNn25FTdEMzkHDZKOuvtjljuWusEKWsKWGoN0ciDQ4/ugFXBd++VROOxgs5U6IAahM16O4gLeEAc - D/SFQJlo0zr7L0oCZy3BzjrQvQ3r+bTvY7L7X1x5e9LK0B1UyotHjQs+YU7W5tqa+oo+qPbCnPJg - 6KcMPAnCPRrySbJzdg/iv85hIbUqpA0/7J7tKl+0wok9EjoPas/tJiBR+5JOLfYXn4yQT4VwdRfd - DVar+/XyWbYdbYvyILSqBNmzu2cJlkfrnnwrJJY8QNs5/qGqJPFWd6HdpeE8YPG945ltg9aXWnla - /JPmebBLM0hzk37OEnjha1C3i/R98G13cfba1rkwQp9ISQ9D+ALWBL6xna7gEQec9GAIN9MXI8Uv - HfzF3MeSQ/w5o/FCCdx5xqMHKRh3ntGnSB0Ysuk8SZIKd5yoqMqx8TOPepdBOb9LYipHRQ0E2Tib - UlpD+IVm6d4aRQHVV0sF6ZAHks5BcPS7sTBZqNowOGaptjKuAKdyVg5hZmONESU8ih9GNBjkzwZp - Tj+ZVT+e2I8XxrNl3d56gi6su3B4x8stO6fotOKs0L1ziNkoy+BjG2Dns4nRpSvumOBdcmtufyCX - 
4MAdmAw2os1gGZZmKXku0eOqEabGreOFUKbO4NPm8lof9yyZCPseKUBj048p+nr4+/5TpzkT8ag0 - +1l6j96HfkfdsjoII7HaNmF2H5wlpi/uC+doSG2EPnJHJmP2tXRke3bL4N7WSi7b1m+43TWOod4K - EistvFc79ToYPG/kN+cMKmwdyrD5gVQXshgFs0ZVuNi6DufXPQcKYocjE123arUwZds9MuwadOkE - vj4MRmAuiCDcj+R/Btk7PtVCa3SnUZqBins6PkzF9VA31NtX4mzVSZqsozd5qYppJvtr8/BnX+Jv - v1+y1R9hx7jOHynpf6/36lNwjUhGw0gix5+QyPjoLKYfmykG4hb1XXUw3ID12wtSgjMpjc57Ej42 - SjbRbGTYo+K/K9x8fp2f+I9KoPQQ6wbO7iKbXeHsV+7jaxft1jwr1HhbnrdmwNA/3hL/K1BLAwQU - AAAACABiEepQyla8fpYCAACYCAAAKwAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vX3Zh - bGlkYXRvcnMucHm1Vc1unDAQvvMU0+wBUCkPsBKHKO1hpUQ9NLcqQo4xrBubQbZJs336jiEY6JKs - eogPaD3/88033h18+cAT7eAGu5ORzdFBwlO4k9ygxdqR3HRomJPY5nCtFAxGFoywwjyLKiffW8lF - a0UFfVsJA+4o4O5wP4lz+CFEuLgXB7IdbDqDvwR3YBAd1GhAjTakp5sec1L4D+28NqhBW2rHsT+9 - oQIRlQWpqWuq1JbPTMmqJD32hotSVhl0zFixFi0uY8inlvGnvHdSTbFubg/fjEEz6sdkutEuV9iw - lqmTkzwkvsXmepLdkbYRWrTuRkn6LgNwJXOO/gdqzdrKegnZlDXjDs1pitcIV/pkpZ8awVyOZtmg - sP2j5UZ2HnDfQBRVooahceZE+RvNk+0YX7WccE1tt0yLQZXuowjoyHqW5ZuO+8HOnx0c6oEIm3aE - PRFhKCKD3rPCAbPAZushEzgE23nmvB0qZPTV4fZUkwtlp3Pd/lywhmLJiGTl6s8S8WJjBB5dP8mS - u5c0O3MPsRuDfVfMxawVpVecewfzItbTnuffOzFuOVOH1g47Hp+7ulNHXqHlLRMfvbgAz8opjT5g - PoZJosy0ckncW1ohEP6ypwdl5tCSZcQw3VsHj6/UwjogDTRTuga/eFH1Dr4KJ4yWLfHvKIiGZs1F - YMoIVp1AvEjrbHCcG6EXhWkizdnLcrHtJXb/xPsZr+kQP8CnAt4ly3+AuOiurcCi6j17AoDzX4H1 - UAYcx0oW6M1ken2TCIY3XqvlVmTvPpHpjNYG3JZSnKXNKWlyEcHsHZA9gPHDihj31L9CPiyW50+A - iWgXsGHj76Xdij4h3jy6YLtsJEijDY8p81AlFFsav9zwGa6SK/peatMbplfRX1BLAwQUAAAACABi - EepQX83kTEEAAABMAAAAMAAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vYXpleHRfbWV0 - YWRhdGEuanNvbqvmUgACpcSq1IoSvcxi14qC1KLM3NS8ksQcJSuFkqLSVB1kFbmZec45mc75Ralh - qUXFmfl5QEVKRnrGegZKXLUAUEsDBBQAAAAIAGIR6lBl/oGg4wEAANkFAAAoAAAAYXpleHRfbG9n - X2FuYWx5dGljc19zb2x1dGlvbi9jb21tYW5kcy5webVUwW7bMAy9+ysI5JAESPwBAXIYehqwYofm - LmgS7WiTRUOkm7jD/n1SHMfdkCZAgfBiknp8j6QEz2D9QCtm8ERtH129F1iYJTw7E4mpkpSPLUUt - jkIJX7yHE4ghImN8RVum2m/OYGC00AWLEWSP8Px1N6ZLeEG8BHIUcOGEaSP9RCMQiQQqiuAHTDpP - 
UTNoJvqHTp742967IBuwjvUPj9sU4VqI1p5CfeU8HzU69OsM5FsAFi3YYJCbKE9Gey6qSA3oty5i - abwrDWWHmgSxDK5Jt5Buw7unIbXrWxxKSpXgSUNV2gjFfsSaSjH5Lm+Ri6KwWIEnbdWZU0nuYsHo - qxWo5aYoIJmnWumgfS/O8KV+IoLtfz0sTmXZqMXhnbCSpvXbuX7Do6jrjOUrBpsmtIrtLy6n2sSr - 69PO3iXLqQE1ZWcvY/L7hPz9Z766tPTvYrbvN7Ic5j042UPewbhqVUfq2sW8oeAkv0mq15f2YSyf - r+5uaurimt3obAWOFR7TSC6vQfvtLna4BM1Qby6kdWk6FmrG61zMTcT02lJnZ0+dR/jgBhKQuza/ - FFaB1EE7GYRuSHStPUsM3gMkLHocJAbvkxIrMBQqd/6LfKTKezpM0jnKwjXKPdVbE3jHkmny9z7P - X1BLAwQUAAAACABiEepQW4zlZVgCAAB7CwAAJgAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRp - b24vY3VzdG9tLnB53VRNb9QwEL3nV4zSQ3dFd7mvtAeEBEKicCj3yOvMpqaOxxrblFDx37GTbEpo - tGxKixA5xF/z8eY9j89g9YxfdgavyTasqmsPC7mESyWZHO193GdLLLwis4ZXWkNr5IDRIX/Bch19 - 3yuJxmEJwZTI4K8RLt99Omyv4QpxWPivHpRpbSzTZ5QemMjDnhh0ZxPP46rucsbwz1y5bbQyfgOl - cmKncRtXuPJEK02mmjhPR7Uwzcp54bFG490xqxTuuAFJoacsggmR1JXgKqQsWbZnqkF8C4xrqdVa - UpwErzSoOmrkwZU3haHiVqhonJW4B8kYMRY1GeWJC01VIYzQjVfSFY50SBwvYrAY/yKDk7+oPgWW - WFRMwRZG1DjH/ZC58I2d5XhLfOOsiIkHBKqcEyCRnTI/Cm0qc/uBzCzIVgtT2LDTyl0jP9KdqQzS - z3b2onKznfobtH0TbyUuN1nruqOygS3cDXHOD0yebyZIPU+Z40kaftqNdVhkrzCd3Y0w5ZPS5ptp - yQfX7/fR80RV/iBuEi3ujkQc05H39Ear/OPl1VuhNXLzMocXxy5qPmia/IYHM38Yu6Y2hKQyAcnz - e/BZ928HRh/Y/NzDi368gK5B1303x0YOtoyzi6k+3M7pzfHVHnMEVnAcPbLbJvmX/ZvS5f5335S5 - jk/XJCdI+FeEaytKv4NkJWr8nyT7lf0Oy2/J72g4nfxjLB+ordA/Ma9/QuoY4oiYnoOId/GU9ccn - 8FQCJnlPjdcDVfspi81Q+7iQNvGuKcYup9a2nKDmENGFnZOsbIt9mf0AUEsDBBQAAAAIAGIR6lDs - IYJ1fwAAAFkBAAAuAAAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlvbi90ZXN0cy9fX2luaXRf - Xy5webWPQQ7CMAwE77xipV7gQP6AOCHRE3wAJS41CnHkuAh+j9UKflDfdj3rlTvsV5xNh6PUj/J9 - NGzjDj1HlSaDua9V9GYsJeCQM2aoQamRvigFz545UmmUMJVEChsJ/en6swMuRH9hbwOXmakqD4oG - FTEMosgL43tXz6XTz6/6+RdQSwMEFAAAAAgAYhHqUOwhgnV/AAAAWQEAADUAAABhemV4dF9sb2df - YW5hbHl0aWNzX3NvbHV0aW9uL3Rlc3RzL2xhdGVzdC9fX2luaXRfXy5webWPQQ7CMAwE77xipV7g - QP6AOCHRE3wAJS41CnHkuAh+j9UKflDfdj3rlTvsV5xNh6PUj/J9NGzjDj1HlSaDua9V9GYsJeCQ - M2aoQamRvigFz545UmmUMJVEChsJ/en6swMuRH9hbwOXmakqD4oGFTEMosgL43tXz6XTz6/6+RdQ - 
SwMEFAAAAAgAYhHqUILSZh52BAAAKBcAAFEAAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9u - L3Rlc3RzL2xhdGVzdC90ZXN0X2xvZ19hbmFseXRpY3Nfc29sdXRpb25fc2NlbmFyaW8ucHntV1Fv - 2zgMfs+vILIH2bjYW723AsHt0BuGAi12WPuWBYJqK44ax/JJcrssyH8fZdeO47hp2jTFcDg9JJFE - UuT3URTzDrwjjt47OJPZQol4asAJXbgUoZJaTgyuq0wqZoRMffgrSaAQ0qC45uqORz7qXoiQp5pH - kKcRV2CmHC7Pr6tlH644ryfmhwGRFjKZkrc8NKCkNDCRCpJSBvdxNi/PRPNHjbwn5hifAamrX3kq - jOHa9HoTJefAfuaK04jfGSkT7Wt0kSkhqRXR8KCDwMj7C6Zi/o3rTGIQDWU/TIRfiEezSsG5erBz - jesDQC2Zq5B/UTLP/lE8Y4ort7QxS1k483Mjkkr57OL8s1JS9Xq9689X1/Tv828wxAj8jJmpz260 - /Xaq+a0UqdPepHQiEk6pOwDi+8R10VaYMK3ha8ZLunXTxQ1/3dNeD3B86nTbwU8254YrmuL3kKgH - KRpbMXpC3AO0g+doU8wjmsiwiGdIql8PJiI+AUsLSsSUpSxZGBFqqmWSWylH82QygLb3WyvBACrD - FTB2WG1/do85of08i5jhzrLetMO6Q05r3cHm5r1UM6QKT7GBoFxhL1QcDVHF0kjOix1nLUkGEHxw - W3ZUjLpbMbRlgm2hoCWk85vKi5gbilMdKpFZ16mInPa5CaN4vzNqsw31NpKxStqBxaABvX+ra3Ls - WLldaI5IxRA1i4yTMeY+OZOpYSLlSpMndAo4rc5Ok38AcQh+bgi1OCmkXLKmvN6vrIfzyKkTGEry - wIthqeIVeCksNy3iWgJLTAj84VVqnvUIyAa6W4PUBduv7y9LzlNdFOv39TEavAw+9ZdNdlZ94haU - ytxkuaEipZYHpxP8R1J5HUedRSJC2uv1EcH5uJ3jSqYx3VN3dHI6bmbGGnVhpqWLWL64Mt+Y0Fw7 - VZF0gWngSp1unL2mh/2EucSSb98fGXt1MkKVEhVvj1BAGlQVN6dk93Hpym5J7HIj83bprbOrv9yB - 3KoPjStUx1pic61y7vRzzWJuMZHqFJqGBT5o6R1LRNSH4dBK+PxHyItL/psjHhwd8tcAe20QK/g6 - 3nmuDdzwRv+ksRzUFRmKKHdS8jro7p/LLwF1X0A7NQ2LNcz44mSI+ZnzEzLYFgunPJzp4agEw04c - UlRqfGiWGw/AirjjF6Knp/IeunHyPGsb2kcd6mmH/qbjpX6WsNTP8ptE6ClX1lL9KDzThpJRHhpr - 4evl1ReWJFwt3jde2H2tWc7QypJY3rCikwfqVi8Gv3x9ngX/E/kUlPkUvBVLTUyCGpPgAEz+T8hj - gN/d8wXrznGPVryDzu5mMOjqBoPntYNv1gK2eumg3YA/1TcH243zEV+v7r6AeOagF6vk56m36mNZ - Wz4eduGCAx4rvHoGk+ffHC8M9AtvRn8W/6uH39v3+jsZ9/f1NOFpbKbOaOyivyeHurc/a3tFEhSh - wBvHEvGEP/dp8ha7nDyCJ8EjrgQv9qUuaNWpu/7dvmIVQ65e6NujxfaNvfsdru6H/9DVLWL5BVBL - AwQUAAAACABiEepQiWp/RKQAAACSAQAANgAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24v - dmVuZG9yZWRfc2Rrcy9fX2luaXRfXy5webWPMQ7CMAxF957CUoe2A7kDYkKiE+xWlJg20MaR4yK4 - PVEruEE9+X9/23o1HHasqoYTp4+EYVRoXQd9cMKZ71p8SSxWA0cDx2mCNZRBKJO8yJuyewmOYiYP - 
S/QkoCNBf779bANXor/Qt0KIayYJP8gpCLPCnQWmLVPmRc3bz3J+V/IKMcyFUBHbJj0HLGC8iKPc - dMaTm6wQRjtTTtZRi2uP2FVfUEsDBBQAAAAIAGIR6lAGAuXUOgEAAO4CAABLAAAAYXpleHRfbG9n - X2FuYWx5dGljc19zb2x1dGlvbi92ZW5kb3JlZF9zZGtzL29wZXJhdGlvbnNtYW5hZ2VtZW50L19f - aW5pdF9fLnB5rZAxa8MwEIV3/4qDDEmh8dwlQwilBJoGktKlFKHIZ1tF1pnTOW3+fWW5MenQdokG - ge4+vffuJmCosL5adFLO77IJzK92otiK2hPbqhaYmRvYWMMUqJRY55ZYiyWfw9I5SFAAxoB8xCKP - fx+tQR+wgM4XyCA1wmb9fC7nsEccH/IpYH1iWqZ3NAJMJFASRyU3UJGI72ZwzSYpXoFQoccYJRod - ThcRZ7sbWHZCOwwygA8DSNynW9XaVxig0Scwukvqhph76wPW+miJQfsCPmwc74DgKOrYMmU0vZwN - UYZxtM+vu/ysZGogV4Z8aatuWDbYJu5dYNviUAgb7XWFDXpZOdvfl/hZg0ZcNSOvTPrwv2SmlHZO - KVjA6/R3bHoLf3R/5Jq+ncc7IoeLuV7ud/v19imLlt+dZDuWvwBQSwMEFAAAAAgAYhHqULp6rKyp - AwAA3goAAFEAAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3ZlbmRvcmVkX3Nka3Mvb3Bl - cmF0aW9uc21hbmFnZW1lbnQvX2NvbmZpZ3VyYXRpb24ucHmtVktv2zgQvutXDJyDLcBm9lAsCmFd - IHAfCLZJAyftVaGlkcVWIrUk5dZd7H/fIWXZopo0RVAdDA81833zps4gU7mQ22Vri8XL6AwWv+0h - sJVq9lpsSwuzLIYrkWllVGHpXDdKcyuUZHBRVeCVDGg0qHeYM7J9LzKUBnNoZY4abIlwdXnXHzO4 - RTwK9psFIb1Oo9VnzCxopSwUShNS1WmRBsl1xxqdefdyhC1KJFeIaLMfuDhbx3DRWrVGYzvFd52i - 0s67VcnlFg3UfA8Zbz16prR21Bss+U4oDVzm8FVQeBuEShGOKLyPmYMThmA0HunZ701+oVUNtaGM - Wv691cRXU8otXDhhpWQhtm1XgajTZTvUhsRe8dOb9e3lh+soirKKGwMfGuz0zRWXfIs1SruqhPsd - os1+JIiTCOiZTCbBsavOT1C9zbWySCnjFjilseGa12jJT2hdZ1gFmUbuVYShClCsMkPgFK7h1EfA - T6cej1urxaa1aFjkDxKP6WBy4hS8MgmsTgJIpP+5d9VXzrvmiZWUrtj010fMOji7bzBES2qVJ/cX - QS0GDN4M1MY17V8DHeZ/U55ZscM0F66zlN6/uh+6bdqNybRoXAJTkSfUozRFw9OhL/C1FFlJ8yT+ - abHad8zCvy2Gre/jCVAY3JXhCVy+dkmpjSuKBVV0aC5HH9eXPl9IDbUHN9A0fzQkVTXM0Q+uG6uH - odEc78g3nUoqeQI3BxGceCwHqbpyUNJUq7OgBiP7EXpvkTrdBNYHEbzpI+gD8JH5Y+AH10MYHwF7 - COxBT0mEDTeYtrpKaOl12fy4ft/PVNfHORaQpkIKm6azrhaHx2BVzIdtMB/nfh4max6GNw8dnB+9 - WV4riTTbRzbabsNuo4l0GkngjeaCduUnXrX4RmulZ5ObfqhhOrCeQt3SwpTKrVOPwybxkGkUwzPY - RghPMgZJegZfYP8kW1CDZ7AF9r/O9szYAvsn2fybvqcDkv4UljAtrW1Mcn5eHy+GbieyTNXTU9eZ - lq6Q2S/eTnM/DjE7jkpPGJ8Az+DW0k6jjyL/AeA2MrvZ25KW3gv2B/vzxZxu/S/Y3wBuGTZKVeBX - 
df8hQfPI28qevCRa9gWxSXlFC53iu9MtRuF7nucpXWw6pQCknU19uIt6W9uFOsZ3Ssf5v/9NWfdJ - Mzvc1nH8c0S/2he3r/9evFV60UU1jUduDId4ORzpUG08gcvxTIbq4fgsw3EKVcPeX4az8IjqATWQ - o/8BUEsDBBQAAAAIAGIR6lBHv6w0wQMAAMgNAABgAAAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1 - dGlvbi92ZW5kb3JlZF9zZGtzL29wZXJhdGlvbnNtYW5hZ2VtZW50L19vcGVyYXRpb25zX21hbmFn - ZW1lbnRfY2xpZW50LnB5vVZRb9s2EH73rzgkD7UBWWgGDBiEZoDhAEWwZhvc9lmlqZPNVhI9knLm - Dv3vPZKyRNrRmhRp9WCY5Hfffbw78ngJXBai2Vy3ppz/NrmE+bN9RLaUu4MSm62BKZ/BneBKalka - mlc7qZgRsklhUVXgQBoUalR7LFKyfSM4NhoLaJsCFZgtwt3tu+N0Cm8R+4H514BoHGan5EfkBpSU - BkqpiKnyKELQuPZeJ5dOXoGwwQZJCjlaHwKJ09UMFq2RK9TGA197oFRW3XLLmg1qqNkBOGsdO5dK - Wddr3LK9kApYU8C9oO2tESpJPKJ0GrmlE5poFPbu0+cN/qRUsoZaU0hNaqNKQch5JbAhGTVF38Db - mz+WbiLE9ouoBKvEZ1QJ3Ni0dKOOOM25bEqxaX0Wj1Z/7dBP6DvWsA3WxO59LEN4xyF7dO9VVq2b - GIhGsYOHhdaSC/Z0w0jUY0zPIMeFmlJa6clkwium9f/EYdpHfZZNgL6Li4sBHWiDLjcOlIk9U+BD - nkEk2xY5+MSmHktQc9hhD39sUgJP+piHbEgJDOGI/QRg9rlVmNab2gTBq3uvwWT6UKoHAYNNzoLs - ZiNZH9U2yvMEpd8stAdlR+cjEh5X3WOkn3J9l/jRYh/kD3Zh1YwqDOFPkBS49nw7plgNXGFBSLpn - iG45DKBB+l+4One3p7/EjLQF3tgLl/4unHtP54s/ZMvoeGYfFt0V56SGHpwZyLVtHK8CTOp+c8aN - 2GNeCHu7S3X4/UMoW7drzZXY2Q3losioT1AnC2dDLXC/FXxLPU3802J18J6FWy3D9uP2E7Gk8G4b - z8DtjQ1KrYGUGJClZ7Mxer+6dfHCPaoDdNc/NaqqCmN0Jl0bFW6NeumetKm8YTVm8Hc3BDvs00FQ - mw4KmmwVj3JwYn/CfrTILTaDVTcEZzrCHpCfmI+Rd9JjGreD9CGyB5XSENZMY96qKrOd0UXz/erN - 8QL3dVxgCXkuGmHyfOpz0X0aqzIJyyA5jX0SByuJt5fEApNezfWfskFqJJPQU+qvC7h+7M0//QHK - ZoOkllRMx6UkTvQs7UMX7CGNlQ0Ls2HL/j7IfQemTf/3KYO9K6BPCf2hd6FfIgeF4OQgFQZrPZ3Z - 55jQoqHT3nCc7hNXerMvcTDZTuR0irQ9cNfw4peXV7/Or67mL6/mO4V7gfcvYnzev5UIPryippHM - 2YlNgaFV+N46tYsN+9ZrfZ031PMqTLs3YBTM5FR5ci7rRPFIXyUZ3+qWP0VT3DAjVWNt8MfpCp6R - 4ZF8VodfAVBLAwQUAAAACABiEepQeb37Be0AAADtAQAASgAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nf - c29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC92ZXJzaW9uLnB5rZBB - bsIwEEX3OcUX2cACi+66YYFQhZAKSKHq3rEniavgicYObW5fJ1FRD4B3M3p+/9s5DFvn620fq/Vr - lmP9tJNke+4GcXUTsTQrnJwRDlzFtJeORUfHXmHXtpigAKFAcier0t13Z8gHsui9JUFsCKfjx99a - 
4Ur0GOJPhPMT0wl/kYkQ5oiKJZnamUpEmm9zapZP9SyhJk+pSgoqh38Vl8UKuz5yQSHO4GEGWcZ2 - +0b7mgJueoDR/WQ3LDJGl9Tou2OB9hbfLj2vJLScPK6aOppR50LSCD3i1XM/P/t8K67HyxlbLDbq - RW0WWfYLUEsDBBQAAAAIAGIR6lAajO4KGQIAAJEKAABSAAAAYXpleHRfbG9nX2FuYWx5dGljc19z - b2x1dGlvbi92ZW5kb3JlZF9zZGtzL29wZXJhdGlvbnNtYW5hZ2VtZW50L21vZGVscy9fX2luaXRf - Xy5wea1TTW/aQBC9+1eMxAGQCJdcqko5IBpVkYKCQm5VZS3rsdnK3rFm1yn+912vgTYx+KPgA9LO - vnnzdnhvBJIipZOHwsZ3X4IR3N3sc2RLyktWyc7CRE5hpSSTodi6OufEwirSc1ikKXiQAUaD/I7R - 3PU+K4naYASFjpDB7hBWT2/H8hw2iKeD3VtQ2mNypl8oLTCRhZjYMaU1yiHcOaunBiMvL0JIUKOT - 4gZty38kTl6nsCgsvaKxNfB7DSSu1C13QidoIBMlSFF4dknM1egt7sS7IgahI/it3PO2CCk5HhV7 - jbKiU8bRMJ7Gz2+7/MBy+TUA98VMGczDzA1NTZiX96Ayt30LC87eMMtTN30tWGRokds7qj2s0BiR - 4CMz8axRedxLzKsNDyPyP+0tK6EdOkNtF8aQVKJ7ytmWNVOObBWaq5qflbF9CZakY5UUPEjyh6bh - oi+0d8t+ybGP0BPsmzLOQmU7ekNp0c15RK2Flbue0FT0Je25wibe7wy9sWGyKbUV+4P7n3yLP0zP - hG1Y0G4SsoEBGxiu/w7WVaEaHKgrwnRlkHqEqH+AusPTMzj9QjMkMB1hOWBzt8Lo0rPX1WUQhKFI - 0zCEB/jhx4zPhWU8q+8+u3o8a9ZO4bjUdOisL88asvXy71N7wqqNNKEfbNVx3TayxZ5H8GnljcLB - esf68d/8fPa2ahSdiRq1htDzBmkI8WZw1Z/BH1BLAwQUAAAACABiEepQE1cV4owKAADdPwAAUQAA - AGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFu - YWdlbWVudC9tb2RlbHMvX21vZGVscy5wee1bX28buRF/96cgkgc7B5/yWghNASNprznE1yA2+hIE - Br1LS6xXyy3JtU8X+D57Z/hvSS4lrWI5d0GjB1tLzgyHMz/ODMnVc1KJmreLV72++fEvR8/Jjwf7 - gLDXoltLvlhqclK9IOe8kkKJGw3tshOSai7aGTlrGmKIFJFMMXnH6hnwvuMVaxWrSd/WTBK9ZOT8 - 7aVvnpELxsKD/lUT3hqaTor/sEoTKYQmN0KCpMZSAQU8r+yoR8+NejUjC9YyUAUGul5HKp58eEHO - ei0+MKUt4U+WUEjU7vWStgumyIquSUV7I70SUuLQ12xJ77iQhLY1uecwvWtGGgFy+I3RsUJxXIEY - ycLws8Ma/+hGihVZKTCpnoFVOW34b2buhK/A+JqcgxZNQsZ+rViHJMrT/FPr7l8ds676u5Rgz6Oj - qqFKkTO5umSrrgHd31NJV0wzeWJkvpgfEfg8e/YsdBAtSIdc8P/swznRjnN2ZEjnHRKSFojn5i8R - 1lKdFzCzdHrdMUemtIx572jTQ6v5h37P2MnblvysxS1rI0GOx0sCha06V1Rrya97za5WtCOvyGfT - jJ9jHPx4Tj4f37I1/LfPp+QYBeIzCDt+OB3ozRgxg20oczzY8Wt2Q66ueMv11dWJYs3NKfnhh9t7 - KhfK2RY/qgfHnJTccEqQ6cUsyAjcAzMQzIylXxHbN1swfeKn84toWUZsLZtS+7lYco+M143oawOW - 
HA9Dz2ySxR8GmSDonClFF6wo+RK8zbCDXIsalqRotaSVTvFlCOZkoK2ZprxRBi+U3MB3CAOS/bfH - 1RABxTH+Tn/rJZutFis9E35VqBVtQasVa/VshUqpWa6sXTiTIWZGiyFjGyLIFAd4BIhyeVMBZK2Y - YsIrm2Ei19iHmpNxiBm8eoHZQGJa6ITJBfdcL0kIUyZKgEkKFjlOPV8zHwKB+Cx+TIKIH2hOspEx - bkEQj/jqDMEFc0fUp0ESeMG5YIcPgoVGztggd2wDP9ZmL2xfStuXR2w4zGjxwkKvxAvI9mche2U1 - iflcU8waqPYK0zhgvITM85Yw7UaJWXzTwUJ10fpTl5qpGdKV5uZUiNVO9Yx+mFC6Ns9DADtTSlTc - rMQSKjCqUg71ikGEEk1vaylD828KmLxuoCaiEvJ326xJJ7q+8aUV5mNT3cGU48KIL1ohcWkvXW5W - rMWKFBCXQY3fUUl4PSdQk4leVoy8feOQAj0GLNgbUGbobbEQOPAx48nKCcNlo0rgiuDsuSxFhuhG - VMZ4EatvihA9UGXsULsCTjRnak7eh+/G2EUfEXFtal2AF1ZrrLYocMYOQVUNzBgurF4w1h2v08Iq - Gt9KmprwitoNM8iWLVQNvLYTSNYsr83yk4zWCB94uJQ9i1dpKL620Li1uonmYXfscHq4MABPW+LG - vuVg0M7Rm+ct9B4rMU9o28I3uDLmjFoj3h3ee0TEK0qeGvF4DW7BSFUsWscdBsKlDm+vLBxGZiyE - 0MFUGVtiwwmBdDBkHlLLazoaOKzrbUvaSCssa9Nu9tYQRTlG2LAbgm1rr3CfGkVo2D4LWdudGkZg - s1Mzqz9J9LTrYDttdLiyodgKn5kkHvW+rf0ezjTStjLbMmtkveSQJoZJx0EoH2Gc9jfFj5TTxQCr - 3t4xoCDLraFkjocrDnZgZ+qiSfXOoJtNak/4vuNK5xBG/zbQjr4uw9nXpymM3M773YiVbFgKWPjb - E54jZ7RrVUne5eixgi0NKvbxUSns0/SCc/c+/2N5iKfDDFp3Km6m7+6HQV+L9oYvevm9Xvwz14uJ - l/6EFWOi3/ea8ZurGTf47yBhLZH9/1A3bjDm5soxXd0HrR2fPEA/eXE6rSQ11ah14mCZKRWpj8Jg - nlZfeTNe+VwQF8ZGznCnEcfVJJwWRY3Hc5aKR3k/2A+MI3t7GxbftaTjeBFfUCqVrhw+RcnQ4EgB - Lzj9Smkgs66I24lp9xc1ufUTVGeJtCQ9s5Cfce6Fn9WQAV1tgqrkhgIDWoVq1jViHdltEGylTExS - Jbdu2Z54HueinZQjg+xMd24af+QWabthfO4x/b42utyR9zKTDTJ8a1yMF0Gcp8OSXYe0GHovTOe2 - DB4b3Gdx3xbxWVQdPnV+nX1kmgcLrs0zYsn7m4T54DYSMTi3nI0zH5ZLAL/yU+mRi/ZM2NP3ymkC - 33e3vDH9f8X9cqLDU+2Y00GecoU8za45VF85Ki5CnRasjT6euhWLYWI3poHTPX/2xA8vP3sB8DWM - 9hChofhmRc0VrIL1nLyxXwgsOAppjoYTPH8xiwgPcmOUBRFT0RUm4cacjqp9N1dOtZjFN0VcuT6P - AGAQ9SRvaTjdM/phRhtQ6aaVg3Nfj2eHEwZ29i6dR6idR69ZlXCeHTA4ngyVHsrR0QlA/n7Jq0wr - whWB7/jqF2jNdBWLH6Rk4gM7VEWudo+awKh4805rvORvIP+c5oIj4r3urf18R6UGtm2BsZ9IzBfa - tvAFPWPGofFgx9s50qaC3899vJn2JiksghAnU6bIHgWmATApV2yMdPVcuAPN70efX//oU9OFikeF - x3ifZnprXumPwHeKzJ+S2NRQEPke/ibuGZ2OOmdYoHzB6agZZmrO83BCtSae8j6Z4l96rBvm8P0c - 
9487x0X0J+Pgc0T/GRge0q0uQC7JOPgcccTQ/OIj4zE2HpFPvLBv41AYPZDvLa1TSntWDEtZurP+ - ONBxc3AE1dWylLwioVD30MAAIYVqUoF6eDqL3Pga5AHC8qTSaC9YPwJSxixTcbXLsyObgydHb8lP - zUPbI7kRt21nGL9YH4ayL7ZWEDDxNwjkH3h3GKrzrr9uuFr6a8LAxEG3peib2lQl9qjZ/rYC5Xsy - LJxP7oW8VR2t2C8w+gubZII1Lt1htMYivaIKy55Wcc3vmFVFL7k0dwN6HcSe4vAWhFYabdd42LHY - +RsBPx3YTbz3X22ZYwZb0KZhMhsIFAv2SFLkIGt8K7sS5mzMvvUanvH9T8QFugyGWpMeX2luxf2p - mc5a9KRhYHXqbiPYqtPx6XMueDxu3Vd6s59Zi0Vn/ZLWuaPteMHbI0tsd7irMs4vfrJsL/8aI+Bv - ePYOVhx5OJ2ZVf1Jf4oRXJbkqtC4/WY0snyW6gbn7hCBU8x4TdPBNllxkHmS04VgrDzZREYsJ6nI - fONEFdt2kwC01JjT2W9DrN14fxoS2r4XpluD7bd3YRqC83AIX3ipD/nCxN/W6aVdEIHqA10SdPwM - 7UUahB4XguJAukGHdJO5/5VitOc2Yva4PvR79zpopOYFSyhbDvk5Bi5nl3AAHzRRxp7r6CeB1S34 - CqEAeFbuKAkaei3wZ4oVJgknDaCRmpYH+vR3FgXVzbl+vgWW7Abc1VbjWW6Y38BA8DeDVi/zImew - NHmDGhnktmubgYSKdBa9qQ+uB/BDIryNLilSl7kTupKe6ZR2by+LIDvoxeqEveVmJVxCCAQfwmLb - kVIOdUFZwE0sK3R/CL3xNQ06IjuNHDstPZn0/bsFPiYP7n3tWXRRlnbKbnzM9WPB+qOf+oz9s+Ho - c2z50TFowTm7c+iuK82wyifdYapCBo5D5tbryv1uKv1UDns1GaQeFKeHvXz8H1BLAwQUAAAACABi - EepQ4QSnvO4KAABHQAAAVQAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9yZWRf - c2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9tb2RlbHMvX21vZGVsc19weTMucHntG11v2zjyPb+C - aB+SFK77ejDOCwTt3m4WzV6RBPdSFIEiMTY3sqgTqWS9Qe633wy/RFK0LDvJtgXah1Qi54szw5nh - UH5Ncl6wajFv5c3bfxy8Jm+f7R8Qe8/rdcMWS0mO8mNyxvKGC34jYbypeZNJxqspOSlLooAEaaig - zR0tpoD7keW0ErQgbVXQhsglJWenl3Z4Si4odS/yT0lYpWDqhv9Bc0kaziW54Q1QKjUUQMD7SnM9 - eK3EKyhZ0IqCKMDoeu2JeHR+TE5ayc+pkBrwFw3IG5Tu/TKrFlSQVbYmedYq6jlvGmR9TZfZHeMN - yaqC3DNY3jUlJQc67EbJmCM5JoBMQx376fMq/+Cm4SuyEqBSOQWtsqxkf6m1E7YC5UtyBlKUARj9 - M6c1gggL86uU9b9rqk31c9OAPg8O8jITgpw0q0u6qkuQ/VPWZCsqaXOkaB7PDgj8e/XqlZsgkpMa - seD/k/MzIg3m9ECBzmoEJBUAz9RfwrWmaktgquHkuqYGTMjGx73LyhZG1X9o9widnFbkN8lvaeUR - MjiWEgisxbnKpGzYdSvp1SqryZw8qGH8d4jMD2fk4fCWruF//T4hh0gQ34HY4eOkg1c8fAQ9kMZ4 - 1PwLekOurljF5NXVkaDlzYS8mXTLnv/OKzrxpDcDb97c3mfNQhyTtz8RHJo5MUQLRjxKmWxCkMHx - 1PFzVDpkAJgqq8yVEOGE1vhci+O8433J20I5TOwT3cx0lNYfO5pA6IwKkS1okvIlWJziBLnmBWxL - 
Xskmy2XoYwpgRjrYgsqMlUL5TEZu4BlCQUP/2+KO8JzFIP4v+6tt6HS1WMkptztDrLIKpFrRSk5X - KJSYxsLqzTPazRQ33230gOc2SQajHEmRGuszMZux/qKVO9fMNprwZxtxjvqRpjPsBSaFBrNDzVVK - uGdySVy0UsECtJJQymFo/ILaSAjAJ/5rEEssoxmJOGP4glju4RWREyc07kFPHCXQvFLa7GCLvp2G - eorfQLevA8trsxWGd9PwDvEVh4nN31toFX8P6fkocq+0JD6eGfJRHdRO0RoZ+rtIvQ9Ea8PFR7FD - e0Rst1yz2fw17Lv/dtqEqtCYKznCCSMJzJkn5xtnLpKdCMFzpvZjyjcwvGYMihflF4KXrS6sFMx/ - MvDM6xIKpKyBZF6Va1Lzui1tnYXJWZV6sBS/SmKLije4wZcmUQtaYXkKfhc5HLvLGsKKGYECjbdN - TsnpB+MvMKNcBmedryl4nUIdBr5GOFFtobB0bHFYnlNbLA0R+XXJc6U8D9UOeX7dQUXoUMiC/SWj - YkY+uWel7KSNCL9WhS+4DZZutNAWN8p2oVV0yBg0tFzA644VYZXl8deUxma+pHTdCqLNC2UDK/QC - gp3LCrUJG5oV6D7wctm01N+rrhIbgDE7dhPM4/YIYuQwwQDeBqLHrrWhk87Aq/cBeOsrPo4bG8Dr - TOljeqMe7hbrjYp7gU+bQNdxGxv5kpKMjXysADMi1WQV259QLp+asGuByWD3OoBuYQDSvQwH1E6h - cWhN722PidvfQ1tbUUtsbzWuDtwQTRlGWndEgrNsK/Dw6kVqOFPzptDHN4zE6vimokCQ9rO6hjO2 - kuFKh2RNfKpSujd7WtiDnRrMqlyd1bRC5ZJBuugW7QejmEO/CNgUR0JMEwu0eDvHggQts5eCNe5T - KiQWuO8W6Xxr7GYJmcOaw4GxrvyRCRm7M9q6hHG0e9q1beUaupQ53H7soZIN2wKPBLoFdGAUdC3y - htWxJ2nCGgYF+/yktPZlfCm6vRHwOc1ilP8oYk+KrKEdx7pO+vTfMXjPqxu2aJsfZeS3XEYGVvoG - C8lAvh+l5HdXSm6w31cpJgNZvudycoNSNxeU4S5/1pLyxQP1i9es4ypVVaRqg3WaGVOo2mgM6qnk - lVXjlc0Jfr2s6HT3H358DcJqklSfn9GUz+VTpz9QTtPqmzP/XibkY0nsUTWlrhy+eElR+ZEAXDD6 - lZAApk3hjxM1bi91Yu0HXh0l1BT1SEN2xbEVfhNdJjQ1CooSKwoUqAUqaF3ytae3jrCmMjJZpcw6 - cGqxOMZEWyF7Ctma9swyvubJaVgxNgepeVsjXW7Jf5HKOhp21K/Lk04cp8WUXrv06GYv1ORQJvcV - brO5HfPwtFeNSqEbQ8XE290T57HJ0+gTE+3zH0rDrJlYIebPxHAP0YbCuaeMXk6OrJtO+jYmzLs4 - Ojptjz88h2l81+PzxiLgbzxABzK81BE6ZPKSh+gBiz7tGO3KsNgxLlzB5hSOZh57NvM9RZ9UHaZ5 - f7DAj+8eLAF4dNwePYdIfo5RMAEbYD0jH/QDgX2VQb7LXIfPXuOikzu6vqM5EmMdzC3C8BzvWLue - toxoPood8rBiefb6ysPQHeuVjueTv+swjGHOPPXd0qwr9s5dTR61K5Tf6at35rntzPs4K+XoUcvB - 4ERuaX3Za6aAz98vWR5JRZgg8IwfjIHUVOY++Y5KRN6hQ31kqnhvaEElXtRnBX4TUFJMtBFhD3in - a2673l7RgWMDfmwX4uO5sQE8J6eP2A3u0f8OLGacPVCzGQs1tPOuMK45dnNYqfRRXD2GAC64zp20 - IUDnUPNOdreTLky780dj9O9vjMpsIXyu8Oqf3tRswXL5WdXJ8OdLEKfKDEh+gr+BeXq9U2MM7RR7 - 
9E4Vm7EJ0LoTijWyB/xigu/b9HVr+NHl/XpdXvT+gA++e/APgPAYHoDB5YLsg+8ehu+aezeU+76x - dwcZV2SbySDS3n1lK9K310jGFeJJ1MY1N4HrxYRmg0Q3saX17NSfyXyZSlkeAah8MocAgSSTJAe2 - 2KlFbPxu8hmC8ajiaCdnHnQkz2lGO4ZS1ljv8G3W0zrYq/d9/dj8MxzBFbmh46H/Sb5jpb+FzSFQ - 4q8XyL/wRtFV6HV7XTKxtJeHDomBbEveloWqRnTjWf8qA+lbMCyej+55cyvqLKe/A/djnVycNi5N - a1pioZ5nAsudSjDJ7qgWRS5Zo24K5NqRnSB77YaaWlatsemx2PrrArscqE8/2Udd3ihmi6wsaRMx - AsGcPoLU2NHq39WuuOpv6S9H3Tt+BDoBN0OTAas1afEr6IrfT9Ry1rwlJQWtZ2ar01Ut/V50TLjP - t2hzudnOtMJis3iXFbGhNT9n7Z4mhg1uqouzi1802rt/+h7wE3biQYs9C4cr06K/6I84nMmCHOUG - h+9LPc1HKa4z7hYSuMQIVw09w69IQm/s8mDsL92M0/fOoRCi1ZPbEk5ezFH2uZfHPOl1LvMGesC4 - IA2FT/3Au/Fq1eW3Xe9SByPv93eX6iJ112lPfAaIeG7hp0V4n+dIoPgAF0Qgu0J9xwZxyMQjP6pu - kCE8ae5+2+gdvBWZHW4W7QG+cBKJWUITQldHdo0Oy+jFdeWdJELpc+39sjC/BVuhKyyoFKa3BAOt - 5PhrxxwzhqEGrhGqljn48HcaCdFVsz8+Bzf0BsxV5f1Vblhfh0Dwp4daLvXpp9M0+YASKc+t1jod - ceHJzFtVLFx3zg9Z8da7uQhNZlp2KTnDJW0/Yyad7FnvXEccMDcLYbKDAzh3m21Lfnmuu8uE3/i0 - 3PS5m/XvbtAQUXuyb7SwVWnntxMcTIqbg8cktRdcf7Iv3s45ced70aSs4CHJ8UQ7c/s9ZmLF6kdE - vdG4F9pXh+qL9ocHcuy2e1AXBUZdfIpEhvZD6uAd527Xm3Ypz3uf6ag+/wVmWvf73Vj+H1BLAwQU - AAAACABiEepQrf1ovcIBAACqAwAAVwAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVu - ZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9tb2RlbHMvX3BhZ2VkX21vZGVscy5wea1R - y27bMBC86ysW9kFy4PBcGE0BI4eiQIIWaW9FoVDUSmYtcgVy5UQN/O9dUY3q9hwe+BjszA5n12Co - tr69Gbi5fpet4frNlojdUj8G2x4YCrOBe2sCRWpY8NBT0GzJK9h3HaSiCAEjhhPWSrh31qCPWMPg - awzAB4T7T99eYQVfEZcHPzNYn2r6QD/RMAQihoaCKHVzlVTI281ds3WyVyO06FGsSKNqvLBYPGxg - PzA9YOS58ONcSGFyd3vQvsUITo9g9JDUDYUwta7woE+WAmhfw5OV71UIHYmObZJHM8nZKDIBl/bq - bcPPmkAOXJRIWfW6lRmDdZI6wxfdYp1lmel0jPC5x3kSCS7SvtllIGu1WqVzD38EDHnWVgxPyYLl - xBScTgJpCVr+SA3skvLucZGG9/rXEFC51rGiVzQ67aWbQ8/KSSRdVAvjwyNQNQ1yMZIupWYOthoY - S6d7uIGXBE8r9/jMZWf9Md/BS37EUc4E3k3YFnIee5ywyCE/b/8SzSBz81zKJ/GSe9LdgJfE74u9 - H/k58c+zrRobKEvrLZdlEbFrtnClQxvluDo+TTdJdGkYB5Ep/s19CxNtoxaV//nZb1BLAwQUAAAA - CABiEepQEl0hbT8BAABrAwAAVgAAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9y - 
ZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9vcGVyYXRpb25zL19faW5pdF9fLnB5rZCxbsJA - DIb3PIUlBkAqmbswIIaqEqgSdKuq03FxEleXc+S70PL2vSRKBKK0HfBm+/Pv356A4YxcsWxCvnhM - JrC4W0SxNdcnoaIMMDNz2JIR9pyHWJeaRQdil8LKWuggD4Ie5YhZGmc3ZNB5zKBxGQqEEmH7/DqU - U9gjjkn4CkCuY2rhDzQBhDlAzhKVbE9FIuZVvzWZdPYyhAIdRitx0eF0ZnG2m8OqCbxDH3rwqQdZ - WnfrUrsCPVT6BEY3nbphkXb1AUt9JBbQLoNPiucdECxHHco7j6aVIx9lBMf16X2fn+TCFaTKs23a - i73iGvuXe6Aqvj/Afui9jK1hrNJOF1ihC0p7z4b0LZHtSK7OwF8VDbucikb+obm+QK9Vr2fPmEQp - ba1SsIS3BGJMf7h4+tC3/rrjmrvlbSAvKu/JN1BLAwQUAAAACABiEepQwK6h29QHAAC3OwAAcQAA - AGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFu - YWdlbWVudC9vcGVyYXRpb25zL19tYW5hZ2VtZW50X2Fzc29jaWF0aW9uc19vcGVyYXRpb25zLnB5 - 7Rr9j9s09Pf+FVaH1Ha0uTskJAgU6TQ+hLQBOjYkdBuZm7itURoH2+mtTLe/nffsfDhp0vbYgXaQ - Stsl8fv+8ntOHpFQRDxZzTO9nH02eERm9/YDYk9EupN8tdZkHE7IMx5KocRSw3OZCkk1F4lHLuOY - GCBFJFNMblnkAe5THrJEsYhkScQk0WtGnn3/vHjskZ8ZK2/0G014YmBSKX5noSZSCE2WQgKl2EIB - BNxvLNfBIyNexMiKJQxEAUaLnSPi+GpCLjMtrpjSFvA7CygkSvdkTZMVU2RDdySkmaEeCimR9YKt - 6ZYLSWgSkRsO6i0YiQXQ4UsjY4jkuAIykpXsvfs1/oBvwMSaZBmPBkspNmSjwLzaS3nKYp6AABbg - ScxZoq/oDWiaCrDTwIJ7XgGxAXFjNRgMwpgqRZ7RhK7YBpAulRIhNwZVP6bMOlSNxQI9MPEHBH7D - 4fAYAhHlpTcwSL+KjKi1yOKIJAJdqzRNNCAyEnG0cbwDQ3JFjERTssg0CSXDdZorlCOFDACptm7I - QbgJDLIDJughqjUN1/iUKryRHMixXBI/pZJugA/S9AvaiI6RCoEFLvwjA7uC6C68SJZ8BfDmb2a1 - I2JZYlmCNRxY4jTmfzLpk0sANla0xnfWaigRO4TkruZofEshLFMebJlUIFKp0WXKyS/2mYdSG4OT - LY0z5pPhJ+cXn84uLmbnF7NUsi1nN0Ov8K61k40RMi+DBR9GbEmCgCdcB8FYsXg5zfWe5gaaOopN - a/JC9BgS+ENML7CYwMFeNFZLTACoqDSAHAYA5rKrAzoGArg27RvCWW1QNnNRaR9zpYPFLlDZQoWS - pxgG4xK3wAdzZEqLTbBmFGqdmv8gEjYlkt7Mv6WxgsvHj8scCSyPPL1yJ1wxCFu2hYJk6mRrwhlh - TOgijCuRV6lzMiEHpwhGDpFXV8Qn+YWThFALaRRBudXC8Mjzp0ltIUSMFvABQGcysQLZ7Md9wpQq - QmORrBSPMMtZZVfHtVEJ3OTQtKhPfMmW/uuyMOXezLO3oi4gNiTwVF/akuoLY0UFpq0q2VevvYqh - VcFvt+dPBktzpp6ig8A/eyUZNo6KPYaFlpmjj9S7lFXxQN7RPzPJvM1qo71Kok3J3LNJ6p0gjqO1 - JO8aW4i3v3dUMlGumHKE8k2t9l/jXvqMKQWcv5FSyG/ehMzY78sTpe4k8NVrNyXK60e2nskMAufF - 
1dPyeSZjUywgf9vS1NswTSOq6fUIIEevSryU6nVgO4mAylWGsmHle1vL65FL6/to5DcLlQdUx0On - fHguRsCj4ZQcWJ0CBy1Hk5LpbZtiedX0cnGRJfzDetKqxWTQajWTL0xDHpfLkLNyF1QLqP9t5+r1 - CErqLC+po1eldJUxDEZuDqf8FjZwHpWKt4qa15tyzd53Crq3fD26DDGcjJAgdQrNownEs98ViF4i - 8mXNOUUXl9s7yIsa+MmvRUULvzezjZpZtFmONuORNZKWY+zfPPzvYjyZuOwblfYwGy9LIZTZuI40 - 6VKHGhsEMfS4GaQZ9KqmD8Nt6ag+FndW4LZ626LVo7/BsxH9jdXDQYBdnWJJtLe35PfN7FgxbdOi - GbfTfQUnDrG8ODeoIedxzmmKPmR0c2AfH7hOKGh60H/pTAVmUrAtMLn+5Pz8Vd38psiSY3VxvNf9 - TEtGDvvapjk3zj4q2nxOQKq6UA06e8zHoxP2nVGriCgGtAQ1dkXG0ZvA8cjezjR2xXKJ1+xp9uk2 - koNBA8YlZ9YO7iFYdcw24pPRmQuhzt7WN4rbM5hgtxzT86ycRr1qWKpsd9benY1uq/bTDjyBkEGe - /y2tJ2goMhmyYCVFlgYJxPmUVLtuQCva+WIsbEnM29S0dFz+4H2b2SdG6rMXRuT2nsnpPi20wv7E - Knmgdd1vWlu098lzwMcrHNhsi2qBiAHCxhUqhodglT0NPE6k1JwFQBFQXPMtc7pA7NLaGUKRaAp2 - wAM+eQGx164h+QEAmjwP0mrhXTjYh3Eg17x41KBcQbaQqQLDJ1V2mwmkXXY7vVY2VVmKBxD2aAYd - 0ZYGlXeKxGmq78hx7z1yPwTdzxDUNfZ0Tjvv58D/wFhTa2kP6Tou63VxUavZ1WVHN9UxMzX3lgcy - L03rXIvi8R1WY6ydXYxb6vawY/M0jHAPfRPELFnp9fzzc7jlSXF7MUWjgOuSuRz9dj17efPSC16O - X05effzRnoRFVTsknKt3AV+I2Ll2xCLPIctO4VeaANOywa+2doTfqfqVNFv0q6118Nu05cgh5gd2 - z+GRTqkf0VtE/bdG9BZEEELjnG1iuxX9CxKuqVRM2xdi/cD/IAb+hYh25QLeYDej7euCpii4PHZH - /PZx9L7OFtLs9LOFaU32/qThHzppeHhnC5291l3OFYrN0bQqsL7X+rhHD2/dtuO2AsbK6dw20f7W - icXZ2849+dY9zYDYY/d1hvG+ZxRfG1lOO2o4Clt8u9DxTq4/qujm3c/bR+dtjO27j9cF1sMcjk+Y - X2016afWfmrtp9Z+ar3vqbUfF7v0+QDGxbvOcHnj2b8ifp8ZKW+x7zob4XJjq/5fDT34bcIHMfEU - XwYeHXfqnxBmnf1/P+H0E07/RvFhDU2Yav3E1E9M/cTUT0wfynu+ftTq0ucBjlr9p7j461+Q3fEF - mduX/B/Gw78AUEsDBBQAAAAIAGIR6lCyPzuqlAcAALg3AABzAAAAYXpleHRfbG9nX2FuYWx5dGlj - c19zb2x1dGlvbi92ZW5kb3JlZF9zZGtzL29wZXJhdGlvbnNtYW5hZ2VtZW50L29wZXJhdGlvbnMv - X21hbmFnZW1lbnRfY29uZmlndXJhdGlvbnNfb3BlcmF0aW9ucy5wee1ae2/bNhD/35+CcAbY7mwl - KTBg0+oCQdYNBZpuyNoBQ5KptETbLGRRIyknbpF+9h0fkihZchw0HZpNBhJI4j1+9+DxzvIBCllE - k8U0k/PJ970DNHmwDwg7ZemG08VSomE4Qmc05EywuYTnPGUcS8oSD53EMdJEAnEiCF+TyAPeVzQk - iSARypKIcCSXBJ29fJM/9tDvhBQ38kYimmialLP3JJSIMybRnHGQFBsqoID7ldHaO9DwIoIWJCEA - 
BRTNNg7E4fkInWSSnRMhDeEvhpBxhe50iZMFEWiFNyjEmZYeMs6V6hlZ4jVlHOEkQtcUzJsRFDOQ - Q+caY6jEUQFiOCnUew/r/B5dgYslyjIa9eacrdBKgHull9KUxDQBAIbgNKYkkef4GixNGfipZ8g9 - L6dYAdxY9Hq9MMZCoDOc4AVZAdMpS+Z0kZlAil9TYq+GbKZiMPJ7CD79fv9uFsSKS6+n2f5kGRJL - lsURSpgKr5A4kRRchSKq/BxvwJlUII1qjGaZRCEnah1boyxTSIAQSxMKS0J1cqANKFFRwlLicKme - YqFuOAVxxCLxU8zxCvQomX4uW7GrbIXkgjD+nYFvAbpLr00FetdkxOYFlxFY4YElimP6gXAfnQCx - 9qMJgLNWYYnILiZ31bLRNYbUTGmwJlwApMKik5SiP8wzT6HWDkdrHGfER/2nR8ffTY6PJ0fHk5ST - NSXXfS+Pr/GTyRM0LRJGPYzIHAUBTagMgqEg8Xxs7R5bB40dw8YVvJA/WoT6KE4vMJygwVzUVgtO - ICil1IgcBUDmqqsSOg4Cuibra+CMNQqbviitj6mQwWwTiGwmQk5TlQbDgjfnB3dkQrJVsCQY6p2Y - vmYJGSOOr6c/41jA5ZMnxR4JjA67wWwQzgmkLVlDUdK1smXLaTg6eRWVi8krDbqHKIcrT0gK2Vc1 - xkf2wtmIUBNxFEHZlUxrsXuoLm3GWKy84AOBzHhiIJkKoM4LXbIQjlmyEDRSO52UvnXCGxXEdQ11 - r/rI52TuvyuKk42oNbuUziA/OOgUz0xp9Zn2owDnltXs+TuvVGhM8Ns8+pvmk5SIVypIEKOt4gxH - SAlAJYfkmWMRl5uUlFmBPuEPGSfearGSXolpVaj3zFb19gLkWM7Rp9px4m2fIyUqTAURDixf12z/ - nTpXz4gQoPsF54y/uAmJ9uGzPXG3Cnj+zt0axfWBqWs8g+R5e/6qeJ7xWBcN2MdN29VbEYkjLPHF - ACgHVwVfiuUyMF1FgPkiU9hUBfxY2d8DV9bLaODXC5YHUod9p4x4LkdAo/4Y7VgdgwbJB6NC6W2T - YbZ6ehauUgl/qq40WjHqNXpN7xkiYS8Xy7Bv+SYoF5T9t62rFwMorRNbWgdXBbrSGZrDusMpw7kP - nEeF4Y1Qbc0p1sx9K9Ct5YvBSajSSYME1Ck0kjoRD98LgF4w0nklOHlHZ/0d2MIGcfIrWdGg72ay - EhPDNrFsExoZJ0k+VL2cp/4dD0cjV32t2u5W42UppDIZVplGbeZg7YMghn43g20Gfavux9TxdKc9 - hneS8zZG27BVs7+ms5b9tdXdSaC6O0GSaOt8sff13bEg0myLet6Otw0cOcJsea5JU5qHVtNYxZDg - 1Y7zvOcGIZfpQR8mMxHoqcG0wuji6dHRVdX9usiiu+ricKsLGheKHPWVg3Oqg30ntOkUAaoqqJqc - LeXDwV4nz6ARpAICjUFFYb7n8HXgxGTrbBq6wFzhFY/q07pJZK9Xo3HF6bWdp4iqO/og8dHg0KUQ - hx+rR8XtIcyza6o26GExm3rl2FR677CtSxvclq2oGX4CxgNbAxraULCRZTwkwYKzLA0SyPUxKk/e - oNIM2eWYmcJom9a0CJ598Lmt7anGffhWg27rnpxO1NAL1acYQ3c2ststbIMPfPQGJKgrNcKZhtUQ - IU2k2lioHZ4iK72q6dWMivU3BFAOBJV0TZyeUHVszQqhXNSB7YyDj95CFjpWVkfPEtVrIK4juENy - A5Y86D6MC9YT+aOa7JKyQUyZLD4qd72eUFriZSfc0h6RpeqLCvMVjgpN0wYp45VvqboLHCRfoIPu - xqSHGpPaBqMvPw+BZkfWo5yAKt3vbmuHRVnPLyqlvbxsab1aBqz6IfRIhqtxVWteTX5RBVsV1DbF - 
DaW933LKakXqsL0JYpIs5HL6wxHc0iS/PR4rp0Dwkikf/HUxuby+9ILL4eXo6ttvthCumqO6C+vO - Q6B/ZxvQTaENUP+tKbSBEUBINUq+gSLYzP4jCpeYCyLN+59upn0UM+2MRZtiQd2o3SjNN+N1KGp5 - 6E6xbRPXQw3Qabb/AD2uoO/G6S82Tj++Abq1S7jP8JyfsvqQhfWtQ/sB5uvDjzsO2lt3+oZUIg83 - c3/uTP2TRrPvYLwHdf4GvuWdUjda7z9ad7PhnbOhyvd7D4IF1+Oc3fYYrkyN6UaqbqTqRqp8uZtl - 2uz5CmaZ+44XtonqXtF9TvNum8X7Nu1quXbAPN5uXL3o/Upa8fznVnv04dVfZmXVprR7q9W13t1r - mf9qa6/2YdfXd31919e3LXc/2PsfDgTdD/bUp3vDcO83DO55+ujGmH8AUEsDBBQAAAAIAGIR6lDR - SuSHRwUAAIcPAABZAAAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlvbi92ZW5kb3JlZF9zZGtz - L29wZXJhdGlvbnNtYW5hZ2VtZW50L29wZXJhdGlvbnMvX29wZXJhdGlvbnMucHmtV1tv2zYUfvev - IJwHy4XMJAUGDEJTIMguKJCuRXYBhiBQaOnYZiuJGkk5cYfut+/wIomSPLcDqodEJs/1O985pM5I - JnJeba8avVl9Pzsjq2/2oLEbUR8k3+40ibIlecszKZTYaFyXtZBMc1FRcl0UxAopIkGB3ENOUfeW - Z1ApyElT5SCJ3gF5++a3dpmSXwG6H/pZE15ZmVqKD5BpIoXQZCMkWiqcFErg79J5nZ3Z8HIgW6gA - Q0FH60MQYnS3JNeNFnegtBP82QkKaaK72bFqC4qU7EAy1ljrmZDSuF7Dju25kIRVOXnimN4aSCHQ - Dt/YGDNjjis0I6FzT78t+DNeIsSaNA3PZxspSlIqhFfTmtdQ8AoDcAI3BYdK37EnzLQWiFMozT41 - Eqj9m8JzBrUBT/Wqosl/lBJRdkqUtlslplio2WyWFUwp8q4GV24VibWpzzKZEXzm83m/RUT3Smd2 - +0/RELUTTZGTSpgSY0SV5ggXybnBujggoFwR6yUm60aTTILZZz4xr5QBCjLtyuFFuCUIOaATUymm - Nct2ZpUp80NyNAc+kqRmkpXox9hMWttG3TAWCYal/KtBxDD0UF5UG75Fefu/cdkRsem0nMGBDm5x - VvBPIBNyjcIWLwdosDdQyeGUUrjr1fieIT1rnu5BKgypy+i65uQPt0ZN1BZwsmdFAwmZv7y4/G51 - ebm6uFzVEvYcnua0raPDydWdXHUEMIs5bEia8orrNI0UFJvY5x17gOIgsXgQL/LEmjCP0aSp00QP - 7mW022miQG9lJBQ4QLHQ3VAwAAjljmU/Cs5lY2KzL332BVc66mRbeUy/UVqU6Q4Yzjh19YuoICaS - PV39xAqFry9edD2ROpu+cTzot2gXyYqcFm60sD3jBVsXELTcW1axLZQGNTvNrt+/mbZayCaO1BlG - lhD/EnQRDjWW5zg3tbCufQOMra2FKExKCQroRlbKCrv2NQPfzhxMQVRbxXPTptADFdQm74THHsYQ - JSSRsEkeOwR8OXz79dYFFleiT/XKTbtEuPmGbd3j8/qR9g5dCrbFuHanAdb2I/RTBuvQ+Q309KGG - vnLkHzdYy22pae+q7ApFXfvQztR73Mjv/7faQxAC4wqwkImdlcljP7xfnZr1tJd7/RhSr3s3/MZ+ - wFpA6jkQVfCsUzxlPlpKB5w1D56CZpp3MsNd85y50SMbpMjvd7eT/UYWtr+x5Uxn0RI0y5lm9wvc - WTzMThq0pAGsnpqIYfDykPYC6OTvz1+Uul/goFj5QbF4aCPrZxG1GtF8PFTm8WTOxGSBYS6WwxSw - 
pjBFyaHQwfiV2QzEQlx8hw/23dpJRCYi94vrzLDHIoHQ1Hj/smQ8/6AQnzEVgsFJ28uQH/ItnVKe - T7M/4vd5VaqVU1151RXPXUW0jMxViJo/l9FyOQ5jNO++7I42NVIOoqHixG6YHrO4pAVeHRvsWLwC - 2kYwLfJV+Tn9Vat/lGpOzXPtuN+Wdsd3jzMwJIq5LCmo8snEN49f6yLzF5wt6Aj5Gk9IGU8TXY4M - mpHb+RqMHV6hfMUKVN7iR8zpsdNH9p/TapR0dzqNkjHJR145NtQCVp44sWdjTrR2KQ5d3ajUfg+4 - Cy65f3lx8TBlAzzXGEU/i6PWxvKYKO0bB7U6d56jthiuWYIumRqyJ4YxN0bFF8Sfxt3mGfkhuFhN - TmtfZ3u7uLKk77YMJnhDODZXvHgwdAZ3gvaiOTopoxEz4unNj+ZQYx2hyjj0LDTugoL5XEOXdm9w - 6pjw7MGTkMU5fn/uuUH5vPuWpMeuYuf9+b34PPsXUEsDBBQAAAAIAGIR6lDErCzc+QkAADldAABj - AAAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlvbi92ZW5kb3JlZF9zZGtzL29wZXJhdGlvbnNt - YW5hZ2VtZW50L29wZXJhdGlvbnMvX3NvbHV0aW9uc19vcGVyYXRpb25zLnB57Vttb9s4Ev7uX0Gk - B9jZk5XkgAP2fHWBoLe3KNC0RdoecEhzKm3RNheyqCWppN5F9rfvDKkXUpad90vSyMBmLXE4MxwO - Oc88TV6QqYh5Oh/nejb8sfeCDO/sA8pei2wl+XyhyWC6S474VAolZhrey0xIqrlIQ3KYJMQIKSKZ - YvKMxSHMfcunLFUsJnkaM0n0gpGjN5/K1yH5yFj1oL9pwlMjk0nxC5tqIoXQZCYkaEqsFEjA89Ja - 7b0w7sWMzFnKwBUwNFk5Lg6Od8lhrsUxU9oK/mwFhUTvXi9oOmeKLOmKTGlutE+FlGh6whb0jAtJ - aBqTcw7LmzCSCNDDZ8bHKarjCtRIVpkP7zb4Pb6EEGuS5zzuzaRYkqWC8Oow4xlLeAoOWIHXCWep - PqbnsNJMQJx8aZGA8LwUfnv8/gO8YTIg78QHO+bK099yycpJIZXLqKHg8PionGbnhWE5tISoJKrX - 600TqhT5KJIct0q9z5hNFTUQE9zb3VGPwGdnZ6dFhojqa9gzcv8VOVELkScxSQXmCbiZag4xJzHH - DUtWsCtcEWM3IJNck6lkOE6L6BSTpgwEqbZ7Wohwk2VkBUZwu6nWdLrAt1Thg+SgjhWejDIq6RLs - oM5RqRunY9pDlkI+/JpDGMF1V16kMz4HefP/3K6OiFk1yyr05sAQpwn/jckROQRhEzgbYmfMmxKz - bZPc0WIaP6OQ4xmPzphU4FK1osOMk//YdyF6bQJOzmiSsxHZ+dv+wd+HBwfD/YNhJtkZZ+c7Ybmh - Nk42E8i4Sgl8GbMZiSKech1FA8WSWVCsOygCFDgLCzx/IWGMCvzgzDCyM8GC/dIYrWaCQK2lIeQY - ADHXnC/oBAjk2lbfcM6uBn0zX3rO8m3ORUJGeRbjNwwHWB1UGkotAd6lIpdTFs2lyLMopUsGESoO - TPFoNp5p8A6CmCstltGCUbhu1fidSEFA0vPxv2mi4OsPP1QnK7KeFecQPy/sNssc8uXz8dvqfS4T - E0NcVsP3EAxT+EJP+iDVP63mZFQvIntTR1TO8yVsECbD794i+yqfqKnkGTr0Ju6PmnsXgtbBjhPR - 0J0R8XgnIFtGA7CgZX838K2WUf0Zg/oOgrfJcEv4dzZsijEUQCn5FiUsnevF+B/78MjT8vEAd0rD - NqVj2f/fyfDL+Zcw+jL4snv617+seVhu8TbnvDTYWUsLu/JK7UXbdhZHKCw2CtXCf5gmrfu322vN - 
lToBq2G4AOUqqgdw5y82jp704XwNi/PVP628qxdsZhSJ4JzFcvedV9XCW10tDkY1Zp83Oro2fNI/ - nE5Zpo2T4HUGsMScpr1fFLi+bSI4oSGIw0+rjLVP/yeZLqhUTFscV2vjMy/JS7RR7F5U1BvI95GX - RS1OfBsu1dBOGxbThjy2IddygDgjxB8Hg91d17x/r1xiJrR3w8CftLtpOdRENEoAi+V0jpjKlHi8 - uy5dj507LOe25o6d5t8iDZuNW6Qxuj2lJiJeVQP4gBertoWp6QoOD9z7ul+Cn03aEY4oBj+K3aqE - iufmSc5ybY9w84wF6+ELPHd3HdUWQzZ1ox+Dwm6A+cLockth6bkbXuoMAUboXEUGPVskR06gnJ76 - Wy0pB/sWOYQI3I+YUrAVP0kp5E/fcHvA0mCtiAeVIce8Mx7DmjCxLvdtPCbglu9VQ9Ga9UG9na2O - oC167usszzA9j5y4r+H5gWvbVe5Fjelcpm0qe72GjKuuxibN8v7/gCRFbzH+JPPLAApgy9fGw73P - xr2qvQjr9VkB6CAksWtQpltrkSwQc8t6RuQTTMFvCNBxeilEjBDRAjpOHaJYHSEjjx0INY0knBYF - uO6MhbVFDXd/u0E4TU3HvJiOyGfYsGoZBIFBU3FjQovKel/sEp26h+caGqkY11Z0Re+PPjpx8225 - mv6wDeNyvtRh3bgtaQoHFnFDWJzjUlfTq5jDRdeoMGWldno16L9pHFsP7Z74N2KhbSJEYo6ZXaFp - dMusN67DFq0drwA11ltpW8r6IqSJSOeKx8wY9q6B6oQ1Q23TGryAvDbtYd01B8TkvnmbilI0wJyl - tRNl0110cCgMwQWcQJNqDPYYdmpeF6CRXalp/ap+F5K46vltQK1U3Z+D6drwWnRelmKviitsbE6r - YxQD69xrf7hEgvkZVYkRHuJz1etbr06um0N1p+G5fgPDDUYlXFv99X07dSKDhcwFTCNDUIy+bixq - L69obaOCV1/dC7O++G05yBMHM1ypE225r8ZtRcCvFe5dNPbLgydYXyRjp2r4JdKvIP6jL4q5aQqJ - 93a9qFTDHkyY4a0e4VmPZJ6mcMAikWuEVFW9vVtAgJ82UGBWfYfAwG7j5eDAkVsHCPhJpID1JXQF - rjRjCn2J9jOn74eyktd8ySCw/UbKOAh8+0Svlai4SWWu2lH5IoJUWgjclvriHVT+tyPWUi3cBJ5i - c123aK7o04E7t1W0eNHEYdW9PHChduCc1mBTUgYNI9aFjQwNdraGpBmR/p7Lk6i9330a5mKvPN7m - dMP4GmFysZdJccbxAO5VdHtYE7hH1XW1V559NOOwGhf9C5cUuxsqTNN5iTBvxYR5fEDjdv9A9XQx - MJbwx4a+bQN/1rFmHWvWsWYda9axZnfCmpm7+M6oM3OxP0HybP9xkmf7z4w8ux1ldg3ocj3GzJwR - QtsYsLUh8j5NVnYhiHzRJ6LyDP9lH3+34TlTZxiLETkuF4OPDR1WAsmsE5hvzvhpU0tHdXVUV0d1 - PQDV9XAEV9UpdqRWR2p1pNaNSK0nRWXBVrDbU1n3/Ztc1suOieqYqO+YieoooE3reQQU0HX5GXtj - XZmg+X4pmdswIUUduREDgtWt2IR7KmrXYzb+ZXyxv9+j1tmNtuHyD0zcOvO8eY2OkXgwRgLT/xI2 - AkW2MxE34AFQ6en9cwnGzFPhB7aB9vvlBx4vEXDbJn5brbFxvbx573rzx96bNxrJx9ibO/n/IO04 - 3D3HTEvOzlqBSjlmoUqORb1FqsMmd4ZNygJs8MQ2tOGAkqvAjmYKjBARzEZfq4Qt/hqw+OtPh9eH - 5leCTfXSltWRsEcGYEdd9159dSJYIg3nXzXWb+ASOOhW3HBNqr8NMGwp/4+x7l+BFsNz0nFiHSf2 - 
/XJiN/7trI5M27SeJ0imIRTqmLS2X266zLXn9LtN+N6tiI8Z3CccLp/JKvIr2ZXx/l0B/AbfiF4Z - 9mgL67hlakjeFCBXlg3EROgFmXGpTJHSKzz6lSq94DIu3ldBe0JNRIf4r4z4PxhBzZl6izl27/jf - t+esRH6/3UD7ndI1CHfUIHRAvgPyHZDvgPxTBPJ+OXx6sP6S0vbgSL8N2ruG24D9s8LwHVTuoPIj - hMre+XgaQLmDoR0M7WBoB0M7GPpwMLS1bFwHhN4IYf4JUEsDBBQAAAAIAJUR6lCQJwRdyAIAAJsH - AAA2AAAAbG9nX2FuYWx5dGljc19zb2x1dGlvbi0wLjEuMS5kaXN0LWluZm8vREVTQ1JJUFRJT04u - cnN0pVVNT9tAEL3vrxiRAy2NbbhG4oCAQiRSJNKqh1KJtT2xV6x3rf0ATJX/3vE6dpMqEBA+ROvN - zLw3z7NvR3Dy7A3C6dUUpC4irrhsnMhsZLX0TmgF508OlW1XI/a9FBZqnt3zAoGWC23AlQj723P3 - AfvkMYgYY9jnz1BpJRwlbuTAkMPYaDSCS/0IToO3CPTKpso6LiWBEepQlP4WqggMUpSU0baR6ari - Kmd3d3eM0P4F8zyHKFK8whdaDSkBfaoy6XPM4StyR/rYdncEV7qAk4HxvFdoRqUKrFC5CevWL0RO - 4FelSW2hFvr3p9K52k6SJNeZjSuRGW31wsXEP0EVeZvw9tN0v9FKtERQL0XpbNKTtp/hlh2cP/Gq - lmgnB6EB4npqiDoCf0Hm4dPVkiuojc595kAv4Ho2vyCl0TTJqVaOC4XG9mK+/ukg6zBvGdATRaSb - 9ibDqDDa1zBrblYbF+G9D+vTI9fUNIkD6BDwqM29palD2EusT21mRB1aT/7MfTo9WyZmvTBtbwAt - E2rvQeRUMlnVnA1qX9doeFuMy2kv7YBHlX726280N8u9gZPjhYV7bI4fuPQ4TA4J/6POXxM+hMJu - LX1X5p1ahunux62l/AbCZyhxF+HdfPOuyk6mWziuk7lAR6VoAqQFnmrvwpDaGjOxEHQgP8TRluQR - H2V4JayD1ovosLTctmNZOuT/UV8fXSCSPQ0INN7YgiT0EPr28PaIrUPPmvna6/uLvS5fJ9V0AY32 - UPKH9p6wHu2YnAY52XkhaG+BmKd0j0DagK5RtTZOPhRCgTvovbEQrvRp8MSTNTfMpIgGY7dJhxAz - xuIYJlnJVUHXQTFh7AY70Euirk3Djjcfxg7jo/iIfdl82AHNYG0w42GiW4uMap9S/yWa8WpAxsM/ - K/OkS2d1x2w6Wuu0nTN2cIdb4KYkvOCSZiLwbVv5C1BLAwQUAAAACACVEepQ9u2MH6QBAAA7AwAA - NAAAAGxvZ19hbmFseXRpY3Nfc29sdXRpb24tMC4xLjEuZGlzdC1pbmZvL21ldGFkYXRhLmpzb26N - ksFu2zAQRH+F4KkFKllp0h58ipIUqAAnMSrfisJgqLXMguQK5NKpYujfS0oy4EsQXwSK+2Z3OOSR - Sy28VzsFzvMl+80f4AAaOwOWWE2CgmfLJbthGbsDEvwL45UlsA00rAyNAishAbMsdXkPqXtPYFjZ - GGWVJycIJ3rtsHXCxO2WrYRtg2hHwbqnPdqPibS6vhDLby4Fv10Kfk/gSkmwfqw91xUru87hIQYQ - /x+rDZvL/E9E4V8Mxyu0KfAj78ZWeRPTVXrakmhJSBov5MjBxEJccvHW9VKrW6OkQ487yiWaNNwK - Awl4PBXYPboOY8Jqys+hHgER4izHh2SjQRnSLW+TeprbgJdOdaMq0g8/6vtf1XpTPT/lzhMfoioe - 6y9I2gY3e/2J0+w9UeeXi0WraB9ekrNF+RYcLET6ZtF3dnbwYUjNWrAwPoPU4KWJj2L7ugfQ7FOR - 
Xxd58Tl513N06XzVJu2YGFUjSGwP8bnNXr/mxXkSGttMWKF7UtJnHnU4ReGDMcL1CapDF0MitkPH - Rq9shS0rTzJWn8nORhX5VX7Fh/9QSwMEFAAAAAgAlRHqUEmWP5wfAAAAHQAAADQAAABsb2dfYW5h - bHl0aWNzX3NvbHV0aW9uLTAuMS4xLmRpc3QtaW5mby90b3BfbGV2ZWwudHh0S6xKrSiJz8lPj0/M - S8ypLMlMLo4vzs8pLcnMz+MCAFBLAwQUAAAACACVEepQ9t3Svl8AAABuAAAALAAAAGxvZ19hbmFs - eXRpY3Nfc29sdXRpb24tMC4xLjEuZGlzdC1pbmZvL1dIRUVMC89ITc3RDUstKs7Mz7NSMNQz4HJP - zUstSizJL7JSSErJLC6JLwepUdAw0DM20DPQ5ArKzy/R9SzWDSgtSs3JTLJSKCkqTeUKSUy3Uiio - NNLNy89L1U3Mq4SJGCNEuABQSwMEFAAAAAgAlRHqUENT7z21AwAAXAoAAC8AAABsb2dfYW5hbHl0 - aWNzX3NvbHV0aW9uLTAuMS4xLmRpc3QtaW5mby9NRVRBREFUQaVWTW/bRhC9768YRAe3rkk6bdoD - gQBV5dQmItlGlDSHpoBX5IhcmNwl9sMOXfi/d5ZflQLLshAeBHJ3Zt6b2TezWqDlGbc8+Au1EUrG - 8HN4yi55hTGUKg+45GVjRWoCo0pnyYKNlqfh6/A1W7qq4rqJYenqWmkLa6Vh+uA0wlzlMB0CwHII - cKEqDGqeE0RhbW3iKMqFLdwqTFUVta4R979BWooAv1qUHtCwqbOF0jEsRKqVUWsLM6UJk7dhu90A - Ky7KGPhD3ZD779Vg64OzuUgpGAEvko/suuSWyFYxfLp8f3n1+ZLNSm6MWAskkDO8w1LVFUoLS8ut - MxDH8AYC+INqtmWaSKKYYQZTlwmUKXrL3p+Ktd922RiLFUyzSkhhLCWkvnG71irXvKL9HOZc5o7K - 5z2vG0paHmDq33451D58c7DHrwd7/Lbl0Z+U37paJjCta63uqGxxe3bDNmOTXmuzebJDsPBuUBBM - 2MdCGKh5eusJ0KsXqy0Qjp72PYJRficgQgzhiD9ApaSgE9rGg9GHSE0mcKHuwSpwlAN9skQay8uS - wAh1DErbviSewYrUct+mQUKtuMzYzc0NI7T/jXmWQRBIas5dveldWvREpqXzMvsTSboajV+d7OhI - WFCoHL3UY9a977CM4e9KUbWFXKt/fhi6N1OpCbcaLUIZONN1cd/LfdEiQbnkhTXRQNr8CF/Y8buv - vKpLNPFxmwBxnWmijsB3lHk8urrkEkgdmUstqDVcLZbnVGnUTTRT0nIhfQ/2xXz+6CDtML8woCcI - qG7K6RSDXCtXw6L50C+ct9+D2eAe2KYmJY6go8G90reGVIfwKjJuZVIt6jb16N+lWyVnj5HeDEzL - W0CPkRe/yChk1MccR2B4RSOmHYC8TIbSjngU6fPw7of646uRk+W5gVts3t7x0uGoHCr8pzp7rvCt - KeyvpevCHFjLVt2D3DzlFxA+wxL3Ed7PN+ui7GX6BMdNMudoKRQpoDTAV8rZVqSmxtRPtuz7OJqC - ZsT3MpzTFQN+FlGzeG5PYxlq8m+ob0oXiORAA1oaL0yhJPTW9OXmvsU2oRfNcuPz8GDPl68rVbKG - Rjko+J2/J4xDc0KTBjmN81zQ2hoxW9E9AqsG6JaXfozTHGpNgdvD/tlEHULIGAtDiNOCrki6DvKY - sQ/YgV4QdaUb9nb7Yaz7F/bT9sOOSYO1xpS3ivYjMqjdivIvUJ/0AjkZd/rhSZdOf8dsTzQ/abvJ - 2MGdPgGXUOEFL0kTLV+fyn9QSwMEFAAAAAgAlRHqUMq3pHbZBQAArg4AAC0AAABsb2dfYW5hbHl0 - 
aWNzX3NvbHV0aW9uLTAuMS4xLmRpc3QtaW5mby9SRUNPUkS9l8muo0gWhvct9ZvALeZhUQsmM9gY - sMEYNijMYDPPGPz0RSqzMp2qm+WbrasWEkgHiP/jxDl/BOARz0NQ1NcAVKBYhjTsg74uxiGtqz+C - IK3SIQjemgXqbwAjqT9LehvcDoHNThstbrmCZmLcOXq9TErG4zKZO6K5U1vsUo1XCCUR8r//Af+q - EBZpXA1BAsKh7pYnIXUjwHM40ah21OfGOseYuHdvNSlwpkScd1ORe+bY6X4rqRBDYK90bnHRPI2O - DKilCfBJMIDkjMgZ4DLbP25XKhjNe6i2Uh/Ni2ODiuEgjGLxV8M3oANl/yRgnDQ28reuqTf7aePR - 9GzoQOQTbIOlZ2zg9nnF32sjN2IEwhgEeSUwgSKNwJqjZ5Fh5yrlckcPk6S0trlIrkI6XnTEimvH - GltNV0UziXQ+nzwIw16KfL1ZxgNYlcBb1tfV92mXGJDnqe9lkWXAj8W8sZoXlrvTKbZkkhuEndnf - RDojTAKiqRc6YV2WoIqev2RrC0MWioSXk3q6y7wOAzYn0IA4VVo3uEGwMAuoefwcr2VFsPQrhbEf - 6vJpfJk3SZzYzGMgT0KzGxGChUU43MSE5yaR17BZSh5aBXVHC8JYnH0x/hD3Q/9ee3TzKMDibSth - wbQU3BBpjaHqApnhsFnjcmZLJ80c1Mfe6SGceNUdX2UK8OX6f1b7cvrFg0EfxhXo0vqJxFb5+USj - WeoPO4HE1FQ9HfItoCMcblVnV1SDo2LUluwtHSJZjHmBMsVVVHdxFPRR/m6eIzoPQftgetvmN8Hp - cCTmdE8WwUUWuPtmz8QktUUd17keOIhAXrnDz3J1E3fgS7xfqxRc43I1qPcYVCfv7I2EzOJJl8DF - uAXHXLb9O3s+ik4aT/U1T3xxmwykB9Hkq+b7CENYV0l6Hb/eeSLRI41DTV1/PHz/iLZTm2638p71 - 0rPh5P4+6VU6sColvq7dg9HMZ6TjRzT4Ef7m5k9kvGLMLm5dlAezy+ZSa6xG6GFKcBA+latEYLqc - X+4SErcShJO/WRfvkk1x1/+cHXnM9ZM/aZFIyUXltAqpdWq8Z5bCtc85NWj3jSp2zN3b6RDx0uo/ - gFDWUVy8W7ZYDROozPM7hxPdWuD3KqwbERNzDecnrj9fjSbB8GMf+/k6US9Xz99g+Xp9Qqlv2Lw/ - EF6w60zsQFqH/Mwy8HFLHh8T7sD6ZQJkIRX8dmQglMKJV5b42yxBs+BPPL6YcMsdaXMh7ZfOrXOa - dgT7EjRITKFZMlwowj/d7oRWhysPQX5ibpo1EP0zQxiQkf5Y0LANAk6k0gd1bvu9spldweNajRXs - Bx10QrauvhCLf0Lp/gi+VzshbyrYTd3Aw4G2KGAW3ZEzynt8rC+uSAUbR2oR0mGa03KHGPoT0vOM - 89TjoO/rMP3W+z+eeTZGirzt6o1Dw+WlsMbzFusyq+HyZJpkDgOGFPeBcs6Omk2se0SMebWa/++s - PxnmL2iD65Ac5XBqbyVhrC7VlPT+pFue6xx81MkiIRDczXksCCZftx4YRXwu7btMKe5ZSEapZJVl - +I1Ikda/smUqShM3Jgwm+uyleXAeVuWrbbKfPdl/v/eLhOXWYcl5+8YuuyUMsWVDlo6YGjJBuk59 - VlKZJPc+a0qZvm5tcYZa6d7ngpE3dD2itB/gtErqP0TpKBxU01aN/VvXD38LEv1enHyLvXdW7T/q - q3PYlZ0TJia1zGQ4BP1yPZd+d2muOoSyBP1hPV2yOZGzue8ttsmK4yaubq2iIAC5CUOgeWlFPERU - EayO5muTij0ldtt6/SsgsQ8LHSTBOIgQ9OEXXEWSdt8THvV7mDQ0zldTZQ+nBnG4FQy2XY7IRXQT - 
YuTv+iXfg6RbrRpFPizy7k5f0uGgN/g5zs6gG2i/rUonyDc4yLWkFJXuek79k0wZs25BDPbxXA91 - ExTxFBdvw/x9ZufolKEIfz/v4lPIo3GFMevHniZ+FEdw8RLb1k/bS1eij3Xjsq5AfwFQSwECFAMU - AAAACABiEepQYOzantQBAADhBQAAKAAAAAAAAAAAAAAApIEAAAAAYXpleHRfbG9nX2FuYWx5dGlj - c19zb2x1dGlvbi9fX2luaXRfXy5weVBLAQIUAxQAAAAIAGIR6lAGFUoCNQEAAEoDAAAvAAAAAAAA - AAAAAACkgRoCAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL19jbGllbnRfZmFjdG9yeS5w - eVBLAQIUAxQAAAAIAGIR6lDp2QZ8gAIAAIUKAAAlAAAAAAAAAAAAAACkgZwDAABhemV4dF9sb2df - YW5hbHl0aWNzX3NvbHV0aW9uL19oZWxwLnB5UEsBAhQDFAAAAAgAYhHqUJ77endcAwAA8AoAACcA - AAAAAAAAAAAAAKSBXwYAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vX3BhcmFtcy5weVBL - AQIUAxQAAAAIAGIR6lDKVrx+lgIAAJgIAAArAAAAAAAAAAAAAACkgQAKAABhemV4dF9sb2dfYW5h - bHl0aWNzX3NvbHV0aW9uL192YWxpZGF0b3JzLnB5UEsBAhQDFAAAAAgAYhHqUF/N5ExBAAAATAAA - ADAAAAAAAAAAAAAAAKSB3wwAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vYXpleHRfbWV0 - YWRhdGEuanNvblBLAQIUAxQAAAAIAGIR6lBl/oGg4wEAANkFAAAoAAAAAAAAAAAAAACkgW4NAABh - emV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL2NvbW1hbmRzLnB5UEsBAhQDFAAAAAgAYhHqUFuM - 5WVYAgAAewsAACYAAAAAAAAAAAAAAKSBlw8AAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24v - Y3VzdG9tLnB5UEsBAhQDFAAAAAgAYhHqUOwhgnV/AAAAWQEAAC4AAAAAAAAAAAAAAKSBMxIAAGF6 - ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdGVzdHMvX19pbml0X18ucHlQSwECFAMUAAAACABi - EepQ7CGCdX8AAABZAQAANQAAAAAAAAAAAAAApIH+EgAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1 - dGlvbi90ZXN0cy9sYXRlc3QvX19pbml0X18ucHlQSwECFAMUAAAACABiEepQgtJmHnYEAAAoFwAA - UQAAAAAAAAAAAAAApIHQEwAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlvbi90ZXN0cy9sYXRl - c3QvdGVzdF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uX3NjZW5hcmlvLnB5UEsBAhQDFAAAAAgAYhHq - UIlqf0SkAAAAkgEAADYAAAAAAAAAAAAAAKSBtRgAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRp - b24vdmVuZG9yZWRfc2Rrcy9fX2luaXRfXy5weVBLAQIUAxQAAAAIAGIR6lAGAuXUOgEAAO4CAABL - AAAAAAAAAAAAAACkga0ZAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3ZlbmRvcmVkX3Nk - a3Mvb3BlcmF0aW9uc21hbmFnZW1lbnQvX19pbml0X18ucHlQSwECFAMUAAAACABiEepQunqsrKkD - AADeCgAAUQAAAAAAAAAAAAAApIFQGwAAYXpleHRfbG9nX2FuYWx5dGljc19zb2x1dGlvbi92ZW5k - 
b3JlZF9zZGtzL29wZXJhdGlvbnNtYW5hZ2VtZW50L19jb25maWd1cmF0aW9uLnB5UEsBAhQDFAAA - AAgAYhHqUEe/rDTBAwAAyA0AAGAAAAAAAAAAAAAAAKSBaB8AAGF6ZXh0X2xvZ19hbmFseXRpY3Nf - c29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9fb3BlcmF0aW9uc19t - YW5hZ2VtZW50X2NsaWVudC5weVBLAQIUAxQAAAAIAGIR6lB5vfsF7QAAAO0BAABKAAAAAAAAAAAA - AACkgacjAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3ZlbmRvcmVkX3Nka3Mvb3BlcmF0 - aW9uc21hbmFnZW1lbnQvdmVyc2lvbi5weVBLAQIUAxQAAAAIAGIR6lAajO4KGQIAAJEKAABSAAAA - AAAAAAAAAACkgfwkAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3ZlbmRvcmVkX3Nka3Mv - b3BlcmF0aW9uc21hbmFnZW1lbnQvbW9kZWxzL19faW5pdF9fLnB5UEsBAhQDFAAAAAgAYhHqUBNX - FeKMCgAA3T8AAFEAAAAAAAAAAAAAAKSBhScAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24v - dmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9tb2RlbHMvX21vZGVscy5weVBLAQIU - AxQAAAAIAGIR6lDhBKe87goAAEdAAABVAAAAAAAAAAAAAACkgYAyAABhemV4dF9sb2dfYW5hbHl0 - aWNzX3NvbHV0aW9uL3ZlbmRvcmVkX3Nka3Mvb3BlcmF0aW9uc21hbmFnZW1lbnQvbW9kZWxzL19t - b2RlbHNfcHkzLnB5UEsBAhQDFAAAAAgAYhHqUK39aL3CAQAAqgMAAFcAAAAAAAAAAAAAAKSB4T0A - AGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFu - YWdlbWVudC9tb2RlbHMvX3BhZ2VkX21vZGVscy5weVBLAQIUAxQAAAAIAGIR6lASXSFtPwEAAGsD - AABWAAAAAAAAAAAAAACkgRhAAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3ZlbmRvcmVk - X3Nka3Mvb3BlcmF0aW9uc21hbmFnZW1lbnQvb3BlcmF0aW9ucy9fX2luaXRfXy5weVBLAQIUAxQA - AAAIAGIR6lDArqHb1AcAALc7AABxAAAAAAAAAAAAAACkgctBAABhemV4dF9sb2dfYW5hbHl0aWNz - X3NvbHV0aW9uL3ZlbmRvcmVkX3Nka3Mvb3BlcmF0aW9uc21hbmFnZW1lbnQvb3BlcmF0aW9ucy9f - bWFuYWdlbWVudF9hc3NvY2lhdGlvbnNfb3BlcmF0aW9ucy5weVBLAQIUAxQAAAAIAGIR6lCyPzuq - lAcAALg3AABzAAAAAAAAAAAAAACkgS5KAABhemV4dF9sb2dfYW5hbHl0aWNzX3NvbHV0aW9uL3Zl - bmRvcmVkX3Nka3Mvb3BlcmF0aW9uc21hbmFnZW1lbnQvb3BlcmF0aW9ucy9fbWFuYWdlbWVudF9j - b25maWd1cmF0aW9uc19vcGVyYXRpb25zLnB5UEsBAhQDFAAAAAgAYhHqUNFK5IdHBQAAhw8AAFkA - AAAAAAAAAAAAAKSBU1IAAGF6ZXh0X2xvZ19hbmFseXRpY3Nfc29sdXRpb24vdmVuZG9yZWRfc2Rr - cy9vcGVyYXRpb25zbWFuYWdlbWVudC9vcGVyYXRpb25zL19vcGVyYXRpb25zLnB5UEsBAhQDFAAA - 
AAgAYhHqUMSsLNz5CQAAOV0AAGMAAAAAAAAAAAAAAKSBEVgAAGF6ZXh0X2xvZ19hbmFseXRpY3Nf - c29sdXRpb24vdmVuZG9yZWRfc2Rrcy9vcGVyYXRpb25zbWFuYWdlbWVudC9vcGVyYXRpb25zL19z - b2x1dGlvbnNfb3BlcmF0aW9ucy5weVBLAQIUAxQAAAAIAJUR6lCQJwRdyAIAAJsHAAA2AAAAAAAA - AAAAAACkgYtiAABsb2dfYW5hbHl0aWNzX3NvbHV0aW9uLTAuMS4xLmRpc3QtaW5mby9ERVNDUklQ - VElPTi5yc3RQSwECFAMUAAAACACVEepQ9u2MH6QBAAA7AwAANAAAAAAAAAAAAAAApIGnZQAAbG9n - X2FuYWx5dGljc19zb2x1dGlvbi0wLjEuMS5kaXN0LWluZm8vbWV0YWRhdGEuanNvblBLAQIUAxQA - AAAIAJUR6lBJlj+cHwAAAB0AAAA0AAAAAAAAAAAAAACkgZ1nAABsb2dfYW5hbHl0aWNzX3NvbHV0 - aW9uLTAuMS4xLmRpc3QtaW5mby90b3BfbGV2ZWwudHh0UEsBAhQDFAAAAAgAlRHqUPbd0r5fAAAA - bgAAACwAAAAAAAAAAAAAAKSBDmgAAGxvZ19hbmFseXRpY3Nfc29sdXRpb24tMC4xLjEuZGlzdC1p - bmZvL1dIRUVMUEsBAhQDFAAAAAgAlRHqUENT7z21AwAAXAoAAC8AAAAAAAAAAAAAAKSBt2gAAGxv - Z19hbmFseXRpY3Nfc29sdXRpb24tMC4xLjEuZGlzdC1pbmZvL01FVEFEQVRBUEsBAhQDFAAAAAgA - lRHqUMq3pHbZBQAArg4AAC0AAAAAAAAAAAAAAKSBuWwAAGxvZ19hbmFseXRpY3Nfc29sdXRpb24t - MC4xLjEuZGlzdC1pbmZvL1JFQ09SRFBLBQYAAAAAHwAfAHkNAADdcgAAAAA= - headers: - accept-ranges: - - bytes - content-length: - - '32876' - content-md5: - - ujQT2Z9BY+0tKLbWmJhNvg== - content-type: - - application/octet-stream - date: - - Tue, 16 Mar 2021 09:03:13 GMT - etag: - - '"0x8D82476C76F2963"' - last-modified: - - Fri, 10 Jul 2020 02:13:04 GMT - server: - - Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 - x-ms-blob-type: - - BlockBlob - x-ms-creation-time: - - Fri, 10 Jul 2020 02:13:04 GMT - x-ms-lease-state: - - available - x-ms-lease-status: - - unlocked - x-ms-server-encrypted: - - 'true' - x-ms-version: - - '2019-02-02' - status: - code: 200 - message: OK -- request: - body: '{"location": "westus", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": - 30, "workspaceCapping": {}}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - monitor log-analytics workspace create - Connection: - - keep-alive - Content-Length: - - '115' - Content-Type: - - application/json - 
ParameterSetName: - - -g -n -l - User-Agent: - - AZURECLI/2.20.0 azsdk-python-mgmt-loganalytics/8.0.0 Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002?api-version=2021-12-01-preview - response: - body: - string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": - \"d3e307fe-e47a-4372-91b9-fa12ebead80b\",\r\n \"provisioningState\": \"Creating\",\r\n - \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"maxCapacityReservationLevel\": - 3000,\r\n \"lastSkuUpdate\": \"Tue, 16 Mar 2021 09:03:27 GMT\"\r\n },\r\n - \ \"retentionInDays\": 30,\r\n \"features\": {\r\n \"legacy\": 0,\r\n - \ \"searchVersion\": 1,\r\n \"enableLogAccessUsingOnlyResourcePermissions\": - true\r\n },\r\n \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n - \ \"quotaNextResetTime\": \"Wed, 17 Mar 2021 03:00:00 GMT\",\r\n \"dataIngestionStatus\": - \"RespectQuota\"\r\n },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n - \ \"publicNetworkAccessForQuery\": \"Enabled\",\r\n \"createdDate\": - \"Tue, 16 Mar 2021 09:03:27 GMT\",\r\n \"modifiedDate\": \"Tue, 16 Mar - 2021 09:03:27 GMT\"\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/microsoft.operationalinsights/workspaces/clitestws-000002\",\r\n - \ \"name\": \"clitestws-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n - \ \"location\": \"westus\"\r\n}" - headers: - cache-control: - - no-cache - content-length: - - '1169' - content-type: - - application/json - date: - - Tue, 16 Mar 2021 09:03:28 GMT - pragma: - - no-cache - server: - - Microsoft-IIS/10.0 - - Microsoft-IIS/10.0 - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' - 
x-powered-by: - - ASP.NET - - ASP.NET - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - CommandName: - - monitor log-analytics workspace create - Connection: - - keep-alive - ParameterSetName: - - -g -n -l - User-Agent: - - AZURECLI/2.20.0 azsdk-python-mgmt-loganalytics/8.0.0 Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002?api-version=2021-12-01-preview - response: - body: - string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": - \"d3e307fe-e47a-4372-91b9-fa12ebead80b\",\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"maxCapacityReservationLevel\": - 3000,\r\n \"lastSkuUpdate\": \"Tue, 16 Mar 2021 09:03:27 GMT\"\r\n },\r\n - \ \"retentionInDays\": 30,\r\n \"features\": {\r\n \"legacy\": 0,\r\n - \ \"searchVersion\": 1,\r\n \"enableLogAccessUsingOnlyResourcePermissions\": - true\r\n },\r\n \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n - \ \"quotaNextResetTime\": \"Wed, 17 Mar 2021 03:00:00 GMT\",\r\n \"dataIngestionStatus\": - \"RespectQuota\"\r\n },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n - \ \"publicNetworkAccessForQuery\": \"Enabled\",\r\n \"createdDate\": - \"Tue, 16 Mar 2021 09:03:27 GMT\",\r\n \"modifiedDate\": \"Tue, 16 Mar - 2021 09:03:29 GMT\"\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/microsoft.operationalinsights/workspaces/clitestws-000002\",\r\n - \ \"name\": \"clitestws-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n - \ \"location\": \"westus\"\r\n}" - headers: - cache-control: - - no-cache - content-length: - - '1170' - content-type: - - application/json - date: - - Tue, 16 Mar 2021 
09:03:58 GMT - pragma: - - no-cache - server: - - Microsoft-IIS/10.0 - - Microsoft-IIS/10.0 - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-powered-by: - - ASP.NET - - ASP.NET - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - monitor log-analytics solution create - Connection: - - keep-alive - ParameterSetName: - - --resource-group --solution-type --workspace - User-Agent: - - AZURECLI/2.20.0 azsdk-python-mgmt-loganalytics/8.0.0 Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002?api-version=2021-12-01-preview - response: - body: - string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": - \"d3e307fe-e47a-4372-91b9-fa12ebead80b\",\r\n \"provisioningState\": \"Succeeded\",\r\n - \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"maxCapacityReservationLevel\": - 3000,\r\n \"lastSkuUpdate\": \"Tue, 16 Mar 2021 09:03:27 GMT\"\r\n },\r\n - \ \"retentionInDays\": 30,\r\n \"features\": {\r\n \"legacy\": 0,\r\n - \ \"searchVersion\": 1,\r\n \"enableLogAccessUsingOnlyResourcePermissions\": - true\r\n },\r\n \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n - \ \"quotaNextResetTime\": \"Wed, 17 Mar 2021 03:00:00 GMT\",\r\n \"dataIngestionStatus\": - \"RespectQuota\"\r\n },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n - \ \"publicNetworkAccessForQuery\": \"Enabled\",\r\n \"createdDate\": - \"Tue, 16 Mar 2021 09:03:27 GMT\",\r\n \"modifiedDate\": \"Tue, 16 Mar - 2021 09:03:29 GMT\"\r\n },\r\n \"id\": 
\"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/microsoft.operationalinsights/workspaces/clitestws-000002\",\r\n - \ \"name\": \"clitestws-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n - \ \"location\": \"westus\"\r\n}" - headers: - cache-control: - - no-cache - content-length: - - '1170' - content-type: - - application/json - date: - - Tue, 16 Mar 2021 09:04:01 GMT - pragma: - - no-cache - server: - - Microsoft-IIS/10.0 - - Microsoft-IIS/10.0 - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-powered-by: - - ASP.NET - - ASP.NET - status: - code: 200 - message: OK -- request: - body: '{"location": "westus", "plan": {"name": "SecurityInsights(clitestws-000002)", - "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, - "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/microsoft.OperationalInsights/workspaces/clitestws-000002"}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - monitor log-analytics solution create - Connection: - - keep-alive - Content-Length: - - '420' - Content-Type: - - application/json; charset=utf-8 - ParameterSetName: - - --resource-group --solution-type --workspace - User-Agent: - - python/3.8.0 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 - azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.20.0 - accept-language: - - en-US - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28clitestws-000002%29?api-version=2015-11-01-preview - response: - body: - string: "{\r\n \"plan\": {\r\n \"name\": 
\"SecurityInsights(clitestws-000002)\",\r\n - \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": \"\",\r\n \"product\": - \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": - \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/microsoft.OperationalInsights/workspaces/clitestws-000002\",\r\n - \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, - 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n - \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n - \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(clitestws-000002)\",\r\n - \ \"name\": \"SecurityInsights(clitestws-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n - \ \"location\": \"West US\"\r\n}" - headers: - cache-control: - - no-cache - cachecontrol: - - no-cache - content-length: - - '1040' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:08 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Microsoft-IIS/10.0 - - Microsoft-IIS/10.0 - strict-transport-security: - - max-age=31536000; includeSubDomains - x-ams-apiversion: - - WebAPI1.0 - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' - x-powered-by: - - ASP.NET - - ASP.NET - status: - code: 201 - message: Created -- request: - body: '{"etag": "3d00c3ca-0000-0100-0000-5d42d5010000", "kind": "Fusion", "properties": - {"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", "enabled": - true}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule create - Connection: - - keep-alive - Content-Length: - - '164' - Content-Type: - - application/json - ParameterSetName: - - --fusion-alert-rule 
--resource-group --rule-id --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","name":"myFirstFusionRule","etag":"\"00002c33-0000-0100-0000-6050748e0000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"Fusion","properties":{"displayName":"Advanced - Multistage Attack Detection","description":"Using Fusion technology based - on machine learning, Azure Sentinel automatically detects multistage attacks - by identifying combinations of anomalous behaviors and suspicious activities - observed at various stages of the kill chain. On the basis of these discoveries, - Azure Sentinel generates incidents that would otherwise be very difficult - to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, - which is why this detection is turned ON by default.\n\nThere are a total - of 90 Fusion incident types detected by Azure Sentinel.\n\nTo detect these - multistage attacks, the following data connectors must be configured:\n- Azure - Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- - Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n\nFor - a full list and description of each scenario that is supported for these multistage - attacks, go to https://aka.ms/SentinelFusion.","alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","tactics":["Collection","CommandAndControl","DefenseEvasion","Discovery","Execution","Exfiltration","Impact","InitialAccess","LateralMovement","Persistence","PrivilegeEscalation"],"severity":"High","enabled":true,"lastModifiedUtc":"2021-03-16T09:04:14.5466874Z"}}' - headers: - cache-control: - - no-cache - content-length: - - '1774' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:14 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 201 - message: Created -- request: - body: '{"etag": "260097e0-0000-0d00-0000-5d6fa88f0000", "kind": "MicrosoftSecurityIncidentCreation", - "properties": {"productFilter": "Microsoft Cloud App Security", "displayName": - "testing displayname", "enabled": true}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule create - Connection: - - keep-alive - Content-Length: - - '213' - Content-Type: - - application/json - ParameterSetName: - - --microsoft-security-incident-creation-alert-rule --resource-group --rule-id - --workspace-name - User-Agent: - - AZURECLI/2.20.0 
azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","name":"microsoftSecurityIncidentCreationRuleExample","etag":"\"00003233-0000-0100-0000-605074900000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft - Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing - displayname","enabled":true,"description":null,"tactics":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2021-03-16T09:04:16.3379524Z"}}' - headers: - cache-control: - - no-cache - content-length: - - '814' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:15 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule show - Connection: - - keep-alive - ParameterSetName: - - --resource-group --rule-id --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","name":"myFirstFusionRule","etag":"\"00002c33-0000-0100-0000-6050748e0000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"Fusion","properties":{"displayName":"Advanced - Multistage Attack Detection","description":"Using Fusion technology based - on machine learning, Azure Sentinel automatically detects multistage attacks - by identifying combinations of anomalous behaviors and suspicious activities - observed at various stages of the kill chain. On the basis of these discoveries, - Azure Sentinel generates incidents that would otherwise be very difficult - to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, - which is why this detection is turned ON by default.\n\nThere are a total - of 90 Fusion incident types detected by Azure Sentinel.\n\nTo detect these - multistage attacks, the following data connectors must be configured:\n- Azure - Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- - Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n\nFor - a full list and description of each scenario that is supported for these multistage - attacks, go to https://aka.ms/SentinelFusion.","alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","tactics":["Collection","CommandAndControl","DefenseEvasion","Discovery","Execution","Exfiltration","Impact","InitialAccess","LateralMovement","Persistence","PrivilegeEscalation"],"severity":"High","enabled":true,"lastModifiedUtc":"2021-03-16T09:04:14.5466874Z"}}' - headers: - cache-control: - - no-cache - content-length: - - '1774' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:17 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule show - Connection: - - keep-alive - ParameterSetName: - - --resource-group --rule-id --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","name":"microsoftSecurityIncidentCreationRuleExample","etag":"\"00003233-0000-0100-0000-605074900000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft - Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing - displayname","enabled":true,"description":null,"tactics":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2021-03-16T09:04:16.3379524Z"}}' - headers: - cache-control: - - no-cache - content-length: - - '814' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:19 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule list - Connection: - - keep-alive - ParameterSetName: - - --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01 - response: - body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","name":"myFirstFusionRule","etag":"\"00002c33-0000-0100-0000-6050748e0000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"Fusion","properties":{"displayName":"Advanced - Multistage Attack Detection","description":"Using Fusion technology based - on machine learning, Azure Sentinel automatically detects multistage attacks - by identifying combinations of anomalous behaviors and suspicious activities - observed at various stages of the kill chain. On the basis of these discoveries, - Azure Sentinel generates incidents that would otherwise be very difficult - to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, - which is why this detection is turned ON by default.\n\nThere are a total - of 90 Fusion incident types detected by Azure Sentinel.\n\nTo detect these - multistage attacks, the following data connectors must be configured:\n- Azure - Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- - Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n\nFor - a full list and description of each scenario that is supported for these multistage - attacks, go to https://aka.ms/SentinelFusion.","alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","tactics":["Collection","CommandAndControl","DefenseEvasion","Discovery","Execution","Exfiltration","Impact","InitialAccess","LateralMovement","Persistence","PrivilegeEscalation"],"severity":"High","enabled":true,"lastModifiedUtc":"2021-03-16T09:04:14.5466874Z"}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","name":"microsoftSecurityIncidentCreationRuleExample","etag":"\"00003233-0000-0100-0000-605074900000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft - Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing - displayname","enabled":true,"description":null,"tactics":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2021-03-16T09:04:16.3379524Z"}}]}' - headers: - cache-control: - - no-cache - content-length: - - '2601' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:20 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - 
transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule delete - Connection: - - keep-alive - Content-Length: - - '0' - ParameterSetName: - - -y --resource-group --rule-id --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: DELETE - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule?api-version=2020-01-01 - response: - body: - string: '{}' - headers: - cache-control: - - no-cache - content-length: - - '2' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:23 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-deletes: - - '14999' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule-template show - Connection: - - keep-alive - ParameterSetName: - - --alert-rule-template-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa","name":"65360bb0-8986-4ade-a89d-af3cf44d28aa","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| - where TimeGenerated > ago(timeframe)\n| where EventName in~ (EventNameList)\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, - UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, - AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity - = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - to Amazon VPC settings","description":"Amazon Virtual Private Cloud (Amazon - VPC) lets you provision a logically isolated section of the AWS Cloud where - you can launch AWS resources\nin a virtual network that you define.\nThis - identifies 
changes to Amazon VPC (Virtual Private Cloud) settings such as - new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html","tactics":["PrivilegeEscalation","LateralMovement"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}}' - headers: - cache-control: - - no-cache - content-length: - - '2329' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:23 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel alert-rule-template list - Connection: - - keep-alive - ParameterSetName: - - --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2020-01-01 - response: - body: - string: 
'{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe","name":"738702fd-0a66-42c7-8586-e30f0583f8fe","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"DeviceEvents\n| - where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName - contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend - timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), - InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity - = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = - \"SHA1\"","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"FileHash","fieldMappings":[{"identifier":"Algorithm","columnName":"FileHashType"},{"identifier":"Value","columnName":"FileHashCustomEntity"}]}],"displayName":"TEARDROP - memory-only dropper","description":"Identifies SolarWinds TEARDROP memory-only - dropper IOCs in Window''s defender Exploit Guard activity\nReferences:\n- - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- - 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f","tactics":["Execution","Persistence"],"lastUpdatedDateUTC":"2021-01-31T00:00:00Z","createdDateUTC":"2020-12-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4696e072-aca8-4a4f-bf05-89fddc5ac3c9","name":"4696e072-aca8-4a4f-bf05-89fddc5ac3c9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - auditLookback = 1d;\nAuditLogs\n| where TimeGenerated > ago(auditLookback)\n| - where OperationName has ''StsRefreshTokenValidFrom''\n| where TargetResources[0].modifiedProperties - != ''[]''\n| where TargetResources[0].modifiedProperties !has ''DirectorySync''\n| - extend TargetResourcesModProps = TargetResources[0].modifiedProperties\n| - mv-expand TargetResourcesModProps\n| where tostring(TargetResourcesModProps.displayName) - =~ ''StsRefreshTokensValidFrom''\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| where InitiatingUserOrApp !in (''Microsoft - Cloud App Security'')\n| extend targetUserOrApp = TargetResources[0].userPrincipalName\n| - extend eventName = tostring(TargetResourcesModProps.displayName)\n| extend - oldStsRefreshValidFrom = todatetime(parse_json(tostring(TargetResourcesModProps.oldValue))[0])\n| - extend newStsRefreshValidFrom = todatetime(parse_json(tostring(TargetResourcesModProps.newValue))[0])\n| - extend tokenMinutesAdded = datetime_diff(''minute'',newStsRefreshValidFrom,oldStsRefreshValidFrom)\n| - extend tokenMinutesRemaining = 
datetime_diff(''minute'',TimeGenerated,newStsRefreshValidFrom)\n| - project-reorder Result, AADOperationType\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| - extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, - IPCustomEntity = InitiatingIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Interactive - STS refresh token modifications","description":"This will show Active Directory - Security Token Service (STS) refresh token modifications by Service Principals - and Applications other than DirectorySync. Refresh tokens are used to validate - identification and obtain access tokens.\nThis event is most often generated - when legitimate administrators troubleshoot frequent AAD user sign-ins but - may also be generated as a result of malicious token extensions. 
Confirm that - the activity is related to an administrator legitimately modifying STS refresh - tokens and check the new token validation time period for high values.\nFor - in-depth documentation of AAD Security Tokens, see https://docs.microsoft.com/azure/active-directory/develop/security-tokens.\nFor - further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-04T00:00:00Z","createdDateUTC":"2020-12-04T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87","name":"69b7723c-2889-469f-8b55-a2d355ed9c87","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and 
isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | - where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend - SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend - SingleIP = tostring(SingleIP)\n // renaming time column so it is clear - the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non - $left.TI_ipEntity == $right.SingleIP\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, - Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, - NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, - IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = - Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to DnsEvents","description":"Identifies a match in DnsEvents - from any IP IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc","name":"d25b1998-a592-4bc5-8a3a-92b39eedb1bc","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated > ago(timeframe)\n| - where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), - LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where - MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc - = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, - LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, - \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, - IPCustomEntity = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Login - to AWS Management Console without MFA","description":"Multi-Factor Authentication - (MFA) helps you to prevent credential compromise. 
This alert identifies logins - to the AWS Management Console without MFA.\nYou can limit this detection to - trigger for adminsitrative accounts if you do not have MFA enabled on all - accounts.\nThis is done by looking at the eventName ConsoleLogin and if the - AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements - field indicates NOT a Failure. Thereby indicating that a non-MFA login was - successful.","tactics":["DefenseEvasion","PrivilegeEscalation","Persistence","InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde","name":"884be6e7-e568-418e-9c12-89229865ffde","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| - where TimeGenerated > timeframe\n| where eventType_s =~ \"user.session.start\" - and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, - client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| - project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| where TimeGenerated - > timeframe\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| - where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| - summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City - = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, - published_t\n| sort by published_t desc\n| extend timestamp = 
published_t, - IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - Logins from Unknown or Invalid User","description":"This query searches for - numerous login attempts to the management console with an unknown or invalid - user name","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"OktaSSO","dataTypes":["Okta_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b","name":"884c4957-70ea-4f57-80b9-1bca3890315b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeFrame = 1d;\nlet timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| - where TimeGenerated >= ago(timeFrame)\n| where scStatus in (\"401\",\"403\")\n| - where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs - to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery - startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery - )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, - \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend - scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| - extend scStatusFull_Friendly = case(\nscStatusFull == 
\"401.0\", \"Access - denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == - \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == - \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", - \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization - failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull - == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// - Mapping to Hex so can be mapped using website in comments above\n| extend - scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| - extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The - referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex - =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex - =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex - =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex - =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", - \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect - function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file - specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path - specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", - \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ - \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", - \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// - decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// - Count of failed logons by a user\n| summarize makeset(decodedUriQuery), 
makeset(cIP), - makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), - makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), - makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount - = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where - FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, - set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, - set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, - set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| - extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity - = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"High - count of failed logons by a user","description":"Identifies when 100 or more - failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis - could be indicative of attempted brute force based on known account information.\nThis - could also simply indicate a misconfigured service or device. 
\nReferences:\nIIS - status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 - Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-03-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a","name":"28b42356-45af-40a6-a0b4-a554cdfd5d8a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet timeRange - = 1d;\nlet authenticationWindow = 20m;\nSigninLogs\n| where TimeGenerated - >= ago(timeRange)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| - extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| - extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| - where AppDisplayName contains \"Azure Portal\"\n// Split out failure versus - non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", - \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTimeUtc - = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), - makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount - = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") - \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, - AppDisplayName\n| where FailureCount >= 
failureCountThreshold and SuccessCount - >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, - IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Brute - force attack against Azure Portal","description":"Identifies evidence of brute - force activity against Azure Portal by highlighting multiple authentication - failures \nand by a successful authentication within a given time window. - \n(The query does not enforce any sequence - eg requiring the successful authentication - to occur last.)\nDefault Failure count is 5, Default Success count is 1 and - default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-04-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af","name":"62085097-d113-459f-9ea7-30216f2ee6af","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated - >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith - \"$\"\n| project 
TimeGenerated, EventID, Activity, Computer, TargetAccount, - TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| - extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where - EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, - TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 - = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet - userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where - EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, - TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 - = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable - | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min - = datetime_diff(''minute'', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min - > 2880 or isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, - TargetSid1\n| extend Reason = @\"User either has not yet attempted to set - the initial password after account was enabled or it occurred after 48 hours\"\n| - order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity - = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, - Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid","queryFrequency":"P1D","queryPeriod":"P3D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"TargetSid"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"AD - user enabled and password not set within 48 hours","description":"Identifies - when an account is enabled with a default password and the password is not 
- set by the user within 48 hours.\nEffectively, there is an event 4722 indicating - an account was enabled and within 48 hours, no event 4723 occurs which \nindicates - there was no attempt by the user to set the password. This will show any attempts - (success or fail) that occur \nafter 48 hours, which can indicate too long - of a time period in setting the password to something that only the user knows.\nIt - is recommended that this time period is adjusted per your internal company - policy.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-02-05T00:00:00Z","createdDateUTC":"2019-01-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee","name":"11b4c19d-2a79-4da3-af38-b067e1273dee","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\n(union isfuzzy=true\n(Event\n| where TimeGenerated >= ago(timeframe)\n| - where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| - extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| - extend NamedPipe = EventDetail.[5].[\"#text\"]\n| extend ProcessDetail = EventDetail.[6].[\"#text\"]\n| - where NamedPipe contains ''583da945-62af-10e8-4902-a8f205c72b2e''\n| extend - Account = UserName\n| project-away EventDetail, EvData\n),\n(\n SecurityEvent\n| - where TimeGenerated >= ago(timeframe)\n| where EventID == ''5145''\n| where - AccessList has ''%%4418'' // presence of CreatePipeInstance value \n| - where RelativeTargetName contains ''583da945-62af-10e8-4902-a8f205c72b2e''\n)\n)\n| - extend timestamp = TimeGenerated, 
AccountCustomEntity = Account, HostCustomEntity - = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Solorigate - Named Pipe","description":"Identifies a match across various data feeds for - named pipe IOCs related to the Solorigate incident.","tactics":["LateralMovement"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3","name":"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet - operationList = dynamic([\"Create or Update Virtual Machine\", \"Create Deployment\"]);\nAzureActivity\n| - where TimeGenerated >= ago(timeframe)\n| where OperationName in (operationList)\n| - where ActivityStatus == \"Accepted\" \n| where isnotempty(Properties)\n| extend - vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| - where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName - = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| - extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| - project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, - ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity - = Caller, IPCustomEntity = CallerIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":1,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Creation - of expensive computes in Azure","description":"Identifies the creation of - large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary - may create new or update existing virtual machines sizes to evade defenses - \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes - \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e","name":"f15370f4-c6fa-42c5-9be4-1d308f40284e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 
14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // - renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| summarize LatestIndicatorTime - = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, - ConfidenceScore, OfficeActivity_TimeGenerated,\nTI_ipEntity, ClientIP, UserId, - Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, - NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, - IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = - 
Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to OfficeActivity","description":"Identifies a match in OfficeActivity - from any IP IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63","name":"ffcd575b-3d54-482a-a6d8-d0de13b6ac63","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n CommonSecurityLog | where TimeGenerated - >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN - Logs for specific event type to match relevant email entities\n | where - DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == 
\"wildfire\" - and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID - = tolower(DestinationUserID)\n | where DestinationUserID matches regex - emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non - $left.EmailRecipient == $right.DestinationUserID\n| summarize LatestIndicatorTime - = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, - ConfidenceScore, CommonSecurityLog_TimeGenerated,\nEmailSenderName, EmailSourceDomain, - EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, - DeviceEventClassID, LogSeverity, DeviceAction,\nSourceIP, SourcePort, DestinationIP, - DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated, - AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to CommonSecurityLog","description":"Identifies a match - in CommonSecurityLog table from any Email IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d","name":"18e6a87e-9d06-4a4e-8b59-3469cd49552d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"(union - isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create - a SACL on the ADFS Policy Store DKM group for this event to be created. 
\n| - where ObjectServer == ''DS''\n| where OperationType == ''Object Access''\n//| - where ObjectName contains '' ago(auditLookback)\n| where OperationName =~ \"Set federation settings on - domain\"\n//| where Result =~ \"success\" // commenting out, as it may be - interesting to capture failed attempts\n| mv-expand TargetResources\n| extend - modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand - modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n| - mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where TimeGenerated > ago(auditLookback)\n| - where OperationName =~ \"Set domain authentication\"\n//| where Result =~ - \"success\" // commenting out, as it may be interesting to capture failed - attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| - mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), - NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where - NewDomainValue has \"Federated\"\n)\n)\n| extend UserAgent = iff(AdditionalDetails.key - == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp - = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| - project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, - targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, - TenantId, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity - = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Modified - domain federation trust settings","description":"This will alert when a user - or application modifies the federation settings on the domain or Update domain - authentication from Managed to Federated.\nFor example, this alert will trigger - when a new Active Directory Federated Service (ADFS) TrustedRealm object, - such as a signing certificate, is added to the domain.\nModification to domain - federation settings should be rare. Confirm the added or modified target domain/URL - is legitimate administrator behavior.\nTo understand why an authorized user - may update settings for a federated domain in Office 365, Azure, or Intune, - see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor - details on security realms that accept security tokens, see the ADFS Proxy - Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor - further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-02-09T00:00:00Z","createdDateUTC":"2020-12-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7","name":"65c78944-930b-4cae-bd79-c3664ae30ba7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\n(union isfuzzy=true\n(AuditLogs \n| where TimeGenerated >= - ago(timeframe) \n| where OperationName =~ \"Disable Strong Authentication\"\n| - extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) - \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), - \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| - extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) - \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, - IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| - where TimeGenerated >= ago(timeframe)\n| where EventName in~ (\"DeactivateMFADevice\", - \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| - extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by User - = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail - = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"MFA - disabled for a user","description":"Multi-Factor Authentication (MFA) helps - prevent credential compromise. This alert identifies when an attempt has been - made to diable MFA for a user ","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-23T00:00:00Z","createdDateUTC":"2019-12-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1","name":"66276b14-32c5-4226-88e3-080dacc31ce1","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet AccountAllowList = dynamic([''SYSTEM'']);\nlet SubCategoryList - = dynamic([\"Logoff\", \"Account Lockout\", \"User Account Management\", \"Authorization - Policy Change\"]); // Add any Category in the list to be allowed or disallowed\nlet - tokens = dynamic([\"clear\", \"remove\", \"success:disable\",\"failure:disable\"]); - \n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n//| - where Process =~ 
\"auditpol.exe\" \n| where CommandLine has_any (tokens)\n| - where AccountType !~ \"Machine\" and Account !in~ (AccountAllowList)\n| parse - CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory - = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, - \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion - or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable - /failure:disable\") // use this filter if required to exclude certain toggles\n| - project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, - Process, ParentProcessName, CommandLine, SubCategory, Toggle\n| extend timestamp - = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| - where TimeGenerated >= ago(timeframe)\n// | where InitiatingProcessFileName - =~ \"auditpol.exe\" \n| where InitiatingProcessCommandLine has_any (tokens)\n| - where AccountName !in~ (AccountAllowList)\n| parse InitiatingProcessCommandLine - with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, - \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| - where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for - exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") - // use this filter if required to exclude certain toggles\n| project TimeGenerated, - DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, - InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, - SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity - = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated - > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where - EventID == 1\n| extend EventData = 
parse_xml(EventData).DataItem.EventData.Data\n| - mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| - extend Key=tostring([''@Name'']), Value=[''#text'']\n| evaluate pivot(Key, - any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, - EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n// - | where OriginalFileName =~ \"auditpol.exe\"\n| where CommandLine has_any - (tokens)\n| where User !in~ (AccountAllowList)\n| parse CommandLine with * - \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, - \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| - where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for - exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") - // use this filter if required to exclude certain toggles\n| project TimeGenerated, - Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\n| - extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity - = Computer\n)\n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Audit - policy manipulation using auditpol utility","description":"This detects attempt - to manipulate audit policies using auditpol command.\nThis technique was seen - in relation to Solorigate attack but the results can indicate potential malicious - activity used in different attacks.\nThe process name in each data source - is commented out as an adversary could rename it. 
It is advisable to keep - process name commented but \nif the results show unrelated false positives, - users may want to uncomment it.\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \nRefer - to our M365 blog for details on use during the Solorigate attack:\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/","tactics":["Execution"],"lastUpdatedDateUTC":"2021-02-02T00:00:00Z","createdDateUTC":"2021-01-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceProcessEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206","name":"80733eb7-35b2-45b6-b2b8-3c51df258206","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet DomainList = dynamic([\"monerohash.com\", \"do-dear.com\", - \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", - \"xmrget.com\", \n\"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", - \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", - \"supportxmr.com\",\n\"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", - \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", - \"gntl.co.uk\", \"semipool.com\", \n\"coinfoundry.org\", \"cryptoknight.cc\", - \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", - \"asiapool.io\", \"coinpoolit.webhop.me\", \"nanopool.org\", \n\"moneropool.com\", - \"miner.center\", 
\"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", - \"cryptonotepool.org\", \"extrmepool.org\", \"webcoin.me\", \n\"kippo.eu\", - \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", - \"1gh.com\", \"dwarfpool.com\", \"hash-to-coins.com\", \n\"hashvault.pro\", - \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", - \"mineshaft.ml\", \"abcxyz.stream\", \"moneropool.ru\", \"cryptonotepool.org.uk\",\n\"extremepool.org\", - \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", - \"monero.net\", \"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\",\n\"shscrypto.net\"]);\nSyslog\n| - where TimeGenerated >= ago(timeframe)\n| where ProcessName contains \"squid\"\n| - extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), - \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), - \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), - \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User - = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort - = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain - = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes - = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType - = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| - where HTTP_Status_Code == ''200''\n| where Domain contains \".\"\n| where - Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity - = URL, IPCustomEntity = SourceIP, AccountCustomEntity = 
User","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Squid - proxy events related to mining pools","description":"Checks for Squid proxy - events in Syslog associated with common mining pools .This query presumes - the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-07-12T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b","name":"bff093b2-500e-4ae5-bb49-a5b1423cbd5b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"OfficeActivity\n| - where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| - extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| - project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n| - join (\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where - Operation =~ \"MemberRemoved\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| - where UPN contains (\"#EXT#\")\n| project TimeDeleted=TimeGenerated, Operation, - UPN, UserWhoDeleted = UserId, TeamName\n) on UPN\n| where TimeDeleted > TimeAdded\n| - project TimeAdded, TimeDeleted, 
UPN, UserWhoAdded, UserWhoDeleted, TeamName\n| - extend timestamp = TimeAdded, AccountCustomEntity = UPN","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"External - user added and removed in short timeframe","description":"This detection flags - the occurances of external user accounts that are added to a Team and then - removed within\none hour.This data is a part of Office 365 Connector in Azure - Sentinel.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-28T00:00:00Z","createdDateUTC":"2020-09-13T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity - (Teams)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6","name":"be52662c-3b23-435a-a6fa-f39bdfc849e6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 10;\nQualysHostDetection_CL\n| where - TimeGenerated >= timeframe\n| mv-expand todynamic(Detections_s)\n| where Detections_s.Severity - == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp - = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"High - Number of Urgent Vulnerabilities Detected","description":"This Creates an - incident when a host has a high number of Urgent, severity 5, vulnerabilities - detected.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"QualysVulnerabilityManagement","dataTypes":["QualysHostDetection_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109","name":"b783df9c-4088-452e-a791-0c4fca47a109","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.0","techniques":["T1568"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":[{"prioritize":null,"exclude":".lan, - .home","dataType":"string","name":"Top level domain","description":"Give comma - separated TLDs to exclude from source data within double quotes, example: - \".lan, .home\"","sequenceNumber":0,"rerun":"RerunAlways"}],"thresholdObservations":[{"minimum":"0.0","maximum":"1.0","value":"0.9","name":"Score","description":"Generate - an anomaly when the anomaly score is greater than or equal to the chosen value.","sequenceNumber":0,"rerun":"RerunAlways"}]},"frequency":"P1D","displayName":"(Preview) - Domain generation algorithm (DGA) on DNS domains","description":"This 
machine - learning model indicates potential DGA domains in the second-level-domain - (SLD) from the last day in the DNS logs.\nThe algorithm applies to the DNS - records that resolve to IPv4 and IPv6 addresses.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2021-02-05T00:00:00Z","createdDateUTC":"2021-02-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0","name":"d82e1987-4356-4a7b-bc5e-064f29b143c0","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"SecurityEvent\n| - where EventID == 4688\n| where Process =~ ''rundll32.exe'' \n| where CommandLine - has_all (''Execute'',''RegRead'',''window.close'')\n| project TimeGenerated, - Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, - _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, - AccountCustomEntity = Account","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"NOBELIUM - - suspicious rundll32.exe execution of vbscript","description":"This query - idenifies when rundll32.exe executes a specific set of inline VBScript commands\n - References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-03-04T00:00:00Z","createdDateUTC":"2021-03-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4","name":"48607a29-a26a-4abf-8078-a06dbdd174a4","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet - authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet - failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account - is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, - 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, - 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from - last 7 days\nlet identityLookup = SigninLogs\n| where TimeGenerated >= ago(lookBack)\n| - where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize - by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// - collect window threshold breaches\nSigninLogs\n| where TimeGenerated > ago(timeRange)\n| - where ResultType in(failureCodes)\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, - authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\n| summarize - FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), 
- IPAddress, AppDisplayName\n| where FailedPrincipalCount >= authenticationThreshold\n| - summarize WindowThresholdBreaches = count() by IPAddress\n| join kind= inner - (\n// where we breached a threshold, join the details back on all failure - data\n SigninLogs\n| where TimeGenerated > ago(timeRange)\n| where ResultType - in(failureCodes)\n| extend FullLocation = strcat(Location,''|'', LocationDetails.state, - ''|'', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), - FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, - Identity, UserId\n// lookup any unresolved identities\n| extend UnresolvedUserId - = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter - (\n identityLookup \n) on $left.UnresolvedUserId==$right.UserId\n| extend - UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| - extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, - lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), - make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), - make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\n| - extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\n) on IPAddress\n| - project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, - FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, - ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, - WindowThresholdBreaches\n| join kind= inner (\nSigninLogs // get data on success - vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| - where ResultType in(successCodes) or ResultType in(failureCodes) // success - or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, - (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, - (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, - (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, - (ResultType in(failureCodes))) by IPAddress\n| where GlobalFailPrincipalCount - > GlobalSuccessPrincipalCount // where the number of failed principals is - greater than success - eliminates FPs from IPs who authenticate successfully - alot and as a side effect have alot of failures\n) on IPAddress\n| project-away - IPAddress1\n| extend timestamp=StartTime, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Password - spray attack against Azure AD application","description":"Identifies evidence - of password spray activity against Azure AD applications by looking for failures - from multiple accounts from the same\nIP address within a time window. If - the number of accounts breaches the threshold just once, all failures from - the IP address within the time range\nare bought into the result. 
Details - on whether there were successful authentications by the IP address within - the time window are also included.\nThis can be an indicator that an attack - was successful.\nThe default failure acccount threshold is 5, Default time - window for failures is 20m and default look back window is 3 days\nNote: Due - to the number of possible accounts involved in a password spray it is not - possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-03-26T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee","name":"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, - change as needed. 
\n// Any operation that has been initiated by a user or - app more than 3 times in the past 7 days will be excluded\nlet threshold = - 3;\n// Gather initial data from lookback period, excluding current, adjust - current to more than a single day if no results\nlet AuditTrail = AuditLogs - | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// - 2 other operations that can be part of malicious activity in this situation - are \n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend - the filter below to capture these too\n| where OperationName has \"Consent - to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), - \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| - extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| - summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, - TargetResourceName\n// only including operations by initiated by a user or - app that is above the threshold so we produce only rare and has not occurred - in last 7 days\n| where OperationCount > threshold\n;\n// Gather current period - of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| - where OperationName has \"Consent to application\"\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), - \ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\n| - extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), - \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| - extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| - parse 
TargetResources.[0].modifiedProperties with * \"ConsentType: \" ConsentType - \"]\" *\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, - Category, OperationName, ConsentType , CorrelationId, Type;\n// Exclude previously - seen audit activity for \"Consent to application\" that was seen in the lookback - period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | - join kind= leftanti AuditTrail on OperationName, InitiatedBy \n| extend Reason - = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet - RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, - TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy - | union RareConsentApp\n| summarize Reason = makeset(Reason) by TimeGenerated, - InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, - CorrelationId, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity - = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":3,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Rare - application consent","description":"This will alert when the \"Consent to - application\" operation occurs by a user that has not done this operation - before or rarely does this.\nThis could indicate that permissions to access - the listed Azure App were provided to a malicious actor. \nConsent to application, - Add service principal and Add OAuth2PermissionGrant should typically be rare - events. 
\nThis may help detect the Oauth2 attack that can be initiated by - this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further - information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["Persistence","LateralMovement","Collection"],"lastUpdatedDateUTC":"2020-12-19T00:00:00Z","createdDateUTC":"2019-07-04T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88","name":"e1ce0eab-10d1-4aae-863f-9a383345ba88","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet threshold = 15;\nSyslog\n| where TimeGenerated >= ago(timeframe)\n| - where SyslogMessage contains \"Failed password for invalid user\"\n| where - ProcessName =~ \"sshd\" \n| parse kind=relaxed SyslogMessage with * \"invalid - user\" user \" from \" ip \" port\" port \" ssh2\"\n| project user, ip, port, - SyslogMessage, EventTime\n| summarize EventTimes = make_list(EventTime), PerHourCount - = count() by ip, bin(EventTime, 4h), user\n| where PerHourCount > threshold\n| - mvexpand EventTimes\n| extend EventTimes = tostring(EventTimes) \n| summarize - StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), - sum(PerHourCount) by IPAddress = ip\n| extend UserList = tostring(UserList) - \n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity - = 
UserList","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"SSH - - Potential Brute Force","description":"Identifies an IP address that had - 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time - period.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1","name":"532c1811-79ee-4d9f-8d4d-6304c840daa1","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Azure - Active Directory Identity Protection","displayName":"Create incidents based - on Azure Active Directory Identity Protection alerts","description":"Create - incidents based on all alerts generated in Azure Active Directory Identity - Protection","lastUpdatedDateUTC":"2019-07-16T00:00:00Z","createdDateUTC":"2019-07-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectoryIdentityProtection","dataTypes":["SecurityAlert - 
(IPC)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa","name":"65360bb0-8986-4ade-a89d-af3cf44d28aa","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| - where TimeGenerated > ago(timeframe)\n| where EventName in~ (EventNameList)\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, - UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, - AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity - = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - to Amazon VPC settings","description":"Amazon Virtual Private Cloud (Amazon - VPC) lets you provision a logically isolated section of the AWS Cloud where - you can launch AWS resources\nin a virtual network that you define.\nThis - identifies changes to Amazon VPC (Virtual Private Cloud) settings such as - new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - \nand AWS VPC API Docs: 
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html","tactics":["PrivilegeEscalation","LateralMovement"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426","name":"ec21493c-2684-4acd-9bc2-696dbad72426","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our - threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | - where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | - extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, - ''.'')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize - count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | - summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | - where Active == true\n // Picking up only IOC''s that contain the entities - we want\n | where isnotempty(DomainName)\n | join (\n CommonSecurityLog\n | - extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | - where DeviceVendor =~ ''Palo Alto Networks''\n | where DeviceEventClassID - =~ ''url''\n //Uncomment the line below to only alert on allowed connections\n //| - where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, - if not present extarct it from AdditionalExtentions\n | extend PA_Url - = 
columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) - and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, - tolower(AdditionalExtensions)), trim(''\"'', PA_Url))\n | extend PA_Url - = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat(''http://'', - PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", - strcat(''https://'', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | - where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | - extend parts = split(Domain, ''.'')\n //Split out the TLD for the purpose - of checking if we have any TI indicators with this TLD to match on\n | - extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain - by checking TLD against TLDs from threat feed and drop domains where there - is no chance of a match\n | where tld in~ (list_tlds)\n | extend - CSL_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | - project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, - IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, - DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, - ApplicationProtocol, RequestMethod\n | extend timestamp = CSL_TimeGenerated, - IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity - = PA_Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Domain entity to PaloAlto","description":"Identifies a match in Palo - Alto data in CommonSecurityLog table from any 
Domain IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e","name":"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"// - Replace these with the usename or emails of your VIP users you wish to monitor - for.\nlet vips = dynamic([''vip1@email.com'',''vip2@email.com'']);\nlet timeframe - = 1d;\nLAQueryLogs\n| where TimeGenerated > ago(timeframe)\n| where QueryText - has_any (vips)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, - ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity - = AADEmail","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"Users - searching for VIP user activity","description":"This query monitors for users - running Log Analytics queries that contain filters \nfor specific, defined - VIP user accounts. 
Use this detection to alert for users specifically \nsearching - for activity of sensitive users.","tactics":["Collection","Exfiltration"],"lastUpdatedDateUTC":"2021-01-21T00:00:00Z","createdDateUTC":"2020-09-16T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92","name":"d0bd9611-2fc1-42cb-af4e-793b6f28ba92","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.1","techniques":["T1030"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.87","name":"Score","description":"Generate - an anomaly when score is greater than the chosen value","sequenceNumber":0,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Excessive upload via Palo Alto GlobalProtect","description":"This algorithm - detects unusually high volume of upload per user account via Palo Alto VPN - solution. The model is trained on the previous 14 days of the VPN logs. 
It - indicates anomalous high volume of upload in the last day.","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-11-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa","name":"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our - threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| - where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| - extend parts = split(DomainName, ''.'')\n| extend tld = parts[(array_length(parts)-1)]\n| - summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where - TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog - message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, - tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts - = split(domain, ''.'')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate - parsed domain by checking if the TLD is in the list of TLDs in our threat - feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = - TimeGenerated\n) on $left.DomainName==$right.domain\n| summarize LatestIndicatorTime - = 
arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, - ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, - domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity - = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Domain entity to Syslog","description":"Identifies a match in Syslog - table from any Domain IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae","name":"a9956d3a-07a9-44a6-a279-081a85020cae","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 15;\nlet rejectedAccess = SymantecVIP\n| - where TimeGenerated > timeframe\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth - =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, - 15m)\n| where 
Total > threshold\n| project ClientIP;\nSymantecVIP\n| where - TimeGenerated > timeframe\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth - =~ \"Reject\"\n| join kind=inner rejectedAccess() on ClientIP\n| summarize - StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, - User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity - = User","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"ClientDeniedAccess","description":"Creates - an incident in the event a Client has an excessive amounts of denied access - requests.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SymantecVIP","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947","name":"f2dd4a3a-ebac-4994-9499-1a859938c947","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold - = 5;\nlet bytessentperhourthreshold = 10;\nlet PrivateIPregex = @''^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'';\nlet - TimeSeriesData = (union isfuzzy=true\n(\nVMConnection\n| where TimeGenerated - between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIP) - and isnotempty(SourceIP)\n| extend 
DestinationIpType = iff(DestinationIp matches - regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType - == \"public\" | extend DeviceVendor = \"VMConnection\"\n| project TimeGenerated, - BytesSent, DeviceVendor\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated - from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe - by DeviceVendor\n),\n(\nCommonSecurityLog\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| - where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| extend DestinationIpType - = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| - where DestinationIpType == \"public\"\n| project TimeGenerated, SentBytes, - DeviceVendor\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated - from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe - by DeviceVendor\n)\n);\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts - = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, - scorethreshold, -1, ''linefit'')\n| mv-expand TotalBytesSent to typeof(double), - TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), - baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| - extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), - baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\n| - project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, - baselinebytessentperHour, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | - where TimeGenerated > ago(2d) | project TimeGenerated);\n//Union of all BaseLogs - aggregated per hour\nlet BaseLogs = (union isfuzzy=true\n(\nCommonSecurityLog\n| - where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated - > ago(2d)\n| extend DateHour = 
bin(TimeGenerated, 1h) // create a new column - and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset - to only selected anomaly hours\n| extend DestinationIpType = iff(DestinationIP - matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType - == \"public\"\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB - = ((ReceivedBytes / 1024)/1024)\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, - *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = - make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB - = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| - where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour - asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) - != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where - Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| - project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, - DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n),\n(\nVMConnection\n| - where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| where TimeGenerated - > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column - and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset - to only selected anomaly hours\n| extend SourceIP = SourceIp, DestinationIP - = DestinationIp\n| extend DestinationIpType = iff(DestinationIp matches regex - PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" - | extend DeviceVendor = \"VMConnection\"\n| extend SentBytesinMB = ((BytesSent - / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\n| summarize - HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), 
DestinationIPList=make_set(DestinationIP, - 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB - = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, - DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB - > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB - desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) - // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting - Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, - TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, - TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n)\n);\n// Join against base - logs to retrive records associated with the hour of anomoly\nTimeSeriesAlerts\n| - where TimeGenerated > ago(2d)\n| join (\n BaseLogs | extend AnomalyHour - = TimeGeneratedHour\n) on DeviceVendor, AnomalyHour | sort by score desc\n| - project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, - DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, - baselinebytessentperHour, score, anomalies\n| summarize EventCount = count(), - StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= - arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB - = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList - = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, - baselinebytessentperHour, score, anomalies\n| project DeviceVendor, AnomalyHour, - StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, - TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, - score, anomalies, EventCount\n| extend timestamp =EndTimeUtc, IPCustomEntity - = 
SourceIPMax","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":1,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Time - series anomaly for data size transferred to public internet","description":"Identifies - anomalous data transfer to public networks. The query leverages built-in KQL - anomaly detection algorithms that detects large deviations from a baseline - pattern.\nA sudden increase in data transferred to unknown public networks - is an indication of data exfiltration attempts and should be investigated.\nThe - higher the score, the further it is from the baseline value.\nThe output is - aggregated to provide summary view of unique source IP to destination IP address - and port bytes sent traffic observed in the flagged anomaly hour.\nThe source - IP addresses which were sending less than bytessentperhourthreshold have been - exluded whose value can be adjusted as needed .\nYou may have to run queries - for individual source IP addresses from SourceIPlist to determine if anything - looks suspicious","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2021-01-21T00:00:00Z","createdDateUTC":"2019-05-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1","name":"a50766a7-0674-4ccb-8845-15dc55a80ba1","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet 
ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n WireData | where TimeGenerated >= ago(dt_lookBack)\n | - where isnotempty(RemoteIP)\n // renaming time column so it is clear the - log this came from\n | extend WireData_TimeGenerated = TimeGenerated\n)\non - $left.TI_ipEntity == $right.RemoteIP\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\nTI_ipEntity, - Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, - NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| - extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity - = Computer, URLCustomEntity = 
Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to WireData","description":"Identifies a match in WireData - from any IP IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureMonitor(WireData)","dataTypes":["WireData"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5","name":"d6491be0-ab2d-439d-95d6-ad8ea39277c5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet SensitiveOperationList = dynamic(\n[\"VaultDelete\", - \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", - \"KeyBackup\"]);\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| - extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend - requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", - \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), 
CallerIPAddress - = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", - \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where - identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| - where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" - and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| - where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType - =~ \"VAULTS\" and ResultType =~ \"Success\" \n| where OperationName in~ (SensitiveOperationList) \n| - summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), - TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), - RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= - arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, - clientInfo_s\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, - AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Sensitive - Azure Key Vault operations","description":"Identifies when sensitive Azure - Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, - SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\nAny Backup operations should - match with expected scheduled backup activity.","tactics":["Impact"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-07-01T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f","name":"04384937-e927-4595-8f3c-89ff58ed231f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - detectionTime = 30d;\nlet IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| - where TimeGenerated > ago(detectionTime)\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", - \"AzureActiveDirectoryStsLogon\") \n| where Operation != ''UserLoggedIn''\n| - extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", - extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand - parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| - extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| - summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), - lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), - attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| - extend timestamp = firstAttempt\n| sort by uniqueAccounts","queryFrequency":"P7D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Possible - STRONTIUM attempted credential harvesting - Sept 2020","description":"Surfaces - potential STRONTIUM group Office365 credential harvesting attempts within - OfficeActivity Logon events.\nReferences: 
https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-09T00:00:00Z","createdDateUTC":"2020-09-10T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38","name":"427e4c9e-8cf4-4094-a684-a2d060dbca38","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 50;\nSophosXGFirewall\n| where TimeGenerated - >= timeframe\n| where Log_Type =~ \"Firewall\"\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) - or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\n| - summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\n| where dcount_Dst_Port - > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Port - Scan Detected","description":"This alert creates an incident when a source - IP addresses attempt to communicate with a large amount of distinct ports - within a short 
period.","tactics":["Discovery"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SophosXGFirewall","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5","name":"00cb180c-08a8-4e55-a276-63fb1442d5b5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - cmdTokens0 = dynamic([''vbscript'',''jscript'']);\nlet cmdTokens1 = dynamic([''mshtml'',''RunHTMLApplication'']);\nlet - cmdTokens2 = dynamic([''Execute'',''CreateObject'',''RegRead'',''window.close'']);\nSecurityEvent\n| - where TimeGenerated >= ago(14d)\n| where EventID == 4688\n| where CommandLine - has @''\\Microsoft\\Windows\\CurrentVersion''\n| where not(CommandLine has_any - (@''\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'', @''\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce''))\n// - If you are receiving false positives, then it may help to make the query more - strict by uncommenting one or both of the lines below to refine the matches\n//| - where CommandLine has_any (cmdTokens0)\n//| where CommandLine has_all (cmdTokens1)\n| - where CommandLine has_all (cmdTokens2)\n| project TimeGenerated, Computer, - Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| - extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity - = 
Account","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"NOBELIUM - - Script payload stored in Registry","description":"This query idenifies when - a process execution commandline indicates that a registry value is written - to allow for later execution a malicious script\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/","tactics":["Execution"],"lastUpdatedDateUTC":"2021-03-04T00:00:00Z","createdDateUTC":"2021-03-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e","name":"3d023f64-8225-41a2-9570-2bd7c2c4535e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent - \n| where TimeGenerated > ago(2*timeframe) \n// A user account was enabled\n| - where EventID == 4722\n| where AccountType =~ \"User\"\n| project EnableTime - = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, - UserPrincipalName, \nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable - = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join - kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe) \n // - A user account was disabled \n | where EventID == 4725\n| where AccountType - == 
\"User\"\n| project DisableTime = TimeGenerated, DisableEventID = EventID, - DisableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToDisable - = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount - = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where - DisableTime - EnableTime < spanoftime\n| extend TimeDelta = DisableTime - - EnableTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, EnableTime, - EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, - AccountUsedToEnable, SIDofAccountUsedToEnable, \nDisableTime, DisableEventID, - DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\n| extend - timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity - = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"SIDofAccountUsedToEnable"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"User - account enabled and disabled within 10 mins","description":"Identifies when - a user account is enabled and then disabled within 10 minutes. 
This can be - an indication of compromise and\nan adversary attempting to hide in the noise.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-02-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb","name":"707494a5-8e44-486b-90f8-155d1797a8eb","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated - >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" - \n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend - targetResourceName = tostring(target.displayName)\n| extend targetResourceID - = tostring(target.id)\n| extend targetResourceType = tostring(target.type)\n| - extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend - isAdminConsent = targetModifiedProp[0].newValue\n| extend Consent_ServicePrincipalNames - = targetModifiedProp[5].newValue\n| extend Consent_Permissions = targetModifiedProp[4].newValue\n| - extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress - = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= - ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| - where Result =~ \"success\"\n| mv-expand 
target = TargetResources\n| extend - targetResourceName = tostring(target.displayName)\n| extend targetResourceID - = tostring(target.id)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| - extend Credential_KeyDescription = targetModifiedProp[0].newValue\n| extend - UpdatedProperties = targetModifiedProp[1].newValue\n| extend Credential_ServicePrincipalNames - = targetModifiedProp[2].newValue\n| extend Credential_InitiatingUserOrApp - = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress - = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| - extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent - > TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, - Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, - Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, - Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| - extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, - IPCustomEntity = Consent_InitiatingIpAddress","queryFrequency":"P1D","queryPeriod":"P2D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Credential - added after admin consented to Application","description":"This query will - identify instances where Service Principal credentials were added to an application - by one user after the application was granted admin consent rights by another - user.\n If a threat actor obtains 
access to an account with sufficient privileges - and adds the alternate authentication material triggering this event, the - threat actor can now authenticate as the Application or Service Principal - using this credential.\n Additional information on OAuth Credential Grants - can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n - For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-02-17T00:00:00Z","createdDateUTC":"2021-02-12T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5","name":"610d3850-c26f-4f20-8d86-f10fdf2425f5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([\"UpdateTrail\",\"DeleteTrail\",\"StopLogging\",\"DeleteFlowLogs\",\"DeleteEventBus\"]);\nAWSCloudTrail\n| - where TimeGenerated > ago(timeframe)\n| where EventName in~ (EventNameList)\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, - UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, - AWSRegion, EventSource\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = UserIdentityUserName, IPCustomEntity = 
SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - made to AWS CloudTrail logs","description":"Attackers often try to hide their - steps by deleting or stopping the collection of logs that could show their - activity. \nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge - or VPC Flow logs.\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\nAWS - Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\nAWS - DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html - ","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a","name":"2cfc3c6e-f424-4b88-9cc9-c89f482d016a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - auditLookback = 1h;\nAuditLogs\n| where TimeGenerated > ago(auditLookback)\n| - where OperationName has_any (\"Add service principal\", \"Certificates and - secrets management\") // captures \"Add service principal\", \"Add service - principal credentials\", and \"Update application - Certificates and secrets - management\" events\n| where Result =~ 
\"success\"\n| mv-expand target = TargetResources\n| - where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) - has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| - extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| - extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| - where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set - = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| - where old_value_set == \"[]\"\n| parse new_value_set with * \"KeyIdentifier=\" - keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string - \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or - keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| - extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// - The below line is currently commented out but Azure Sentinel users can modify - this query to show only Application or only Service Principal events in their - environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| - project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, - OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, - targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, - TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, - IPCustomEntity = 
InitiatingIpAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"First - access credential added to Application or Service Principal where no credential - was present","description":"This will alert when an admin or app owner account - adds a new credential to an Application or Service Principal where there was - no previous verify KeyCredential associated.\nIf a threat actor obtains access - to an account with sufficient privileges and adds the alternate authentication - material triggering this event, the threat actor can now authenticate as the - Application or Service Principal using this credential.\nAdditional information - on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor - further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-11-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13","name":"d722831e-88f5-4e25-b106-4ef6e29f8c13","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"// - a threshold can be enabled, see commented line below for PrevSeenCount\nlet - 
threshold = 2;\nlet uploadOp = ''FileUploaded'';\n// Extensions that are interesting. - Add/Remove to this list as you see fit\nlet execExt = dynamic([''exe'', ''inf'', - ''gzip'', ''cmd'', ''bat'']);\nlet starttime = 8d;\nlet endtime = 1d;\nOfficeActivity - | where TimeGenerated >= ago(endtime)\n// Limited to File Uploads due to potential - noise, comment out the Operation statement below to include any operation - type\n// Additional, but potentially noisy operation types that include Uploads - and Downloads can be included by adding the following - Operation contains - \"upload\" or Operation contains \"download\"\n| where Operation =~ uploadOp\n| - where SourceFileExtension has_any (execExt)\n| project TimeGenerated, OfficeId, - OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, - UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\n| join kind= leftanti - (\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\n| - where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| - summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) - , PrevSeenCount = count() by SourceFileName\n// To exclude previous matches - when only above a specific count, change threshold above and uncomment the - line below\n//| where PrevSeenCount > threshold\n| mvexpand SourceRelativeUrl, - UserId\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = - tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId \n| extend - SiteUrlUserFolder = tolower(split(Site_Url, ''/'')[-2])\n| extend UserIdUserFolderFormat - = tolower(replace(''@|\\\\.'', ''_'',UserId))\n// identify when UserId is - not a match to the specific site url personal folder reference\n| extend UserIdDiffThanUserFolder - = iff(Site_Url has ''/personal/'' and SiteUrlUserFolder != UserIdUserFolderFormat, - true , false ) \n| summarize TimeGenerated = make_list(TimeGenerated), StartTime - = 
min(TimeGenerated), EndTime = max(TimeGenerated), \nUserAgents = make_list(UserAgent), - OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), - FileNames = make_list(SourceFileName)\nby OfficeWorkload, RecordType, Operation, - UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, - UserIdDiffThanUserFolder\n| extend timestamp = StartTime, AccountCustomEntity - = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url","queryFrequency":"P1D","queryPeriod":"P8D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"New - executable via Office FileUploaded Operation","description":"Identifies when - executable file types are uploaded to Office services such as SharePoint and - OneDrive.\nList currently includes ''exe'', ''inf'', ''gzip'', ''cmd'', ''bat'' - file extensions.\nAdditionally, identifies when a given user is uploading - these files to another users workspace.\nThis may be indication of a staging - location for malware or other malicious 
activity.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-22T00:00:00Z","createdDateUTC":"2020-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c","name":"dcdf9bfc-c239-4764-a9f9-3612e6dff49c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"// - Adjust this to use a longer timeframe to identify ADFS servers\nlet lookback - = 6d;\n// Adjust this to adjust the key export detection timeframe\nlet timeframe - = 1d;\n// Start be identifying ADFS servers to reduce FP chance\nlet ADFS_Servers - = (\nEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source - == \"Microsoft-Windows-Sysmon\"\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| - mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| - extend Key=tostring([''@Name'']), Value=[''#text'']\n| evaluate pivot(Key, - any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, - EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| - extend process = split(Image, ''\\\\'', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| - summarize by Computer);\n// Look for ADFS servers where Named Pipes event - are present\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source - == \"Microsoft-Windows-Sysmon\"\n| where Computer in~ (ADFS_Servers)\n| extend - RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend - EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array - EventData\n| evaluate 
bag_unpack(EventData)\n| extend Key=tostring([''@Name'']), - Value=[''#text'']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, - EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, - MG, ManagementGroupName, Type, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", - \"\"), TechniqueId = column_ifexists(\"TechniqueId\", \"\"), TechniqueName - = column_ifexists(\"TechniqueName\", \"\")\n| parse RuleName with * ''technique_id='' - TechniqueId '','' * ''technique_name='' TechniqueName\n| where EventID in - (17,18)\n// Look for Pipe related to querying the WID\n| where PipeName == - \"\\\\MICROSOFT##WID\\\\tsql\\\\query\"\n| extend process = split(Image, ''\\\\'', - -1)[-1]\n// Exclude expected processes\n| where process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", - \"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\", \"AzureADConnect.exe\", - \"Microsoft.Tri.Sensor.exe\", \"wsmprovhost.exe\",\"mmc.exe\", \"sqlservr.exe\")\n| - extend Operation = RenderedDescription\n| project-reorder TimeGenerated, EventType, - Operation, process, Image, Computer, UserName\n| extend HostCustomEntity = - Computer, AccountCustomEntity = UserName","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"ADFS - Key Export (Sysmon)","description":"This detection uses Sysmon telemetry to - detect potential ADFS certificate material export. 
\nIn order to use this - query you need to be collecting Sysmon EventIdD 17 and 18.\nIf you do not - have Sysmon data in your workspace this query will raise an error stating:\nFailed - to resolve scalar expression named \"[@Name]","tactics":["Collection"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822","name":"30fa312c-31eb-43d8-b0cc-bcbdfb360822","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n SigninLogs | where TimeGenerated - >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the - column to lower case for exact match with EmailRecipient column\n | extend - UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName - matches regex emailregex\n | extend StatusCode = tostring(Status.errorCode), - StatusDetails = tostring(Status.additionalDetails)\n | extend Region = - tostring(LocationDetails[\"countryOrRegion\"]), State = tostring(LocationDetails[\"state\"]), - City = tostring(LocationDetails[\"city\"])\n // renaming timestamp column - so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated - = TimeGenerated\n)\non $left.EmailRecipient == 
$right.UserPrincipalName\n| - summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| - project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, - ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\nEmailSenderName, - EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, - IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, - NetworkIP, NetworkDestinationIP, NetworkSourceIP\n| extend timestamp = SigninLogs_TimeGenerated, - AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to SigninLogs","description":"Identifies a match in SigninLogs - table from any Email IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df","name":"75bf9902-0789-47c1-a5d8-f57046aa72df","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);\nlet - ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| - where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account - = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName - = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents - \n| where TimeGenerated >= ago(timeframe)\n| where FileName in~ (procList)\n| - where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, - Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity - = 
Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Malware - in the recycle bin","description":"Identifies malware that has been hidden - in the recycle bin.\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2018-09-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151","name":"23005e87-2d3a-482b-b03d-edbebd1ae151","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - exchange_servers = (\nW3CIISLog\n| where TimeGenerated > ago(14d)\n| where - sSiteName =~ \"Exchange Back End\"\n| summarize by Computer);\nW3CIISLog\n| - where TimeGenerated > ago(1d)\n| where Computer in (exchange_servers)\n| where - csUriQuery startswith \"t=\"\n| project-reorder TimeGenerated, Computer, csUriStem, - csUriQuery, csUserName, csUserAgent, cIP\n| extend timestamp = TimeGenerated, - AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity - = 
cIP","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"HAFNIUM - Suspicious Exchange Request","description":"This query looks for suspicious - request patterns to Exchange servers that fit a pattern observed by HAFNIUM - actors.\nThe same query can be run on HTTPProxy logs from on-premise hosted - Exchange servers.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-03-02T00:00:00Z","createdDateUTC":"2021-03-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7","name":"3ff0fffb-d963-40c0-b235-3404f915add7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 14d;\nGitHubAudit\n| where TimeGenerated > ago(timeframe)\n| where - Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, - Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity - = Actor, IPCustomEntity = 
IPaddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"GitHub - Two Factor Auth Disable","description":"Two-factor authentication is a process - where a user is prompted during the sign-in process for an additional form - of identification, such as to enter a code on their cellphone or to provide - a fingerprint scan. Two factor authentication reduces the risk of account - takeover. Attacker will want to disable such security tools in order to go - undetected. ","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-02T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b","name":"0558155e-4556-447e-9a22-828f2a7de06b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nProofPointTAPMessagesDelivered_CL\n| where TimeGenerated - >= timeframe\n| mv-expand todynamic(threatsInfoMap_s)\n| mv-expand todynamic(messageParts_s)\n| - extend threatType = tostring(threatsInfoMap_s.threatType), classification - = tostring(threatsInfoMap_s.classification)\n| extend filename = tostring(messageParts_s.filename)\n| - where threatType =~ \"attachment\" and classification =~ \"malware\"\n| summarize - filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = - max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress - = senderIP_s, Recipient = recipient_s, threatType, 
classification, Subject - = subject_s\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, - IPCustomEntity = SenderIPAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Malware - attachment delivered","description":"This query identifies a message containing - a malware attachment that was delivered.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ProofpointTAP","dataTypes":["ProofPointTAPMessagesDelivered_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b","name":"473d57e6-f787-435c-a16b-b38b51fa9a4b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - servicelist = dynamic([''Services\\\\HealthService'', ''Services\\\\Sense'', - ''Services\\\\WinDefend'', ''Services\\\\MsSecFlt'', ''Services\\\\DiagTrack'', - ''Services\\\\SgrmBroker'', ''Services\\\\SgrmAgent'', ''Services\\\\AATPSensorUpdater'' - , ''Services\\\\AATPSensor'', ''Services\\\\mpssvc'']);\nlet filename = dynamic([\"subinacl.exe\",''SetACL.exe'']);\nlet - parameters = dynamic ([''/deny=SYSTEM'', ''/deny=S-1-5-18'', ''/grant=SYSTEM=r'', - ''/grant=S-1-5-18=r'', ''n:SYSTEM;p:READ'', ''n1:SYSTEM;ta:remtrst;w:dacl'']);\nlet - FullAccess = dynamic([''A;CI;KA;;;SY'', ''A;ID;KA;;;SY'', ''A;CIID;KA;;;SY'']);\nlet - ReadAccess = dynamic([''A;CI;KR;;;SY'', ''A;ID;KR;;;SY'', 
''A;CIID;KR;;;SY'']);\nlet - DenyAccess = dynamic([''D;CI;KR;;;SY'', ''D;ID;KR;;;SY'', ''D;CIID;KR;;;SY'']);\nlet - timeframe = 1d;\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated - >= ago(timeframe)\n| where EventID == 4670\n| where ObjectType == ''Key''\n| - where ObjectName has_any (servicelist)\n| parse EventData with * ''OldSd\">'' - OldSd \"<\" *\n| parse EventData with * ''NewSd\">'' NewSd \"<\" *\n| extend - Reason = case( (OldSd has '';;;SY'' and NewSd !has '';;;SY''), ''System Account - is removed'', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) - , ''System permission has been changed to read from full access'', (OldSd - has_any (FullAccess) and NewSd has_any (DenyAccess)), ''System account has - been given denied permission'', ''None'')\n| project TimeGenerated, Computer, - Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, - SubjectLogonId, OldSd, NewSd , Reason\n),\n(\nSecurityEvent\n| where TimeGenerated - >= ago(timeframe)\n| where EventID == 4688\n| extend ProcessName = tostring(split(NewProcessName, - ''\\\\'')[-1])\n| where ProcessName in~ (filename) \n| where CommandLine has_any - (servicelist) and CommandLine has_any (parameters)\n| project TimeGenerated, - Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, - EventID, Activity, CommandLine, EventSourceName, Type\n),\n(\nDeviceProcessEvents\n| - where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessFileName in~ - (filename) \n| where InitiatingProcessCommandLine has_any(servicelist) and - InitiatingProcessCommandLine has_any (parameters)\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), - InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\n| - project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, - ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, - Type, 
InitiatingProcessParentFileName\n)\n)\n| extend timestamp = TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Security - Service Registry ACL Modification","description":"Identifies attempts to modify - registry ACL to evade security solutions. In the Solorigate attack, the attackers - were found modifying registry permissions so services.exe cannot access the - relevant registry keys to start the service.\n The detection leverages Security - Event as well as MDE data to identify when specific security services registry - permissions are modified. \n Only some portions of this detection are related - to Solorigate, it also includes coverage for some common tools that perform - this activity. 
\n Reference on guidance for enabling registry auditing:\n - - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\n - - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\n - - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\n - - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\n - - For the event 4670 to be created the audit policy for the registry must have - auditing enabled for Write DAC and/or Write Owner\n - https://github.com/OTRF/Set-AuditRule - \n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2021-01-20T00:00:00Z","createdDateUTC":"2021-01-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceProcessEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f","name":"5e45930c-09b1-4430-b2d1-cc75ada0dc0f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, 
taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | - where isnotempty(cIP)\n // renaming time column so it is clear the log - this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non - $left.TI_ipEntity == $right.cIP\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nW3CIISLog_TimeGenerated, - TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, - scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, - EmailSourceIpAddress\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity - = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to W3CIISLog","description":"Identifies a match in W3CIISLog - from any IP IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b","name":"a7564d76-ec6b-4519-a66b-fcc80c42332b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID - = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet - GroupAddition = SecurityEvent \n| where TimeGenerated > ago(timeframe)\n// - 4728 - A member was added to a security-enabled global group\n// 4732 - A - member was added to a security-enabled local group\n// 4756 - A member was - added to a security-enabled universal group \n| where EventID in (\"4728\", - \"4732\", \"4756\") \n| where AccountType =~ \"User\" and MemberName == \"-\"\n// - Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| - where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex - WellKnownGroupSID\n| project GroupAddTime = TimeGenerated, GroupAddEventID - = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount - = TargetAccount, \nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = - SubjectAccount, GroupAddSubjectUserSid = 
SubjectUserSid, GroupSid = MemberSid;\nlet - GroupCreated = SecurityEvent\n| where TimeGenerated > ago(timeframe)\n// 4727 - - A security-enabled global group was created\n// 4731 - A security-enabled - local group was created\n// 4754 - A security-enabled universal group was - created\n| where EventID in (\"4727\", \"4731\", \"4754\")\n| where AccountType - =~ \"User\"\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID - = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, - GroupCreateTargetAccount = TargetAccount, \nGroupCreateSubjectAccount = SubjectAccount, - GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\nGroupCreated\n| - join (\nGroupAddition\n) on GroupSid \n| extend timestamp = GroupCreateTime, - AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"GroupCreateSubjectUserSid"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Group - created then added to built in domain local or global group","description":"Identifies - when a recently created Group was added to a privileged built in domain local - group or global group such as the \nEnterprise Admins, Cert Publishers or - DnsAdmins. 
Be sure to verify this is an expected addition.\nReferences: For - AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43","name":"5436f471-b03d-41cb-b333-65891f887c43","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Informational","query":"GitHubRepo\n| - where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, - Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, - Summary","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"GitHub - Security Vulnerability in Repository","description":"This alerts when there - is a new security vulnerability in a GitHub repository.","lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-10T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b","name":"cecdbd4c-4902-403c-8d4b-32eb1efe460b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - domains = 
dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet - timeframe = 6h;\n(union isfuzzy=true\n(CommonSecurityLog \n | where TimeGenerated - >= ago(timeframe) \n | parse Message with * ''('' DNSName '')'' * \n | where - DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL - has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity - = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | where TimeGenerated - >= ago(timeframe) \n | extend DNSName = Name\n | where isnotempty(DNSName)\n | - where DNSName in~ (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(VMConnection - \n | where TimeGenerated >= ago(timeframe) \n | parse RemoteDnsCanonicalNames - with * ''[\"'' DNSName ''\"]'' *\n | where isnotempty(DNSName)\n | where - DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents - \n | where TimeGenerated >= ago(timeframe) \n | where isnotempty(RemoteUrl) - \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | - extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName - \n ) \n )","queryFrequency":"PT6H","queryPeriod":"PT6H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"DNS","fieldMappings":[{"identifier":"DomainName","columnName":"DNSName"}]}],"displayName":"Solorigate - Network 
Beacon","description":"Identifies a match across various data feeds - for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, - \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-17T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695","name":"bb8a3481-dd14-4e76-8dcc-bbec8776d695","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - DomainNames = dynamic([''onetechcompany.com'', ''reyweb.com'', ''srfnetwork.org'']);\nlet - IPList = dynamic([''185.225.69.69'']);\nlet IPRegex = ''[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}'';\n(union - isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP - in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any - (DomainNames) or Message has_any (IPList)\n| parse Message with * ''('' DNSName - '')'' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch - = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", - MessageIP in (IPList), 
\"Message\", RequestURL in (DomainNames), \"RequestUrl\", - \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch - == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch - == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| - where IPAddresses in (IPList) or Name in~ (DomainNames) \n| extend DestinationIPAddress - = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, - IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| - where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames - has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * ''[\"'' DNSName - ''\"]'' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp - in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, - IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", - DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| - where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity - = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where - RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp - = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity - = DeviceName\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| - where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: - \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class - \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO - \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size - \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend - timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics - \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| - parse msg_s with Protocol ''request from '' SourceHost '':'' SourcePort ''to - '' DestinationHost '':'' DestinationPort ''. Action:'' Action\n| where isnotempty(DestinationHost)\n| - where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, - DNSName = DestinationHost, IPCustomEntity = SourceHost\n)\n)","queryFrequency":"PT6H","queryPeriod":"PT6H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"DNS","fieldMappings":[{"identifier":"DomainName","columnName":"DNSName"}]}],"displayName":"NOBELIUM - - Domain and IP IOCs - March 2021","description":"Identifies a match across - various data feeds for domains and IP IOCs related to NOBELIUM.\n References: - 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2021-03-04T00:00:00Z","createdDateUTC":"2021-03-04T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"AzureFirewall","dataTypes":["AzureDiagnostics"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05","name":"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.0","techniques":["Unknown"],"customizableObservations":{"multiSelectObservations":[{"supportedValues":["Fraction - of failed signins","Number of failed signins","Failed signins to successful - signins ratio","Number of signins with incorrect passwords","Incorrect passwords - to correct passwords ratio","Fraction of incorrect password signins","Distinct - number of app ids","Distinct number of client apps","Distinct number of ip - addresses","Distinct number of opperating systems","Distinct number of browsers","Distinct - number of cities","Distinct number of states","Distinct number of countries"],"values":["Fraction - of failed signins","Number of failed signins","Failed signins to successful - signins ratio","Number of signins with incorrect passwords","Incorrect passwords - to 
correct passwords ratio","Fraction of incorrect password signins","Distinct - number of app ids","Distinct number of client apps","Distinct number of ip - addresses","Distinct number of opperating systems","Distinct number of browsers","Distinct - number of cities","Distinct number of states","Distinct number of countries"],"supportedValuesKql":null,"valuesKql":null,"name":"Top - reason for high anomaly score","description":"Include only anomalies where - the top reason is one of these values.","sequenceNumber":0,"rerun":"RerunAlways"}],"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0.0","maximum":"1.0","value":"0.5","name":"Score","description":"Generate - an anomaly when the anomaly score is greater than or equal to the chosen value.","sequenceNumber":0,"rerun":"RerunAlways"}]},"frequency":"P1D","displayName":"(Preview) - Anomalous Azure AD sign-in sessions","description":"The machine learning model - groups the Azure AD sign-in logs on a per-user basis.\nThe model is trained - on the previous 6 days of user sign-in behavior.\nIt indicates anomalous user - sign-in sessions in the last day.\n\nAn autoencoder model is used.\nIts aim - is to compress the user sign-in sessions into a bottleneck encoding.\nIt then - attempts to reconstruct the input sessions as best it can from the bottleneck - encoding.\nThe sessions with high reconstruction errors are assumed to be - 
anomalous.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-02T00:00:00Z","createdDateUTC":"2020-11-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2","name":"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n OfficeActivity | where TimeGenerated - >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex - emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non - $left.EmailRecipient == $right.UserId\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\nEmailSenderName, - EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, - UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| - extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, - IPCustomEntity = ClientIP, URLCustomEntity = 
Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to OfficeActivity","description":"Identifies a match in - OfficeActivity table from any Email IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc","name":"154fde9f-ae00-4422-a8da-ef00b11da3fc","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", - 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == - 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level","queryFrequency":"PT2H","queryPeriod":"PT2H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Alsid - Indicators of Exposures","description":"Searches for triggered Indicators - of 
Exposures","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-05T00:00:00Z","createdDateUTC":"2020-11-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AlsidForAD","dataTypes":["AlsidForADLog_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9","name":"f948a32f-226c-4116-bddd-d95e91d97eb9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated - > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where - Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent - to application\"\n| where TargetResources has \"mailboxsettings\"\n| extend - AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| - where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] - with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| - parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" - GrantScope1 \"]\" *\n| where ConsentFull contains \"contacts.read\" and ConsentFull - contains \"user.read\" and ConsentFull contains \"mail.read\" and ConsentFull - contains \"notes.read.all\" and ConsentFull contains \"mailboxsettings.readwrite\" - and ConsentFull contains \"Files.ReadWrite.All\"\n| where GrantConsentType - != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted - to all users via an admin - but admin due diligence should be audited 
occasionally\n| - extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, - InitiatedBy.app.ipAddress)\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, - InitiatedBy.app.displayName)\n| extend GrantUserAgent = iff(AdditionalDetails[0].key - =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, - GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, - GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| - join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| - where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| - extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue - has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| - distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind - = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where - LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add - delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| - extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, - CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, - GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, - GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, - CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity - = GrantInitiatedBy, IPCustomEntity = 
GrantIpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - application consent similar to O365 Attack Toolkit","description":"This will - alert when a user consents to provide a previously-unknown Azure application - with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe - default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, - user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\nConsent - to applications with these permissions should be rare, especially as the knownApplications - list is expanded, especially as the knownApplications list is expanded. Public - contributions to expand this filter are welcome!\nFor further information - on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess","DefenseEvasion"],"lastUpdatedDateUTC":"2020-12-03T00:00:00Z","createdDateUTC":"2020-06-26T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718","name":"45b903c5-6f56-4969-af10-ae62ac709718","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\nSecurityEvent\n| where TimeGenerated - >= 
ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize - StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount - = count() \nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, - AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude - anything from the previous 14 days that is not rare\n| join kind=leftanti - (\nSecurityEvent\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| - where EventID == 4624\n| summarize by Computer = toupper(Computer), IpAddress, - Account = tolower(Account)\n) on Account, Computer\n| summarize StartTime - = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \nby - Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n| - extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity - = Computer, IPCustomEntity = IpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Rare - RDP Connections","description":"Identifies when an RDP connection is new or - rare related to any logon type by a given account today based on comparison - with the previous 14 days.\nRDP connections are indicated by the EventID 4624 - with LogonType = 
10","tactics":["LateralMovement"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-01-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6","name":"327cd4ed-ca42-454b-887c-54e1c91363c6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft - Defender Advanced Threat Protection","displayName":"Create incidents based - on Microsoft Defender Advanced Threat Protection alerts","description":"Create - incidents based on all alerts generated in Microsoft Defender Advanced Threat - Protection","lastUpdatedDateUTC":"2019-10-24T00:00:00Z","createdDateUTC":"2019-10-24T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftDefenderAdvancedThreatProtection","dataTypes":["SecurityAlert - (MDATP)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6","name":"4915c713-ab38-432e-800b-8e2d46933de6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - PrivateIPregex = @''^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.''; - \nlet avgthreshold = 0;\nlet probabilityLimit = 0.01;\nlet startime = 7d;\nlet - ssh_logins = Syslog\n| where TimeGenerated >= ago(startime)\n| where Facility - contains \"auth\" and ProcessName =~ \"sshd\"\n| where SyslogMessage has \"Accepted\"\n| 
- extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) - \n| where isnotempty(SourceIP)\n| extend ipType = iff(SourceIP matches regex - PrivateIPregex,\"private\" ,\"public\");\nssh_logins \n| summarize privatecount=countif(ipType==\"private\"), - publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, - 1d)\n| summarize \npublicIPLoginHistory = make_list(pack(''IPCount'', publiccount, ''logon_time'', - EventTime)),\nprivateIPLoginHistory = make_list(pack(''IPCount'', privatecount, - ''logon_time'', EventTime)) by HostName, HostIP\n| mv-apply publicIPLoginHistory - = publicIPLoginHistory on\n(\n order by todatetime(publicIPLoginHistory[''logon_time'']) - asc\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[''IPCount''])), - publicAverage=avg(toint(publicIPLoginHistory[''IPCount''])), publicStd=stdev(toint(publicIPLoginHistory[''IPCount''])), - maxPublicLoginCount=max(toint(publicIPLoginHistory[''IPCount'']))\n)\n| mv-apply - privateIPLoginHistory = privateIPLoginHistory on\n(\n order by todatetime(privateIPLoginHistory[''logon_time'']) - asc\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[''IPCount''])), - privateAverage=avg(toint(privateIPLoginHistory[''IPCount''])), privateStd=stdev(toint(privateIPLoginHistory[''IPCount'']))\n)\n// - Some logins from private IPs\n| where privateAverage > avgthreshold\n// There - is a non-zero number of logins from public IPs\n| where publicAverage > avgthreshold\n// - Approximate probability of seeing login from a public IP is < 1%\n| extend - probabilityPublic = publicAverage / (privateAverage + publicAverage)\n| where - probabilityPublic < probabilityLimit\n// Today has the highest number of logins - from public IPs that we''ve seen in the last week\n| extend publicLoginCountToday - = publicIPLoginCountList[-1]\n| where publicLoginCountToday >= maxPublicLoginCount\n| - extend HostCustomEntity = 
HostName\n// Optionally retrieve the original raw - data for those logins that we''ve identified as potentially suspect\n// | - join kind=rightsemi (\n// ssh_logins\n// | where ipType == \"public\"\n// ) - on HostName","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"New - internet-exposed SSH endpoints","description":"Looks for SSH endpoints with - a history of sign-ins only from private IP addresses are accessed from a public - IP address.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546","name":"f041e01d-840d-43da-95c8-4188f6cef546","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime - = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet - GitHubCountryCodeLogs = (GitHubAudit\n| where Country != \"\");\n GitHubCountryCodeLogs\n| - where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize - makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | - where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | distinct - Country, Actor \n) on Actor \n| where set_Country !contains Country\n| extend - AccountCustomEntity = Actor , timestamp = TimeGenerated","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"GitHub - Activites from a New Country","description":"Detect activities from a location - that was not recently or was never visited by the user or by any user in your - organization.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-02T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a","name":"85aca4d1-5d15-4001-abd9-acb86ca1786a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our - threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| - where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| - extend parts = split(DomainName, ''.'')\n| extend tld = parts[(array_length(parts)-1)]\n| - summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where - TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog - message\n | where isnotempty(Name)\n | extend parts = split(Name, ''.'')\n //Split - out 
the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate - parsed domain by checking if the TLD is in the list of TLDs in our threat - feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) - on $left.DomainName==$right.Name\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, - Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, - HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = - Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Domain entity to DnsEvent","description":"Identifies a match in DnsEvent - table from any Domain IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73","name":"b8266f81-2715-41a6-9062-42486cbc9c73","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\nlet threshold = 200;\nInfobloxNIOS\n| where TimeGenerated - >= ago(timeframe)\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| - where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize - count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| - join kind=inner (InfobloxNIOS\n | where TimeGenerated >= ago(timeframe)\n | - where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n | where isnotempty(ResponseCode)\n | - where ResponseCode =~ \"NXDOMAIN\"\n ) on Client_IP\n| extend timestamp - = TimeGenerated, IPCustomEntity = Client_IP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Excessive - NXDOMAIN DNS Queries","description":"This creates an incident in the event - a client generates excessive amounts of DNS queries for non-existent 
domains.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"InfobloxNIOS","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb","name":"f0be259a-34ac-4946-aa15-ca2b115d5feb","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold - = 15;\nlet PercentBeaconThreshold = 80;\nlet PrivateIPregex = @''^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'';\nCommonSecurityLog\n| - where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| - where TimeGenerated between (ago(starttime)..ago(endtime))\n| extend DestinationIPType - = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| - where DestinationIPType == \"public\"\n| project TimeGenerated, DeviceName, - SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, - SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort - asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP - = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff(''second'',nextTimeGenerated,TimeGenerated)\n| - where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| - where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds, - DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, - ReceivedBytes, SentBytes\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), - 
make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, - 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| - summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, - TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), - TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, - SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents - > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) - * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp - = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, - HostCustomEntity = DeviceName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Palo - Alto - potential beaconing detected","description":"Identifies beaconing patterns - from Palo Alto Network traffic logs based on recurrent timedelta patterns. - \nThe query leverages various KQL functions to calculate time deltas and then - compares it with total events observed in a day to find percentage of beaconing. 
- \nThis outbound beaconing pattern to untrusted public networks should be investigated - for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-05-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6","name":"2d8a60aa-c15e-442e-9ce3-ee924889d2a6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"eset_CL\n| - where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, - AccountCustomEntity = username_s, IPCustomEntity = ipv4_s","queryFrequency":"PT5M","queryPeriod":"PT5M","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Threats - detected by Eset","description":"Escalates threats detected by 
Eset.","tactics":["Execution","CredentialAccess","PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-09T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"EsetSMC","dataTypes":["eset_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e","name":"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", - 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", - \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", - \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", - \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == - 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on - Severity\n| order by Level","queryFrequency":"PT2H","queryPeriod":"PT2H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Alsid - privileged accounts issues","description":"Searches for triggered Indicators - of Exposures related to privileged accounts 
issues","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-07T00:00:00Z","createdDateUTC":"2020-11-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AlsidForAD","dataTypes":["AlsidForADLog_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6","name":"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Azure - Security Center","displayName":"Create incidents based on Azure Security Center - alerts","description":"Create incidents based on all alerts generated in Azure - Security Center","lastUpdatedDateUTC":"2019-07-16T00:00:00Z","createdDateUTC":"2019-07-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureSecurityCenter","dataTypes":["SecurityAlert - (ASC)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf","name":"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated - >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take - messages that include URLs\n | extend Url = 
extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", - 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated - = TimeGenerated\n) on Url\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, - SyslogMessage, Computer, ProcessName, Url, HostIP\n| extend timestamp = Syslog_TimeGenerated, - HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map URL entity to Syslog data","description":"Identifies a match in Syslog - data from any URL IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39","name":"26a3b261-b997-4374-94ea-6c37f67f4f39","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet 
DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet - SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", - \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", - \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", - \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", - \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", - \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", - \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", - \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", - \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", - \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic - ([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", - \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", - \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", - \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", - \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", \"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", - \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", 
\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", - \"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", - \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", - \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", - \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet - SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", - \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| where isnotempty(FileHash)\n| - where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account - = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents - \n| where TimeGenerated >= ago(timeframe) \n| extend DNSName = Name\n| where - isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress - = ClientIP\n),\n(VMConnection \n| where TimeGenerated >= ago(timeframe) \n| - parse RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| where isnotempty(DNSName)\n| - where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This - query uses sysmon data depending on table name used this may need updataing\n| - where TimeGenerated >= ago(3d)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| - extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| - extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * ''SHA1='' - SHA1 '','' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| - extend Account = UserName\n),\n(SecurityAlert\n| where TimeGenerated >= ago(timeframe)\n| 
- where Entities has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) - \n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, - HostCustomEntity = Computer, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - GALLIUM domains and hashes","description":"GALLIUM command and control domains - and hash values for tools and malware used by GALLIUM. \n Matches domain name - IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, - VMConnection and SecurityEvents dataTypes.\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - 
","tactics":["CommandAndControl","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-12-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9","name":"0625fcce-6d52-491e-8c68-1d9b801d25b9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"Event\n| - where EventLog =~ \"Application\"\n| where Source startswith \"MSExchange\"\n| - where EventLevelName =~ \"error\"\n| where (RenderedDescription startswith - \"Watson report\" and RenderedDescription contains \"umworkerprocess\" and - RenderedDescription contains \"TextFormattingRunProperties\") or RenderedDescription - startswith \"An unhandled exception occurred in a UM worker process\" or RenderedDescription - startswith \"The Microsoft Exchange Unified Messaging service\"\n| where RenderedDescription - !contains \"System.OutOfMemoryException\"\n| extend timestamp = TimeGenerated, - HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"HAFNIUM - Suspicious UM Service Error.","description":"This query looks for errors that - may indicate that an attacker is attempting to exploit a vulnerability in - the service. 
\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-03-02T00:00:00Z","createdDateUTC":"2021-03-02T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760","name":"2560515c-07d1-434e-87fb-ebe3af267760","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"AuditLogs\n| - where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any - (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| - where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) - has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props - = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand - props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend - InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| - extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| - extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| - where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo - = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| - project-away props\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName - has \"Consent to application\"\n | extend AppName = tostring(TargetResources[0].displayName)\n | - extend AppId = tostring(TargetResources[0].id)\n | project AppName, AppId, - CorrelationId) on CorrelationId\n| project-reorder 
TimeGenerated, OperationName, - InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, - AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity - = InitiatingUser, IPCustomEntity = UserIPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Mail.Read - Permissions Granted to Application","description":"This query look for applications - that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions - field has Mail.Read) and subsequently has been consented to. This can help - identify applications that have been abused to gain access to mailboxes.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-27T00:00:00Z","createdDateUTC":"2020-12-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07","name":"a4025a76-6490-4e6b-bb69-d02be4b03f07","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially 
more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n AzureNetworkAnalytics_CL\n | where TimeGenerated - >= ago(dt_lookBack)\n // renaming time column so it is clear the log this - came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // - NSG Flow Logs have additional information concat with Public IP, removing - onlp Public IP\n | extend PIPs = split(PublicIPs_s, ''|'', 0)\n | extend - PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n// Set to - alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == - \"A\"\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, - ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\nTI_ipEntity, - Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, - PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, - EmailSourceIpAddress\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, - IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity - = 
Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)","description":"Identifies - a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI - that was Allowed","tactics":["Impact"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43","name":"01f64465-b1ef-41ea-a7f5-31553a11ad43","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet endpointData = \n(SecurityEvent\n | where TimeGenerated - >= ago(timeframe) \n | where EventID == 4688\n | extend shortFileName = - tostring(split(NewProcessName, ''\\\\'')[-1])\n );\n// Correlate suspect - executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| - where TimeGenerated >= ago(timeframe)\n| where DeviceVendor =~ \"Trend Micro\"\n| - where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| - project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| - extend suspectExeName = 
tolower(tostring(split(RequestURL, ''/'')[-1]))\n| - join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend - timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity - = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Network - endpoint to host executable correlation","description":"Correlates blocked - URLs hosting [malicious] executables with host endpoint data\nto identify - potential instances of executables of the same name having been recently run.","tactics":["Execution"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"TrendMicro","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c","name":"9fb57e58-3ed8-4b89-afcf-c8e786508b1c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - szOperationNames = dynamic([\"Create or Update Virtual Machine\", \"Create - Deployment\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = - AzureActivity\n| where TimeGenerated between 
(ago(starttime) .. ago(endtime))\n| - where OperationName in~ (szOperationNames)\n| project ResourceGroup, Caller, - OperationName, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| - where TimeGenerated > ago(endtime)\n| where OperationName in~ (szOperationNames)\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), - CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationName, - Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| - where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller - = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away - Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, - IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller - desc nulls last","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - Resource deployment","description":"Identifies when a rare Resource and ResourceGroup - deployment occurs by a previously unseen 
Caller.","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8","name":"fb9e0b51-8867-48d7-86f4-6e76f2176bf8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", - 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", - \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", - \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| - where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter - SeverityTable on Severity\n| order by Level","queryFrequency":"PT2H","queryPeriod":"PT2H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Alsid - user accounts issues","description":"Searches for triggered Indicators of - Exposures related to user accounts 
issues","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-07T00:00:00Z","createdDateUTC":"2020-11-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AlsidForAD","dataTypes":["AlsidForADLog_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c","name":"2f561e20-d97b-4b13-b02d-18b34af6e87c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet cmdList = dynamic([\"Set-CASMailbox\",\"ActiveSyncAllowedDeviceIDs\",\"add\"]);\n(union - isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| - where CommandLine has_all (cmdList)\n| project Type, TimeGenerated, Computer, - Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\n| - extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity - = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| - where InitiatingProcessCommandLine has_all (cmdList)\n| project Type, TimeGenerated, - DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, - InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\n| - extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity - = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where - Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData - = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array - EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring([''@Name'']), - Value=[''#text'']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, - EventLog, Computer, 
EventLevel, EventLevelName, EventID, UserName, RenderedDescription, - MG, ManagementGroupName, Type, _ResourceId)\n| where TimeGenerated >= ago(timeframe)\n| - where CommandLine has_all (cmdList)\n| extend Type = strcat(Type, \": \", - Source)\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, - CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, - HostCustomEntity = Computer\n)\n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Email - access via active sync","description":"This query detects attempts to add - attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\nThis - technique was seen in relation to Solorigate attack but the results can indicate - potential malicious activity used in different attacks.\n- Note that this - query can be changed to use the KQL \"has_all\" operator, which hasn''t yet - been documented officially, but will be soon.\n In short, \"has_all\" will - only match when the referenced field has all strings in the list.\n- Refer - to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
","tactics":["PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-02-10T00:00:00Z","createdDateUTC":"2021-02-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceProcessEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db","name":"aa1eff90-29d4-49dc-a3ea-b65199f516db","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(timeframe) \n| - where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime - = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, - Computer = toupper(Computer), \nCreatedUser = tolower(TargetAccount), CreatedUserSid - = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser - = SubjectUserSid\n| join (\nSecurityEvent \n| where TimeGenerated > ago(timeframe) - \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled - local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: - S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime - = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer - = toupper(Computer), GroupName = tolower(TargetAccount), \nGroupSid = TargetSid, - AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, - CreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then - the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, - CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, 
GroupAddEventID, - \nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, - SIDofAccountThatAddedUser \n| extend timestamp = CreatedUserTime, AccountCustomEntity - = CreatedUser, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"CreatedUserSid"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"New - user created and added to the built-in administrators group","description":"Identifies - when a user account was created and then added to the builtin Administrators - group in the same day.\nThis should be monitored closely and all additions - reviewed.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-02-22T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f","name":"200f05a2-db6e-4ff7-be83-bbc30b44755f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.2.1","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.07","name":"Score","description":"Generate - an anomaly when score is greater than the chosen 
value","sequenceNumber":1,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Suspicious volume of logins to user account","description":"This algorithm - detects an unusually high volume of successful logins per user account. The - model is trained on the previous 21 days of security event ID 4624 on an account. - It indicates anomalous high volume of successful logins in the last day","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-12-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111","name":"dd0a6029-ecef-4507-89c4-fc355ac52111","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our - threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | - where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | - extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, - ''.'')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize - count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | - summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | - where Active == true\n // Picking up only IOC''s that contain the entities - we want\n | where isnotempty(DomainName)\n | join (\n CommonSecurityLog\n | - extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | - where 
DeviceEventClassID =~ ''url''\n //Uncomment the line below to - only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract - domain from RequestURL, if not present extarct it from AdditionalExtentions\n | - extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend - PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", - extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim(''\"'', PA_Url))\n | - extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol - !~ \"ssl\", strcat(''http://'', PA_Url), iif(PA_Url !startswith \"https://\" - and ApplicationProtocol =~ \"ssl\", strcat(''https://'', PA_Url), PA_Url))\n | - extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | - where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | - extend parts = split(Domain, ''.'')\n //Split out the TLD for the purpose - of checking if we have any TI indicators with this TLD to match on\n | - extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain - by checking TLD against TLDs from threat feed and drop domains where there - is no chance of a match\n | where tld in~ (list_tlds)\n | extend - CSL_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | - project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, - IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, - DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, - ApplicationProtocol, RequestMethod\n | extend timestamp = CSL_TimeGenerated, - IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity - = 
PA_Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Domain entity to CommonSecurityLog","description":"Identifies a match - in CommonSecurityLog table from any Domain IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b","name":"5dd76a87-9f87-4576-bab3-268b0e2b338b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - threshold = 5;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet - szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime - = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where - TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ - szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| - summarize historicalCount = count() by UserAgent, RecordType, Operation;\nlet - recentActivity = OfficeActivity\n| where RecordType =~ szSharePointFileOperation\n| - where Operation in~ (szOperations)\n| where TimeGenerated > 
ago(endtime)\n| - where isnotempty(UserAgent)\n| summarize min(Start_Time), max(Start_Time), - recentCount = count() by UserAgent, RecordType, Operation;\nlet RareUserAgent - = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\n| - order by recentCount desc, UserAgent\n// More than 3 downloads/uploads from - a new user agent today\n| where recentCount > threshold;\nOfficeActivity \n| - where TimeGenerated > ago(endtime) \n| where RecordType =~ szSharePointFileOperation - \n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| join - kind= inner (RareUserAgent)\non UserAgent, RecordType, Operation \n| where - Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc - = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, - UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, - UserAgentSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by - UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"SharePointFileOperation - via devices with previously unseen user agents","description":"Identifies - if the number of documents uploaded or downloaded from device(s) associated\nwith - a previously unseen user agent exceeds a threshold (default is 
5).","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-08-23T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b","name":"84cf1d59-f620-4fee-b569-68daf7008b7b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 10;\nQualysHostDetection_CL\n| where - TimeGenerated >= timeframe\n| mv-expand todynamic(Detections_s)\n| extend - Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), - Severity = tostring(Detections_s.Severity)\n| where Status =~ \"New\" and - Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - dcount(NetBios_s) by tostring(Detections_s.QID)\n| where dcount_NetBios_s - >= threshold\n| extend timestamp = StartTime","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"New - High Severity Vulnerability Detected Across Multiple Hosts","description":"This - creates an incident when a new high severity vulnerability is detected across - multilple 
hosts","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-06-20T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"QualysVulnerabilityManagement","dataTypes":["QualysHostDetection_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63","name":"7ee72a9e-2e54-459c-bc8a-8c08a6532a63","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union - isfuzzy=true\n(CommonSecurityLog\n| where TimeGenerated >= ago(timeframe) - \n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP - in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend - IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), - \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, - DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, - DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch - == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP - in Message Field\") \n),\n(OfficeActivity\n| where TimeGenerated >= ago(timeframe) - \n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress - in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress - , AccountCustomEntity = Account\n),\n(DnsEvents \n| where TimeGenerated >= - ago(timeframe) \n| extend DestinationIPAddress = IPAddresses, Host = 
Computer\n| - where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, - IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection - \n| where TimeGenerated >= ago(timeframe) \n| where isnotempty(SourceIp) or - isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp - in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", - DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp - = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, - IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| - where TimeGenerated >= ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| - where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail - = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], - DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) - or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), - \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| - extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity - = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch - == \"DestinationIP\", DestinationIP, \"None\")\n), \n(WireData \n| where TimeGenerated - >= ago(timeframe)\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| - extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity - = Computer\n),\n(SigninLogs\n| where TimeGenerated >= ago(timeframe)\n| where - isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = - TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog - \n| where TimeGenerated >= ago(timeframe)\n| where isnotempty(cIP)\n| where - cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, - HostCustomEntity = 
Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity - \n| where TimeGenerated >= ago(timeframe)\n| where isnotempty(CallerIpAddress)\n| - where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity - = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where - TimeGenerated >= ago(timeframe)\n| where isnotempty(SourceIpAddress)\n| where - SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity - = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n)\n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - IRIDIUM IP","description":"IRIDIUM command and control IP. 
Identifies a match - across various data feeds for IP IOCs related to the IRIDIUM activity group.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-12-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"AzureMonitor(WireData)","dataTypes":["WireData"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]},{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a","name":"157c0cfc-d76d-463b-8755-c781608cdc1a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - PrivateIPregex = @''^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'';\nlet - endtime = 1d;\nCommonSecurityLog\n| where TimeGenerated >= ago(endtime) \n| - where DeviceVendor =~ \"Cisco\"\n| where DeviceAction =~ \"denied\"\n| extend - SourceIPType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\" - )\n| where SourceIPType == \"public\"\n| summarize count() by SourceIP\n| - join (\n // Successful signins from IPs blocked by the firewall solution - are suspect\n // Include fully successful sign-ins, but also ones that - failed only at MFA 
stage\n // as that supposes the password was sucessfully - guessed.\n SigninLogs\n | where ResultType in (\"0\", \"50074\", \"50076\") - \n) on $left.SourceIP == $right.IPAddress\n| extend timestamp = TimeGenerated, - IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Cisco - - firewall block but success logon to Azure AD","description":"Correlate IPs - blocked by a Cisco firewall appliance with successful Azure Active Directory - signins. \nBecause the IP was blocked by the firewall, that same IP logging - on successfully to AAD is potentially suspect\nand could indicate credential - compromise for the user account.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219","name":"a04cf847-a832-4c60-b687-b0b6147da219","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet IPList = 
dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet - IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union - isfuzzy=true\n(CommonSecurityLog\n| where TimeGenerated >= ago(1d) \n| where - isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) - or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch - = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), - \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, - SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend - timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, - IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| - where TimeGenerated >= ago(1d) \n| where isnotempty(UserAgent) and ClientIP - in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, - UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, - AccountCustomEntity = Account, IPCustomEntity = 
SourceIP\n)\n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - Manganese IP and UserAgent activity","description":"Matches IP plus UserAgent - IOCs in OfficeActivity data, along with IP plus Connection string information - in the CommonSecurityLog data related to Manganese group activity.\nReferences: - \nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\nhttps://fortiguard.com/psirt/FG-IR-18-384","tactics":["InitialAccess","Collection"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-10-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2","name":"02ef8d7e-fc3a-4d86-a457-650fa571d8d2","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeFrame = 1d;\nlet logonDiff = 10m;\nSigninLogs \n| where TimeGenerated - >= ago(timeFrame) \n| where ResultType == \"0\" \n| where AppDisplayName !in - (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n| project - SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, - AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", - split(IPAddress, \".\")[1])\n| join kind= inner (\n SigninLogs \n | - where TimeGenerated >= ago(timeFrame) \n | where ResultType !in (\"0\", - \"50140\") \n | where ResultDescription !~ \"Other\" \n | 
where AppDisplayName - !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | - project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress - = IPAddress, AppDisplayName, ResultType, ResultDescription\n) on UserPrincipalName, - AppDisplayName \n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| - summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) - by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, - ResultDescription \n| extend timestamp = SuccessLogonTime, AccountCustomEntity - = UserPrincipalName, IPCustomEntity = SuccessIPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Successful - logon from IP and failure from a different IP","description":"Identifies when - a user account successfully logs onto an Azure App from one IP and within - 10 mins failed to logon to the same App via a different IP.\nThis may indicate - a malicious attempt at password guessing based on knowledge of the users 
account.","tactics":["CredentialAccess","InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad","name":"90d3f6ec-80fb-48e0-9937-2c70c9df9bad","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet DomainList = dynamic([\"tor2web.org\", \"tor2web.com\", - \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", - \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", - \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", - \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", - \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", - \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", - \"hiddenservice.net\"]);\nSyslog\n| where TimeGenerated >= ago(timeframe)\n| - where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ - )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), - \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), - \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User - = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort - = extract(\"(CONNECT |GET )([^ 
]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain - = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes - = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType - = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| - where HTTP_Status_Code == \"200\"\n| where Domain contains \".\"\n| where - Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity - = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Squid - proxy events for ToR proxies","description":"Check for Squid proxy events - associated with common ToR proxies. 
This query presumes the default squid - log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-07-12T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba","name":"b4ceb583-4c44-4555-8ecf-39f572e827ba","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold - = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated - hourly count of MailItemsAccessd Operation in the form of multi-value array - to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| - where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| - where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" - and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| - make-series Total=count() on TimeGenerated from startofday(ago(starttime)) - to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| - extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, - -1, ''linefit'')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), - anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| - where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, - score;\n// Joining the flagged outlier from the previous step with the original - dataset to present contextual 
information\n// during the anomalyhour to analysts - to conduct investigation or informed decisions.\nTimeSeriesAlerts | where - TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe - to retrive records associated with the hour of anomoly\n| join (\n OfficeActivity\n| - where TimeGenerated > ago(2d)\n| where OfficeWorkload=~ \"Exchange\" and Operation - =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n) on TimeGenerated","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Exchange - workflow MailItemsAccessed operation anomaly","description":"Identifies anomalous - increases in Exchange mail items accessed operations.\nThe query leverages - KQL built-in anomaly detection algorithms to find large deviations from baseline - patterns.\nSudden increases in execution frequency of sensitive actions should - be further investigated for malicious activity.\nManually change scorethreshold - from 1.5 to 3 or higher to reduce the noise based on outliers flagged from - the query criteria.\nRead more about MailItemsAccessed- 
https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed","tactics":["Collection"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-10T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25","name":"8c2ef238-67a0-497d-b1dd-5c8a0f533e25","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| - where TimeGenerated > ago(timeframe)\n| where EventName in~ (EventNameList)\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, - UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, - AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity - = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - to internet facing AWS RDS Database instances","description":"Amazon Relational - Database Service (RDS) is scalable relational database in the cloud. 
\nIf - your organization have one or more AWS RDS Databases running, monitoring changes - to especially internet facing AWS RDS (Relational Database Service) \nOnce - alerts triggered, validate if changes observed are authorized and adhere to - change control policy. \nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\nand - RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html","tactics":["Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605","name":"09551db0-e147-4a0c-9e7b-918f88847605","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", - \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", - \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet - DomainNames = dynamic([''codevexillium.org'', ''angeldonationblog.com'', ''investbooking.de'', - ''krakenfolio.com'']);\nlet SHA256Hash = dynamic([''58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495'',''e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e'',''3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9'', - ''0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4'', ''96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe'',''dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c'', - 
''46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a'', ''95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008'', - ''9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5'', ''9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3'', - ''ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720'', ''edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee'', - ''33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998'', ''3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c'', - ''b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c'', ''53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5'', - ''99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777'', ''f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef'', - ''2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da'', ''079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447'']);\nlet - SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", - \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", - \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| where isnotempty(FileHash)\n| - where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account - = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, - TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(DnsEvents - \n| where TimeGenerated >= ago(timeframe) \n| extend DNSName = Name\n| where - isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend DataType - = \"DnsEvents\", IPAddress = ClientIP\n| project Type, TimeGenerated, Computer, - IPAddress, DNSName\n),\n(VMConnection \n| where 
TimeGenerated >= ago(timeframe) - \n| parse RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| where - isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress - = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName \n),\n(Event\n//This - query uses sysmon data depending on table name used this may need updataing\n| - where TimeGenerated >= ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| - extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| - extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| - parse Hashes with * ''SHA256='' SHA256 '','' * \n| where SHA256 in~ (SHA256Hash) - \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash - = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents - \n| where TimeGenerated >= ago(timeframe) \n| where SHA256 in~ (SHA256Hash)\n| - extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, - CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, - TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents - \n| where TimeGenerated >= ago(timeframe) \n| where RemoteUrl in~ (DomainNames)\n| - extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| - project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| - where TimeGenerated >= ago(timeframe)\n| where Entities has_any (SigNames)\n| - extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, - TimeGenerated, Computer\n),\n(DeviceProcessEvents \n| where TimeGenerated - >= ago(timeframe) \n| where FileName =~ \"powershell.exe\" or FileName =~ - \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" - and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any - (tokens))\n| 
extend Computer = DeviceName, Account = AccountName, CommandLine - = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, - FileName\n),\n(SecurityEvent\n| where TimeGenerated >= ago(timeframe) \n| - where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where - (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") - or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, - Account, ProcessName, CommandLine \n)\n)\n| extend timestamp = TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity - = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - ZINC Comebacker and Klackring malware hashes","description":"ZINC attacks - against security researcher campaign malware 
hashes.","tactics":["CommandAndControl","Execution"],"lastUpdatedDateUTC":"2021-02-01T00:00:00Z","createdDateUTC":"2021-01-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceProcessEvents"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceFileEvents"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf","name":"a7427ed7-04b4-4e3b-b323-08b981b9b4bf","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n| where isnotempty(FileHashValue)\n| join (\n SecurityEvent - | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | - where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, - Event = EventID\n)\non $left.FileHashValue == $right.FileHash\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore,\nSecurityEvent_TimeGenerated, Process, - FileHash, Computer, Account, Event\n| extend timestamp = 
SecurityEvent_TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map File Hash to Security Event","description":"Identifies a match in Security - Event data from any File Hash IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6","name":"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - startdate = 1d;\nlet threshold = 15;\n// Below pulls messages from syslog-authpriv - logs where there was an authentication failure with an unknown user.\n// IP - address of system attempting logon is also extracted from the SyslogMessage - field. 
Some of these messages\n// are aggregated.\nlet authfail = Syslog\n| - where TimeGenerated >= ago(startdate) \n| where Facility =~ \"authpriv\" // - looks at authpriv messages\n| where SyslogMessage contains \"authentication - failure\" and SyslogMessage contains \" uid=0\"\n| parse SyslogMessage with - * \"rhost=\" ExternalIP\n| project TimeGenerated, Computer, ProcessName, HostIP, - ExternalIP, ProcessID; \n// Below pulls messages from syslog-authpriv logs - that show each instance an unknown user tried to logon. \nlet userfail = Syslog - \n| where TimeGenerated >= ago(startdate)\n| where Facility =~ \"authpriv\" - \n| where SyslogMessage contains \"user unknown\"\n| project TimeGenerated, - Computer, HostIP, ProcessID;\n// Join the two log messages above\nlet userauthfail - = authfail | join (userfail) on Computer, HostIP, ProcessID\n| project TimeGenerated, - Computer, HostIP, ExternalIP, ProcessID ;\n// Extract the EventTime of the - first logon attempt\nlet firstfail = userauthfail\n| summarize arg_min(TimeGenerated, - *) by Computer, ExternalIP\n| project Computer, ExternalIP, FirstLogonAttempt - = TimeGenerated;\n// Extract the EventTime of the last logon attempt\nlet - lastfail = userauthfail\n| summarize arg_max(TimeGenerated, *) by Computer, - ExternalIP\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\n// - Join first and last logon attempt data and calculate the time between them - (AttemptPeriodLength).\nlet faildates = firstfail | join (lastfail) on Computer, - ExternalIP\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, - TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\n// Count - the number of failed logon attempts by External IP and internal machine\nlet - totalfails = userauthfail\n| summarize StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, - Computer, HostIP\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, - 
HostIP, TotalLogonAttempts;\n// Combine total attempts with timing data from - above\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\n| - project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost - = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, - LatestLogonAttempt, TimeBetweenLogonAttempts\n| order by DestinationHost asc - nulls last;\nfinalfails \n| where TotalLogonAttempts >= threshold\n| extend - timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity - = DestinationIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - logon attempts in authpriv","description":"Identifies failed logon attempts - from unknown users in Syslog authpriv logs. The unknown user means the account - that tried to log in \nisn''t provisioned on the machine. A few hits could - indicate someone attempting to access a machine they aren''t authorized to - access. \nIf there are many of hits, especially from outside your network, - it could indicate a brute force attack. 
\nDefault threshold for logon attempts - is 15.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00","name":"a22740ec-fc1e-4c91-8de6-c29c6450ad00","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"SigninLogs\n| - where ResultType == 500121\n| where Status has \"MFA Denied; user declined - the authentication\"\n| extend AccountCustomEntity = AlternateSignInName\n| - extend IPCustomEntity = IPAddress\n| extend URLCustomEntity = ClientAppUsed","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Explicit - MFA Deny","description":"User explicitly denies MFA push, indicating that - login was not expected and the account''s password may be 
compromised.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-10-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c","name":"68271db2-cbe9-4009-b1d3-bb3b5fe5713c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - detectionTime = 30d;\nlet User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT - 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 - (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) - Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; - x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; - Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", - \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like - Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where TimeGenerated - > ago(detectionTime)\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", - \"AzureActiveDirectoryStsLogon\") \n| where Operation != ''UserLoggedIn''\n| - extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", - extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand - parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| - extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent - =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), - firstAttempt=min(TimeGenerated), 
lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), - uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| - where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts","queryFrequency":"P7D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Possible - STRONTIUM attempted credential harvesting - Oct 2020","description":"Surfaces - potential STRONTIUM group Office365 credential harvesting attempts within - OfficeActivity Logon events.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-09T00:00:00Z","createdDateUTC":"2020-09-10T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6","name":"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.0","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":[{"prioritize":null,"exclude":".txt,.jpg,.mp4","dataType":"string","name":"File - extension","description":"Give comma separated file extension to exclude from - source data within double quotes, example: \".txt,.jpg,.mp4\"","sequenceNumber":2,"rerun":"RerunAlways"}],"thresholdObservations":[{"minimum":"5","maximum":"100","value":"10","name":"Minimum - number of downgrades","description":"Generate an anomaly when number of downgrade - label is greater than the chosen value","sequenceNumber":1,"rerun":"RerunAlways"}]},"frequency":"P1D","displayName":"(Preview) - Unusual mass downgrade AIP 
label","description":"This algorithm detects unusual - high volume of downgrade label activity in Azure Information Protection (AIP) - logs.\nIt considers \"AIP\" workload records for a given number of days and - determines the sequence of activity performed on documents along with the - label applied to classify unusual volume of downgrade activity.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-18T00:00:00Z","createdDateUTC":"2020-11-18T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureInformationProtection","dataTypes":["InformationProtectionLogs_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6","name":"8ee967a2-a645-4832-85f4-72b635bcb3a6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\n//Adjust this threshold to fit the environment\nlet signin_threshold - = 5;\n//Make a list of all IPs with failed signins to AAD above our threshold\nlet - suspicious_signins =\nSigninLogs\n| where TimeGenerated >= ago(timeframe)\n| - where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress != \"127.0.0.1\"\n| - summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize - make_list(IPAddress);\n//See if any of these IPs have sucessfully logged into - *nix hosts\nlet linux_logons =\nSyslog\n| where TimeGenerated >= ago(timeframe)\n| - where Facility contains \"auth\" and ProcessName != \"sudo\"\n| where SyslogMessage - has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| - where SourceIP in (suspicious_signins)\n| extend Reason = \"Multiple failed - AAD logins from IP address\"\n| project 
TimeGenerated, Computer, HostIP, IpAddress - = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\n//See if any of - these IPs have sucessfully logged into Windows hosts\nlet win_logons =\nSecurityEvent\n| - where TimeGenerated >= ago(timeframe)\n| where EventID == 4624\n| where LogonType - in (10, 7, 3)\n| where IpAddress != \"-\"\n| where IpAddress in (suspicious_signins)\n| - extend Reason = \"Multiple failed AAD logins from IP address\"\n| project - TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, - IpAddress, LogonTypeName, TargetUserSid, Reason;\nunion isfuzzy=true linux_logons,win_logons\n| - extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity - = IpAddress, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - AzureAD logons but success logon to host","description":"Identifies a list - of IP addresses with a minimum number (default of 5) of failed logon attempts - to Azure Active Directory.\nUses that list to identify any successful remote - logons to hosts from these IPs within the same 
timeframe.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9","name":"543c9254-eb6f-4fdd-858d-783e0e3d5cb9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.0","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":[{"prioritize":null,"exclude":".msg,.jpg,.txt","dataType":"string","name":"File - extension","description":"Give comma separated file extension to exclude from - source data, for example: .txt,.jpg,.mp4","sequenceNumber":2,"rerun":"RerunAlways"}],"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.9","name":"Score","description":"Generate - an anomaly when the error percentile is greater than chosen value","sequenceNumber":1,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Suspicious number of protected documents accessed","description":"This algorithm - is to detect high volume of access to protected documents in Azure Information - Protection (AIP) logs. 
\nIt considers AIP workload records for a given number - of days and determines whether the user performed unusual access to protected - documents in a day given his/her historical behavior.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-02-24T00:00:00Z","createdDateUTC":"2021-02-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureInformationProtection","dataTypes":["InformationProtectionLogs_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54","name":"4a3073ac-7383-48a9-90a8-eb6716183a54","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", - @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", - @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", - @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", - @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nDeviceProcessEvents\n| where InitiatingProcessFileName - =~ \"solarwinds.businesslayerhost.exe\"\n| where not(FolderPath has_any (excludeProcs))\n| - extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), - InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity - = DeviceName,\n FileHashCustomEntity = 
MD5","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"FileHash","fieldMappings":[{"identifier":"Algorithm","columnName":"MD5"},{"identifier":"Value","columnName":"FileHashCustomEntity"}]}],"displayName":"SUNBURST - suspicious SolarWinds child processes","description":"Identifies suspicious - child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence - of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f","tactics":["Execution","Persistence"],"lastUpdatedDateUTC":"2021-01-31T00:00:00Z","createdDateUTC":"2020-12-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceProcessEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf","name":"6c360107-f3ee-4b91-9f43-f4cfd90441cf","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe) \n| - where EventID == 4738\n// 2089 value indicates the Don''t Expire Password - value has been set\n| where UserAccountControl has \"%%2089\" \n| extend Value_2089 - = iff(UserAccountControl has \"%%2089\",\"''Don''t Expire Password'' - Enabled\", - \"Not Changed\")\n// 2050 indicates that the Password 
Not Required value is - NOT set, this often shows up at the same time as a 2089 and is the recommended - value. This value may not be in the event. \n| extend Value_2050 = iff(UserAccountControl - has \"%%2050\",\"''Password Not Required'' - Disabled\", \"Not Changed\")\n// - If value %%2082 is present in the 4738 event, this indicates the account has - been configured to logon WITHOUT a password. Generally you should only see - this value when an account is created and only in Event 4720: Account Creation - Event. \n| extend Value_2082 = iff(UserAccountControl has \"%%2082\",\"''Password - Not Required'' - Enabled\", \"Not Changed\")\n| project StartTime = TimeGenerated, - EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, - Value_2089, Value_2050, Value_2082, SubjectAccount\n| extend timestamp = StartTime, - AccountCustomEntity = TargetAccount, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"TargetSid"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"AD - account with Don''t Expire Password","description":"Identifies whenever a - user account has the setting \"Password Never Expires\" in the user account - properties selected.\nThis is indicated in Security event 4738 in the EventData - item labeled UserAccountControl with an included value of %%2089.\n%%2089 - resolves to \"Don''t Expire Password - 
Enabled\".","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-01-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0","name":"2ca4e7fc-c61a-49e5-9736-5da8035c47e0","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 8;\nCarbonBlackNotifications_CL\n| where - TimeGenerated > timeframe\n| where threatHunterInfo_score_d >= threshold\n| - extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) - * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name - = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, - External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| - project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, - IPCustomEntity = Internal_IP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Critical - Threat Detected","description":"This creates an incident in the event a critical - threat was identified on a Carbon Black managed 
endpoint.","tactics":["LateralMovement"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"VMwareCarbonBlack","dataTypes":["CarbonBlackNotifications_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4","name":"4acd3a04-2fad-4efc-8a4b-51476594cec4","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - triThreshold = 500;\nlet startTime = 6h;\nlet dgaLengthThreshold = 8;\n// - fetch the alexa top 1M domains\nlet top1M = (externaldata (Position:int, - Domain:string) [@\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\"] with - (format=\"csv\", zipPattern=\"*.csv\"));\n// extract tri grams that are above - our threshold - i.e. 
are common\nlet triBaseline = top1M\n| extend Domain - = tolower(extract(\"([^.]*).{0,7}$\", 1, Domain))\n| extend AllTriGrams = - array_concat(extract_all(\"(...)\", Domain), extract_all(\"(...)\", substring(Domain, - 1)), extract_all(\"(...)\", substring(Domain, 2)))\n| mvexpand Trigram=AllTriGrams\n| - summarize triCount=count() by tostring(Trigram)\n| sort by triCount desc\n| - where triCount > triThreshold\n| distinct Trigram;\n// collect domain information - from common security log, filter and extract the DGA candidate and its trigrams\nlet - allDataSummarized = CommonSecurityLog\n| where TimeGenerated > ago(startTime)\n| - where isnotempty(DestinationHostName)\n| extend Name = tolower(DestinationHostName)\n| - distinct Name\n| where Name has \".\"\n| where Name !endswith \".home\" and - Name !endswith \".lan\"\n// extract DGA candidate\n| extend DGADomain = extract(\"([^.]*).{0,7}$\", - 1, Name)\n| where strlen(DGADomain) > dgaLengthThreshold\n// throw out domains - with number in them\n| where DGADomain matches regex \"^[A-Za-z]{0,}$\"\n// - extract the tri grams from summarized data\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", - DGADomain), extract_all(\"(...)\", substring(DGADomain, 1)), extract_all(\"(...)\", - substring(DGADomain, 2)));\n// throw out domains that have repeating tri''s - and/or >=3 repeating letters\nlet nonRepeatingTris = allDataSummarized\n| - join kind=leftanti\n(\n allDataSummarized\n | mvexpand AllTriGrams\n | - summarize count() by tostring(AllTriGrams), DGADomain\n | where count_ - > 1\n | distinct DGADomain\n)\non DGADomain;\n// find domains that do not - have a common tri in the baseline\nlet dataWithRareTris = nonRepeatingTris\n| - join kind=leftanti\n(\n nonRepeatingTris\n | mvexpand AllTriGrams\n | - extend Trigram = tostring(AllTriGrams)\n | distinct Trigram, DGADomain\n | - join kind=inner\n (\n triBaseline\n )\n on Trigram\n | - distinct DGADomain\n)\non DGADomain;\ndataWithRareTris\n// join DGAs back - on 
connection data\n| join kind=inner\n(\n CommonSecurityLog\n | where - TimeGenerated > ago(startTime)\n | where isnotempty(DestinationHostName)\n | - extend DestinationHostName = tolower(DestinationHostName)\n | project-rename - Name=DestinationHostName, DataSource=DeviceVendor\n | summarize StartTime=min(TimeGenerated), - EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\n)\non - Name\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, - DataSource\n| extend timestamp=StartTime, IPCustomEntity=SourceIP","queryFrequency":"PT6H","queryPeriod":"PT6H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"DNS","fieldMappings":[{"identifier":"DomainName","columnName":"Name"}]}],"displayName":"Possible - contact with a domain generated by a DGA","description":"Identifies contacts - with domains names in CommonSecurityLog that might have been generated by - a Domain Generation Algorithm (DGA). DGAs can be used\nby malware to generate - rendezvous points that are difficult to predict in advance. This detection - uses the Alexa Top 1 million domain names to build a model\nof what normal - domains look like. 
It uses this to identify domains that may have been randomly - generated by an algorithm.\nThe triThreshold is set to 500 - increase this - to report on domains that are less likely to have been randomly generated, - decrease it for more likely.\nThe start time and end time look back over 6 - hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose - length is 8 or more are reported.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2020-03-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Zscaler","dataTypes":["CommonSecurityLog"]},{"connectorId":"Barracuda","dataTypes":["CommonSecurityLog"]},{"connectorId":"CEF","dataTypes":["CommonSecurityLog"]},{"connectorId":"CheckPoint","dataTypes":["CommonSecurityLog"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"F5","dataTypes":["CommonSecurityLog"]},{"connectorId":"Fortinet","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425","name":"78422ef2-62bf-48ca-9bab-72c69818a425","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\nSecurityEvent\n| - where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType - == 10\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet - = makeset(ProcessName) \nby Account, IpAddress, AccountType, Activity, LogonTypeName\n| - join kind=inner (\nSecurityEvent\n| where TimeGenerated >= 
ago(starttime) - and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == - 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\n) - on Account, IpAddress\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\n// - Where the ratio of today to previous 7 days is more than double.\n| where - Ratio > threshold\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, - ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, - Activity, LogonTypeName, ProcessSet\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = Account, IPCustomEntity = IpAddress","queryFrequency":"P1D","queryPeriod":"P8D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Multiple - RDP connections from Single System","description":"Identifies when an RDP - connection is made to multiple systems and above the normal for the previous - 7 days. 
\nConnections from the same system with the same account within the - same day.\nRDP connections are indicated by the EventID 4624 with LogonType - = 10","tactics":["LateralMovement"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-10-21T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc","name":"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n SecurityAlert | where TimeGenerated - >= ago(dt_lookBack)\n // Converting Entities into dynamic data type and - use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) - | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to - filter type account and creating new column by combining account and UPNSuffix\n | - extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName - = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = - tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype - =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", - EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | - extend SecurityAlert_TimeGenerated = TimeGenerated\n)\non 
$left.EmailRecipient - == $right.EntityEmail\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\nEmailSenderName, - EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, - EntityEmail, AlertName, AlertType,\nAlertSeverity, Entities, ProviderName, - VendorName\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity - = EntityEmail, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to SecurityAlert","description":"Identifies a match in - SecurityAlert table from any Email IOC from TI which will extend coverage - to datatypes such as MCAS, StorageThreatProtection and many others","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureSecurityCenter","dataTypes":["SecurityAlert"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f","name":"5d33fc63-b83b-4913-b95e-94d13f0d379f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - 
dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches - against both lower case and uppercase versions of the hash:\n( fileHashIndicators - | extend FileHashValue = tolower(FileHashValue)\n |union (fileHashIndicators - | extend FileHashValue = toupper(FileHashValue)))\n| join (\n CommonSecurityLog - | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | - extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.FileHashValue - == $right.FileHash\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, - SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, - DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, - ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, - IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity - = SourceUserName, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map File Hash to CommonSecurityLog Event","description":"Identifies a match - in CommonSecurityLog Event data from any FileHash IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691","name":"00282588-11e7-436d-90e8-011256c3c691","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = ago(1h);\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where - TimeGenerated >= timeframe\n| where modelSeverity_s == ''medium'' or modelSeverity_s == - ''low''\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity - = impactScope_hostname_s, IPCustomEntity = impactScope_host_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Create - Incident for XDR Alerts (Medium & Low)","description":"This Query creates - an incident based on Trend Micro XDR Workbench Alerts and maps the impacted - entities for Azure Sentinel usage. 
(Medium & Low Serverity Alerts)","lastUpdatedDateUTC":"2020-12-10T00:00:00Z","createdDateUTC":"2020-12-10T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"TrendMicroXDR","dataTypes":["TrendMicro_XDR_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178","name":"46ac55ae-47b8-414a-8f94-89ccd1962178","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - mode = ''Blocked''; \nlet successCode = dynamic([''200'', ''101'',''204'', - ''400'',''504'',''304'',''401'',''500'']);\nlet minTime = ago(1d);\nlet maxSessionWindow - = 1h;\nlet sessionBin = maxSessionWindow/2.0;\nAzureDiagnostics\n| where TimeGenerated - > minTime\n| where Category == ''ApplicationGatewayFirewallLog''\n| where - action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated - asc\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, - 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| - summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by - hostname_s, clientIp_s, SessionStarted\n| extend duration = maxTime - minTime\n| - extend TimeKey = bin(SessionStarted, sessionBin)\n| join kind = inner(\nAzureDiagnostics\n| - where TimeGenerated > minTime\n| where Category == ''ApplicationGatewayAccessLog''\n| - where httpStatus_d in (successCode) or isempty(httpStatus_d)\n| extend TimeKey - = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, - sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n) on $left.hostname_s - == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\n| where - (TimeGenerated - SessionStarted) between 
(0m .. duration)\n| extend originalRequestUriWithArgs_s - = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")\n| extend serverStatus_s - = column_ifexists(\"serverStatus_s\", \"\")\n| extend timestamp = SessionStarted, - IPCustomEntity = clientIP_s\n| summarize SuccessfulAccessLogCount = count(), - UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , - OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \nSuccessCodes - = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) - by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\n| extend BlockvsSuccessRatio - = SessionBlockedCount/SuccessfulAccessLogCount\n| sort by BlockvsSuccessRatio - desc, timestamp asc\n| where SessionBlockedCount > SuccessfulAccessLogCount","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"A - potentially malicious web request was executed against a web server","description":"Detects - unobstructed Web Application Firewall (WAF) activity in sessions where the - WAF blocked incoming requests by computing the \nratio between blocked requests - and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). - A high ratio value for \na given client IP and hostname calls for further - investigation of the WAF data in that session, due to the significantly high - number \nof blocked requests and a few unobstructed logs which may be malicious - but have passed undetected through the WAF. 
The successCode \nvariable defines - what the detection thinks is a successful status code, and should be altered - to fit the environment.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-01-20T00:00:00Z","createdDateUTC":"2020-11-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"WAF","dataTypes":["AzureDiagnostics"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d","name":"4d500e6d-c984-43a3-9f39-7edec8dcc04d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeRange = 1d;\nlet scriptExtensions = dynamic([\".php\", \".aspx\", \".asp\", - \".cfml\"]);\n//The number of URI''s seen to be suspicious, higher = less - likely to be suspicious\nlet uriThreshold = 1;\nCommonSecurityLog\n| where - TimeGenerated >= ago(timeRange)\n// Only look at connections that were allowed - through the web proxy\n| where DeviceVendor =~ \"Zscaler\" and DeviceAction - =~ \"Allowed\"\n// Only look where some data was exchanged.\n| where SentBytes - > 0 and ReceivedBytes > 0\n// Extract the Domain\n| extend Domain = iff(countof(DestinationHostName,''.'') - >= 2, strcat(split(DestinationHostName,''.'')[-2], ''.'',split(DestinationHostName,''.'')[-1]), - DestinationHostName)\n| extend GetData=iff(RequestURL == \"?\", 1, 0)\n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), - makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), - max(GetData), max(RequestContext) by Domain\n// Determine the number of URIs - that have been visited for the domain\n| extend destinationURI = arraylength(list_RequestURL)\n| - where destinationURI <= uriThreshold\n| where 
tostring(list_RequestURL) has_any(scriptExtensions)\n//Remove - matches with referer\n| where max_RequestContext == \"\"\n//Keep requests - where data was trasferred either in a GET with parameters or a POST\n| where - set_RequestMethod in~ (\"POST\") or max_GetData == 1\n//Defeat email click - tracking, may increase FN''s while decreasing FP''s\n| where list_RequestURL - !has \"click\" and set_RequestMethod !has \"GET\"\n| mvexpand list_RequestURL, - list_DestinationIP\n| extend RequestURL = tostring(list_RequestURL), DestinationIP - = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\n//Extend - custom entitites for incidents\n| extend timestamp = StartTimeUtc, IPCustomEntity - = DestinationIP\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, - destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Request - for single resource on domain","description":"This will look for connections - to a domain where only a single file is requested, this is unusual as most - modern web applications require additional recources. This type of activity - is often assocaited with malware beaconing or tracking URL''s delivered in - emails. 
Developed for Zscaler but applicable to any outbound web logging.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-03-17T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Zscaler","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256","name":"155f40c6-610d-497d-85fc-3cf06ec13256","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\", - 
\n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"session-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"sessio
n-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet - IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = ''[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}'';\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| - parse Message with * ''('' DNSName '')'' * \n| extend MessageIP = extract(IPRegex, - 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where - (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) - and DestinationIP in (IPList)) \nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) - or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) - or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP - in (IPList))) \nor (isnotempty(Message) and MessageIP in (IPList))\n| extend - IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), - \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), - \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated , IPCustomEntity - = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch - == \"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), - Account = SourceUserID, Host = DeviceName\n),\n(DnsEvents \n| where TimeGenerated - >= ago(timeframe) \n| extend DestinationIPAddress = IPAddresses, DNSName = - Name, Host = Computer\n| where DestinationIPAddress in (IPList) or DNSName 
- in~ (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, - HostCustomEntity = Host),\n(VMConnection \n| where TimeGenerated >= ago(timeframe) - \n| parse RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| where - isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\n| - where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\n| - extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in - (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated - , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", - DestinationIP, \"None\"), Host = Computer),\n(OfficeActivity\n| where TimeGenerated - >= ago(timeframe)\n| extend SourceIPAddress = ClientIP, Account = UserId\n| - where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity - = SourceIPAddress , AccountCustomEntity = Account )\n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - Phosphorus group domains/IP","description":"Matches domain name IOCs related - to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity - and VMConnection dataTypes.\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2020-10-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c","name":"8675dd7a-795e-4d56-a79c-fc848c5ee61c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nProofPointTAPClicksPermitted_CL\n| where TimeGenerated - >= timeframe\n| where classification_s =~ \"malware\"\n| summarize StartTime - = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, - Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, - TimeClicked = clickTime_t, URLClicked = url_s\n| extend timestamp = StartTime, - AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity - = URLClicked","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Malware - Link Clicked","description":"This query 
identifies a user clicking on an email - link whose threat category is classified as a malware","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ProofpointTAP","dataTypes":["ProofPointTAPClicksPermitted_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c","name":"fbfbf530-506b-49a4-81ad-4030885a195c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions - that suit your web application environment - a sample are provided below\nlet - scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", - \".asax\", \".cfm\", \".shtml\"]); \nlet alertData = materialize(SecurityAlert - \n| where TimeGenerated > ago(alertTimeWindow) \n| where ProviderName == \"MDATP\" - \n// Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) - \n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script - files from MDATP alerts - our malicious web scripts - candidate webshells\n| - where alertData.Type =~ \"file\" \n| where alertData.Name has_any(scriptExtensions) - \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet - hostData = alertData\n// Extract server details from alerts and map to alert - id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), - DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, - DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet - webshellData = fileData\n| join kind=inner 
(hostData) on SystemAlertId \n| - project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| - join ( \n// Find requests that were made to this file on the impacted server - in the W3CIISLog table \nW3CIISLog \n| where TimeGenerated > ago(logTimeWindow) - \n// Restrict to accesses to script extensions \n| where csUriStem has_any(scriptExtensions)\n| - extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1], - HostName = sComputerName\n// Summarize potential attacker activity\n| summarize - count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), - ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), - RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) - by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), - HostName \n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, - RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, - RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n// - Expose the attacker ip address as a custom entity\n| extend timestamp=StartTime, - IPCustomEntity = AttackerIP, HostCustomEntity = HostName","queryFrequency":"PT1H","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Malicious - web application requests linked with Microsoft Defender for Endpoint (formerly - Microsoft Defender ATP) alerts","description":"Takes Microsoft Defender for - Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present - in the evidence and correlates with requests made to those scripts\nin the - WCSIISLog to surface 
new alerts for potentially malicious web request activity.\nThe - lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to - 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions - that should be tailored to your environment.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-19T00:00:00Z","createdDateUTC":"2020-05-21T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftDefenderAdvancedThreatProtection","dataTypes":["SecurityAlert"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff","name":"03e04c97-8cae-48b3-9d2f-4ab262e4ffff","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", - \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where Message contains - \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^'']*)\",2,Message)\n| - extend Extension = strcat(\".\",split(file, \".\")[-1])\n| extend InteractiveFile - = iif(ext in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following - line to alert only on interactive file download type\n//| where InteractiveFile - =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"HAFNIUM - Suspicious File Downloads.","description":"This query looks for messages related - to file downloads of 
suspicious file types. This query uses the Exchange HttpProxy - AOBGeneratorLog, you will need to onboard this log as a custom log under the - table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-03-02T00:00:00Z","createdDateUTC":"2021-03-02T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce","name":"194dd92e-d6e7-4249-85a5-273350a7f5ce","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nOfficeActivity\n| where TimeGenerated >= ago(timeframe)\n| - where UserType in~ (\"Admin\",\"DcAdmin\") \n// Only admin or global-admin - can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\" - \n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| - where AdminAuditLogEnabledValue =~ \"False\" \n| summarize StartTimeUtc = - min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() - by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity - = ClientIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Exchange - AuditLog disabled","description":"Identifies when 
the exchange audit logging - has been disabled which may be an adversary attempt\nto evade detection or - avoid other defenses.","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-04-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60","name":"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID - = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet - AC_Add = \nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n// Event - ID related to member addition.\n| where EventID in (4728, 4732,4756) \n| where - TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| - parse EventData with * ''\"MemberName\">'' AccountAdded \",OU\" * \n| where - isnotempty(AccountAdded)\n| extend GroupAddedTo = TargetUserName, AddingAccount - = Account \n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, - \"||\", GroupAddedTo, \"||\", AddingAccount )\n| project AccountAdded_GroupAddedTo_AddingAccount, - AccountAddedTime = TimeGenerated;\nlet AC_Remove = \nSecurityEvent\n| where - TimeGenerated >= ago(timeframe)\n// Event IDs related to member removal.\n| - where EventID in (4729,4733,4757)\n| where TargetSid matches regex WellKnownLocalSID - or TargetSid matches regex WellKnownGroupSID \n| parse 
EventData with * ''\"MemberName\">'' - AccountRemoved \",OU\" * \n| where isnotempty(AccountRemoved)\n| extend GroupRemovedFrom - = TargetUserName, RemovingAccount = Account\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount - = strcat(AccountRemoved, \"||\", GroupRemovedFrom, \"||\", RemovingAccount)\n| - project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime - = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \nRemovedByUser - = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom - = TargetUserName, TargetDomainName; \nAC_Add \n| join kind= inner AC_Remove - on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount - \n| extend DurationinSecondAfter_Removed = datetime_diff (''second'', AccountRemovedTime, - AccountAddedTime)\n| where DurationinSecondAfter_Removed > 0\n| project-away - AccountRemoved_GroupRemovedFrom_RemovingAccount\n| extend timestamp = AccountAddedTime, - AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Account - added and removed from privileged groups","description":"Identifies accounts - that are added to privileged group and then quickly removed, which could be - a sign of compromise.'' 
","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-04-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17","name":"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", - 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", - \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", - \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| - where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter - SeverityTable on Severity\n| order by Level","queryFrequency":"PT2H","queryPeriod":"PT2H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Alsid - Password issues","description":"Searches for triggered Indicators of Exposures - related to password 
issues","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-07T00:00:00Z","createdDateUTC":"2020-11-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AlsidForAD","dataTypes":["AlsidForADLog_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9","name":"95a15f39-d9cc-4667-8cdd-58f3113691c9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - lookback = 14d;\nlet timeframe = 1d;\nSecurityEvent\n| where TimeGenerated - > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| - where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| - join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| - where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| - where EventID == 4688) on NewProcessName\n| extend timestamp = TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity - = IpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"HAFNIUM - New UM Service Child Process","description":"This query looks for new processes - being spawned by the Exchange UM service where that process has not previously - been observed before. 
\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-03-02T00:00:00Z","createdDateUTC":"2021-03-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a","name":"7cb8f77d-c52f-4e46-b82f-3cf2e106224a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - lookBack_long = 14d;\nlet lookBack_med = 7d;\nlet lookBack = 1d;\nSigninLogs\n| - where TimeGenerated >= startofday(ago(lookBack_long))\n| extend locationString - = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), - \"/\", tostring(LocationDetails[\"city\"]), \";\") \n| project TimeGenerated, - AppDisplayName , UserPrincipalName, locationString \n// Create time series - \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in - range(startofday(ago(lookBack_long)),now(), 1d) \nby UserPrincipalName, AppDisplayName - \n// Compute best fit line for each entry \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) - \n// Chart the 3 most interesting lines \n// A 0-value slope corresponds - to an account being completely stable over time for a given Azure Active Directory - application\n| where Slope > 0.3\n| top 50 by Slope desc\n| join kind = leftsemi - (\nSigninLogs\n| where TimeGenerated >= startofday(ago(lookBack_med))\n| extend - locationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", - tostring(LocationDetails[\"state\"]), \"/\", 
tostring(LocationDetails[\"city\"]), - \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString - \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in - range(startofday(ago(lookBack_med)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName - \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) - \n| top 50 by Slope desc\n| where Slope > 0.3\n) on UserPrincipalName, AppDisplayName\n| - join kind = leftsemi (\nSigninLogs\n| where TimeGenerated >= startofday(ago(lookBack))\n| - extend locationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), - \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), - \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString - \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in - range(startofday(ago(lookBack)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName - \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) - \n| top 50 by Slope desc\n// Higher threshold requirement on last day anomaly\n| - where Slope > 5\n) on UserPrincipalName, AppDisplayName\n| extend timestamp - = TimeGenerated, AccountCustomEntity = UserPrincipalName","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"Anomalous - sign-in location by user account and authenticating application","description":"This - query over Azure Active Directory sign-in considers all user sign-ins for - each Azure Active \nDirectory application and picks out the most anomalous - change in location profile for a user within an \nindividual application. 
- An alert is generated for recent sign-ins that have location counts that are - anomalous\nover last day but also over the last 7-day and 14-day periods.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1","name":"79f29feb-6a9d-4cdf-baaa-2daf480a5da1","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1h;\nlet last1h = CommonSecurityLog \n| where TimeGenerated >= - ago(timeframe)\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID - == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, - \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend - DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend - CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is - \")\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" - \")[0])\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend - CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is - \")\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" - \")[0])\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend - CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is - \")[1])\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec - = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) - 
by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlet - prev6h = CommonSecurityLog \n| where TimeGenerated between (ago(6h) .. ago(1h))\n| - where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| - extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ - \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate - = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate - = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend - prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" - \")[0])\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| - extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is - \")\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" - \")[0])\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend - prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is - \")[1])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), - prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \nby DeviceName, - DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlast1h | join - (\n prev6h \n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, - DropRate\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, - SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, - prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, - last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\n// Select only events - that indicate a doubling of the expected rate in the last hour over the previous - 6 hours\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec - > 
2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\n| - extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity - = DeviceName","queryFrequency":"PT1H","queryPeriod":"PT6H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Cisco - ASA - average attack detection rate increase","description":"This will help - you determine if Cisco ASA devices are under heavier attack than normal over - the last hour versus the previous 6 hours based on DeviceEventClassID 733100\nReferences: - https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails - on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html","tactics":["Discovery","Impact"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a","name":"7b907bf7-77d4-41d0-a208-5643ff75bf9a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", - \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not - open\", \"hijacked\", \"Fatal\"]);\nOfficeActivity\n| where TimeGenerated - >= ago(timeframe)\n| where Operation =~ 
\"New-InboxRule\"\n| where Parameters - has \"Deleted Items\" or Parameters has \"Junk Email\" \n| extend Events=todynamic(Parameters)\n| - parse Events with * \"SubjectContainsWords\" SubjectContainsWords ''}''*\n| - parse Events with * \"BodyContainsWords\" BodyContainsWords ''}''*\n| parse - Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords ''}''*\n| - where SubjectContainsWords has_any (Keywords)\n or BodyContainsWords has_any - (Keywords)\n or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress - = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has - \"[\", tostring(trim_start(@''[[]'',tostring(split(ClientIP,\"]\")[0]))), - ClientIP )\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, - (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords - )))\n| extend RuleDetail = case(OfficeObjectId contains ''/'' , tostring(split(OfficeObjectId, - ''/'')[-1]) , tostring(split(OfficeObjectId, ''\\\\'')[-1]))\n| summarize - count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, - OfficeObjectId, RuleDetail\n| extend timestamp = StartTimeUtc, IPCustomEntity - = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Malicious - Inbox Rule","description":"Often times after the initial compromise the attackers - create inbox rules to delete emails that contain certain keywords. 
\n This - is done so as to limit ability to warn compromised users that they''ve been - compromised. Below is a sample query that tries to detect this.\nReference: - https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/","tactics":["Persistence","DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-03-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e","name":"6d7214d9-4a28-44df-aafb-0910b9e6ae3e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"AzureActivity\n| - extend message = tostring(parse_json(Properties).message)\n| extend AppId - = tostring(parse_json(Claims).appid)\n| where AppId contains \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\"\n| - where OperationName =~ \"Microsoft.Portal/consoles/write\"\n| extend timestamp - = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"New - CloudShell User","description":"Identifies when a user creates an Azure CloudShell - for the first time.\nMonitor this activity to ensure only expected user are - using 
CloudShell","tactics":["Execution"],"lastUpdatedDateUTC":"2020-12-19T00:00:00Z","createdDateUTC":"2020-12-17T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7","name":"cf3ede88-a429-493b-9108-3e46d3c741f7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeRange = 6h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold - = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID - == 4624 or EventID == 4625\n| where IpAddress != \"-\" and isnotempty(Account)\n| - extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes - into 5 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() - by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n| project - TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort - ready for sessionizing - by account and time of the authentication outcome\n| - sort by Account asc, TimeGenerated asc\n| serialize \n// sessionize into failure - groupings until either the account changes or there is a success\n| extend - SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, - Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures - in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, - Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), - makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, - Account\n// the session must not start with a success, and must end with one\n| - where 
array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, - \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, - list_Outcome \n// where the number of failures before the success is above - the threshold \n| where FailureCountBeforeSuccess >= authenticationThreshold\n// - expand out ip and computer for customer entity assignment\n| mvexpand set_IpAddress, - set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| - extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, - IPCustomEntity=IpAddress","queryFrequency":"PT6H","queryPeriod":"PT6H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"SecurityEvent - - Multiple authentication failures followed by a success","description":"Identifies - accounts who have failed to logon to the domain multiple times in a row, followed - by a successful authentication\nwithin a short time frame. 
Multiple failed - attempts followed by a success can be an indication of a brute force attempt - or\npossible mis-configuration of a service account within an environment.\nThe - lookback is set to 6h and the authentication window and threshold are set - to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a - success for an account within 1 hour to surface an alert.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-04-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346","name":"7a58b253-0ef2-4248-b4e5-c350f15a8346","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = ago(1h);\nlet threshold = 100;\nSymantecProxySG \n| where TimeGenerated - >= timeframe\n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime - = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| - where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity - = cs_host, IPCustomEntity = c_ip","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Excessive - Denied Proxy Traffic","description":"This alert creates an incident when a - client generates an excessive amounts of denied proxy 
traffic.","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SymantecProxySG","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04","name":"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet threshold = 3;\nSigninLogs\n| where TimeGenerated >= - ago(timeframe)\n| where ResultType == \"50057\"\n| where ResultDescription - =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - count(), applicationCount = dcount(AppDisplayName), \napplicationSet = makeset(AppDisplayName) - by UserPrincipalName, IPAddress\n| where applicationCount >= threshold\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, - IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Attempts - to sign in to disabled accounts","description":"Identifies failed attempts - to sign in to disabled accounts across multiple Azure Applications.\nDefault - threshold for Azure Applications attempted to sign in to is 3.\nReferences: - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - - User account is disabled. 
The account has been disabled by an administrator.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55","name":"32555639-b639-4c2b-afda-c0ae0abefa55","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated > ago(timeframe)\n| - where EventName =~ \"GetCallerIdentity\" and UserIdentityType =~ \"AssumedRole\" - \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) - by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, - UserIdentityPrincipalid, \nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, - EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, - AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n| - sort by EndTimeUtc desc nulls last","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Monitor - AWS Credential abuse or hijacking","description":"Looking for GetCallerIdentity - Events where the UserID Type is AssumedRole \nAn attacker who has assumed - the role of a legitimate account can call the GetCallerIdentity function to - determine what account they are using.\nA legitimate user 
using legitimate - credentials would not need to call GetCallerIdentity since they should already - know what account they are using.\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\nAWS - STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html - ","tactics":["Discovery"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e","name":"910124df-913c-47e3-a7cd-29e1643fa55e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"//Adjust - this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list - of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where - TimeGenerated >= ago(1d)\n| where EventName == \"ConsoleLogin\"\n| extend - LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where - LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize - count() by SourceIpAddress\n| where count_ > signin_threshold\n| summarize - make_list(SourceIpAddress);\n//See if any of those IPs have sucessfully logged - into Azure AD.\nSigninLogs\n| where TimeGenerated >= ago(1d)\n| where ResultType - !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails) \n| extend - Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend - timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity - = 
IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - AWS Console logons but success logon to AzureAD","description":"Identifies - a list of IP addresses with a minimum numbe(default of 5) of failed logon - attempts to AWS Console.\nUses that list to identify any successful Azure - Active Directory logons from these IPs within the same timeframe.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90","name":"fb0f4a93-d8ad-4b54-9931-85bdb7550f90","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nSymantecProxySG\n| where TimeGenerated >= timeframe\n| - mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", - \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| - extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity - = c_ip, HostCustomEntity = 
Computer","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"User - Accessed Suspicious URL Categories","description":"Creates an incident in - the event the requested URL accessed by the user has been identified as Suspicious, - Phishing, or Hacking.","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SymantecProxySG","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6","name":"bfb1c90f-8006-4325-98be-c7fffbc254d6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeRange = 1d;\nlet s_threshold = 30;\nlet l_threshold = 3;\nSigninLogs\n| - where TimeGenerated >= ago(timeRange)\n| where OperationName =~ \"Sign-in - activity\"\n// Error codes that we want to look at as they are related to - the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" - , \"50055\", \"50056\")\n| extend OS = DeviceDetail.operatingSystem, Browser - = DeviceDetail.browser \n| extend LocationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), - \"/\", tostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]))\n| - summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated),LocationCount=dcount(LocationString), - Location = make_set(LocationString), \nIPAddress = make_set(IPAddress), IPAddressCount - = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription - = make_set(ResultDescription), \nBrowser = make_set(Browser), OS = make_set(OS), - SigninCount = count() by UserPrincipalName \n// - Setting a generic threshold - Can be different for different environment\n| - where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend - tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), - tostring(Browser), tostring(OS)\n| distinct *\n| extend timestamp = StartTime, - AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Distributed - Password cracking attempts in AzureAD","description":"Identifies distributed - password cracking attempts from the Azure Active Directory SigninLogs.\nThe - query looks for unusually high number of failed password attempts coming from - multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account - is locked because the user tried to sign in too many times with an incorrect - user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid - or null password - Password does not exist in store for this user.\n50126 Invalid - username or password, or invalid on-premises username or 
password.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928","name":"ef88eb96-861c-43a0-ab16-f3835a97c928","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet regexEmpire = @\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-D
omainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDo
mainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|
Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\$Volume){\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\(\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\";\nlet - ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| - where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account - = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, - CommandLine, ParentProcessName;\nprocessEvents};\nlet decodedPS = ProcessCreationEvents\n| - where TimeGenerated >= ago(timeframe) \n| where CommandLine contains \" -encodedCommand\"\n| - parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| - project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, - '' '')[0]), CommandLine\n// Note: currently the base64_decodestring function - is limited to supporting UTF8\n| extend decodedCommand = translate(''\\0'','''', - base64_decodestring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) - %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\n(decodedPS\n| - union \n(ProcessCreationEvents\n| where TimeGenerated >= ago(timeframe)\n| - where FileName in~ (\"powershell.exe\",\"powershell_ise.exe\")\n| 
where CommandLine - !contains \"-encodedcommand\")\n| extend StartTimeUtc = TimeGenerated\n)\n| - where CommandLine matches regex regexEmpire\n| extend timestamp = StartTimeUtc, - AccountCustomEntity = Account, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Powershell - Empire cmdlets seen in command line","description":"Identifies instances of - PowerShell Empire cmdlets in powershell process command line data.","tactics":["Execution","Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-01-25T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6","name":"a0907abe-6925-4d90-af2b-c7e89dc201a6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents - = DnsEvents \n| where ResultCode == 3 \n| where QueryType in (\"A\", \"AAAA\")\n| - where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !contains - \"/\"\n| where Name contains \".\";\nnxDomainDnsEvents\n| where TimeGenerated - > ago(endtime)\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) - by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen - IPs\n| join 
kind=leftanti (nxDomainDnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | - extend sld = tostring(split(Name, \".\")[-2])\n | summarize dcount(sld) - by ClientIP\n | where dcount_sld > threshold ) on ClientIP\n// Pull out - sample NXDomain responses for those remaining potentially infected IPs\n| - join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\n| - summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), - sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\n| extend - timestamp = StartTimeUtc, IPCustomEntity = ClientIP","queryFrequency":"P1D","queryPeriod":"P10D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Potential - DGA detected","description":"Identifies clients with a high NXDomain count - which could be indicative of a DGA (cycling through possible C2 domains\nwhere - most C2s are not live). 
Alert is generated when a new IP address is seen (based - on not being seen associated with \nNXDomain records in prior 10-day baseline - period).","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301","name":"5efb0cfd-063d-417a-803b-562eae5b0301","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 6h;\n// Ignore Build/Releases with less/equal - this number\nlet ServiceConnectionThreshold = 3;\n// New Connections need - to exhibit execution of more \"new\" connections than this number.\nlet NewConnectionThreshold - = 1;\n// List of Builds/Releases to ignore in your space\nlet BypassDefIds - = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", - \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", - \"Build\", \"ProjectB\"\n];\nlet HistoricDefs = AzureDevOpsAuditing\n| where - TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationName - == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), - Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| - summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames - = make_set(tostring(Data.ConnectionName)) \n by DefId = tostring(DefId), - Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\nAzureDevOpsAuditing\n| - where TimeGenerated >= ago(endtime)\n| where OperationName == \"Library.ServiceConnectionExecuted\" - \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), - ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with - OrganizationName '' (Organization)''\n| summarize CurrentCount = dcount(tostring(ConnectionId)), - ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated) \n by OrganizationName, DefId = tostring(DefId), - Type = tostring(Type), ProjectId, ProjectName, ActorUPN\n| where CurrentCount - > ServiceConnectionThreshold\n| join (HistoricDefs) on ProjectId, DefId, Type, - ActorUPN\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type - == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link - = iff(\nType == \"Build\", strcat(''https://dev.azure.com/'', OrganizationName, - ''/'', ProjectName, ''/_build?definitionId='', DefId),\nstrcat(''https://dev.azure.com/'', - OrganizationName, ''/'', ProjectName, ''/_release?_a=releases&view=mine&definitionId='', - DefId))\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\n| - project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections - = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \n RecentConnections - = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\n| extend - timestamp = StartTime, AccountCustomEntity = 
ActorUPN","queryFrequency":"PT6H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"Azure - DevOps Service Conection Addition/Abuse - Historic Allowlist","description":"This - detection builds a allowlist of historic service connection use by Builds - and Releases and compares to recent history, flagging growth of service connection - use in non manually allowlisted, non historically allowlisted Build/Release - runs.\nThis is to determine if someone is hijacking a build/release and adding - many service connections in order to abuse or dump credentials from service - connections.","tactics":["Persistence","Impact"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-05T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786","name":"2b701288-b428-4fb8-805e-e4372c574786","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"//The - bigger the window the better the data sample size, as we use IP prevalence, - more sample data is better.\nlet timeRange = 30d;\n//The minimum number of - countries that the account has been accessed from [default: 2]\nlet minimumCountries - = 2;\n//The delta (%) between the largest in-use IP and the smallest [default: - 90]\nlet deltaThreshold = 95;\n//The maximum (%) threshold that the country - appears in login data [default: 10]\nlet countryPrevalenceThreshold = 10;\n//The - time to project forward after the last login activity [default: 60min]\nlet - projectedEndTime = 60min; \n//Get Teams successful signins globally\nlet signinData - 
=\n SigninLogs\n | where TimeGenerated >= ago(timeRange)\n | where AppDisplayName - has \"Teams\"\n | where ConditionalAccessStatus =~ \"success\"\n | extend - country = tostring(LocationDetails[''countryOrRegion''])\n | where isnotempty(country) - and isnotempty(IPAddress);\n// Collect successful signins to teams\nlet loginEvents - = \n signinData\n | summarize count(), country=any(country), make_list(TimeGenerated) - by IPAddress, UserPrincipalName;\n//Calcualte delta between logins\nlet loginDelta - =\n loginEvents\n | summarize max(count_), min(count_) by UserPrincipalName\n | - extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\n | where - delta >= deltaThreshold;\n//Count number of countries used to sign in\nlet - countryCount =\n loginEvents\n | summarize Countries = dcount(country) by - UserPrincipalName;\n//Join delta and sign in counts to successful logins\nloginDelta\n| - join kind=rightouter (\n loginEvents\n) on UserPrincipalName\n| join kind=rightouter - (\n countryCount\n) on UserPrincipalName\n//Check where the record meets - the minimum required countries\n| where Countries >= minimumCountries\n| join - kind=leftouter (\n signinData\n | summarize count() by country\n | - join (\n //Now get the total number of logins from any country and - join it to the previous count in a single table\n signinData\n | - summarize count() by country\n | summarize sum(count_), make_list(country)\n | - mv-expand list_country\n | extend country = tostring(list_country)\n ) - on country\n | summarize by country, count_, sum_count_\n //Now - calculate each countries prevalence within login events\n | extend prevalence - = toreal(count_) / toreal(sum_count_) * 100\n | project-away sum_count_\n | - order by prevalence\n) on country\n//The % that suspicious country is prevalent - in data, this can be configured, less than 10% is uncommon\n| where prevalence - < countryPrevalenceThreshold\n| where min_count_ == count_\n//Login start - and end times from the 
JSON object, this is the activity window the suspicious - IP was active within\n| extend EventTimes = list_TimeGenerated\n| extend SuspiciousIP - = IPAddress\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, - SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, - EventTimes\n//Teams join to collect operations the user account has performed - within the given time range\n| join kind=inner( \n OfficeActivity \n | where - TimeGenerated >= ago(timeRange)\n | where Operation in~ (\"TeamsAdminAction\", - \"MemberAdded\", \"MemberRemoved\", \"MemberRoleChanged\", \"AppInstalled\", - \"BotAddedToTeam\")\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\n) - on $left.UserPrincipalName == $right.UserId\n| mv-expand StartTime = EventTimes\n| - extend StartTime = make_datetime(StartTime)\n//The end time is projected 60 - minutes forward, in case actions took place within the last hour of the final - login for the suspicious IP\n| extend ProjectedEndTime = make_datetime(StartTime - + projectedEndTime)\n//Limit to operations carried out by the user account - in the timeframe the IP was active\n| where OperationTime between (StartTime - .. 
ProjectedEndTime)\n| project UserPrincipalName, SuspiciousIP, StartTime, - ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n//Filter - on suspicious actions\n| extend activitySummary = pack(tostring(StartTime), - pack(\"Operation\",tostring(Operation), \"OperationTime\", OperationTime))\n| - summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, - SuspiciousCountryPrevalence\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity - = UserPrincipalName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Anomalous - login followed by Teams action","description":"Detects anomalous IP address - usage by user accounts and then checks to see if a suspicious Teams action - is performed.\nQuery calculates IP usage Delta for each user account and selects - accounts where a delta >= 90% is observed between the most and least used - IP.\nTo further reduce results the query performs a prevalence check on the - lowest used IP''s country, only keeping IP''s where the country is unusual - for the tenant (dynamic ranges)\nFinally the user accounts activity within - Teams logs is checked for suspicious commands (modifying user privileges or - admin actions) during the period the suspicious IP was 
active.","tactics":["InitialAccess","Persistence"],"lastUpdatedDateUTC":"2020-12-21T00:00:00Z","createdDateUTC":"2020-06-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b","name":"c775a46b-21b1-46d7-afa6-37e3e577a27b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 15;\nSymantecVIP\n| where TimeGenerated - > timeframe\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| - summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where - Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, - AccountCustomEntity = User","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Excessive - Failed Authentication from Invalid Inputs","description":"Creates an incident - in the event that a user generates an excessive amount of failed authentications - due to invalid inputs, indications of a potential brute 
force.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SymantecVIP","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29","name":"8a602940-4153-4045-a741-3bf15591ae29","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.2.1","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.4","name":"Score","description":"Generate - an anomaly when score is greater than the chosen value","sequenceNumber":1,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Attempted computer bruteforce","description":"This algorithm detects an unusually - high volume of failed login attempts to each computer. The model is trained - on the previous 21 days of security event ID 4625 on a computer. 
It indicates - anomalous high volume of failed login attempts in the last day.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-12-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3","name":"106813db-679e-4382-a51b-1bfc463befc3","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(Url)\n| join (\n CommonSecurityLog\n | extend - IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // - Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | - where DeviceEventClassID =~ ''url''\n //Uncomment the line below to only - alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select - logs where URL data is populated\n | extend PA_Url = columnifexists(\"RequestURL\", - \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", - 1, tolower(AdditionalExtensions)), trim(''\"'', PA_Url))\n | extend PA_Url - = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat(''http://'', - PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", - strcat(''https://'', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | - extend CSL_TimeGenerated = 
TimeGenerated\n) on $left.Url == $right.PA_Url\n| - project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, - ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, - PA_Url, DeviceName\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity - = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map URL entity to PaloAlto data","description":"Identifies a match in PaloAlto - data from any URL IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06","name":"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime - = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime - = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod; - \nlet 
GitHubFailedSSOLogins = (SigninLogs \n| where AppDisplayName == \"GitHub.com\" - \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated - between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime - = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \n| summarize - AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning - = stdev(FailedLoginsCountInBinTime) by UserPrincipalName\n| extend LearningThreshold - = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, - MinThreshold) \n| join kind=innerunique ( \n GitHubFailedSSOLogins \n | - where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \n | summarize - FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, - bin(TimeGenerated, BinTime)\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime - > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp - = TimeGenerated","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"Brute - Force Attack against GitHub Account","description":"Attackers who are trying - to guess your users'' passwords or use brute-force methods to get in. If your - organization is using SSO with Azure Active Directory, authentication logs - to GitHub.com will be generated. 
Using the following query can help you identify - a sudden increase in failed logon attempt of users.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-01-20T00:00:00Z","createdDateUTC":"2020-06-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8","name":"f71aba3d-28fb-450b-b192-4e76a83015c8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Fusion","properties":{"severity":"High","displayName":"Advanced - Multistage Attack Detection","description":"Using Fusion technology based - on machine learning, Azure Sentinel automatically detects multistage attacks - by identifying combinations of anomalous behaviors and suspicious activities - observed at various stages of the kill chain. On the basis of these discoveries, - Azure Sentinel generates incidents that would otherwise be very difficult - to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, - which is why this detection is turned ON by default.\n\nThere are a total - of 90 Fusion incident types detected by Azure Sentinel.\n\nTo detect these - multistage attacks, the following data connectors must be configured:\n- Azure - Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- - Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n\nFor - a full list and description of each scenario that is supported for these multistage - attacks, go to https://aka.ms/SentinelFusion.","tactics":["Collection","CommandAndControl","DefenseEvasion","Discovery","Execution","Exfiltration","Impact","InitialAccess","LateralMovement","Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-02-09T00:00:00Z","createdDateUTC":"2019-07-25T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5","name":"643c2025-9604-47c5-833f-7b4b9378a1f5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"//Adjust - this threshold to fit your environment\nlet signin_threshold = 5; \n//Make - a list of IPs with AAD signin failures above our threshold\nlet Suspicious_signins - = \nSigninLogs\n| where TimeGenerated >= ago(1d)\n| where ResultType !in (\"0\", - \"50125\", \"50140\")\n| where IPAddress != \"127.0.0.1\"\n| summarize count() - by IPAddress\n| where count_ > signin_threshold\n| summarize make_list(IPAddress);\n//See - if any of those IPs have sucessfully logged into the AWS console\nAWSCloudTrail\n| - where TimeGenerated > ago(1d)\n| where EventName =~ \"ConsoleLogin\"\n| extend - LoginResult = 
tostring(parse_json(ResponseElements).ConsoleLogin) \n| where - LoginResult =~ \"Success\"\n| where SourceIpAddress in (Suspicious_signins)\n| - extend Reason = \"Multiple failed AAD logins from IP address\"\n| extend MFAUsed - = tostring(parse_json(AdditionalEventData).MFAUsed)\n| extend User = iif(isempty(UserIdentityUserName), - UserIdentityType, UserIdentityUserName) \n| summarize StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, - User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\n| extend timestamp = - StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - AzureAD logons but success logon to AWS Console","description":"Identifies - a list of IP addresses with a minimum number(defualt of 5) of failed logon - attempts to Azure Active Directory.\nUses that list to identify any successful - AWS Console logons from these IPs within the same 
timeframe.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50","name":"2fc5d810-c9cc-491a-b564-841427ae0e50","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n SecurityEvent | where TimeGenerated - >= ago(dt_lookBack) and isnotempty(TargetUserName)\n //Normalizing the - column to lower case for exact match with EmailRecipient column\n | extend - TargetUserName = tolower(TargetUserName)\n // renaming timestamp column - so it is clear the log this came from SecurityEvent table\n | extend SecurityEvent_TimeGenerated - = TimeGenerated\n)\non $left.EmailRecipient == $right.TargetUserName\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\nEmailSenderName, - EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, - Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, - LogonProcessName, 
Status, SubStatus\n| extend timestamp = SecurityEvent_TimeGenerated, - AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity - = Computer, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to SecurityEvent","description":"Identifies a match in - SecurityEvent table from any Email IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b","name":"fa118b98-de46-4e94-87f9-8e6d5060b60b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MLBehaviorAnalytics","properties":{"severity":"Medium","displayName":"(Preview) - Anomalous SSH Login Detection","description":"This detection uses machine - learning (ML) to identify anomalous Secure Shell (SSH) login activity, based - on syslog data. 
Scenarios include:\n\n*\tUnusual IP - This IP address has - not or has rarely been seen in last 30 days.\n*\tUnusual Geo - The IP address, - city, country and ASN have not (or rarely) been seen in last 30 days.\n*\tNew - user - A new user logs in from an IP address and geo location, both or either - of which are not expected to be seen in the last 30 days.\n\nAllow 7 days - after this alert is enabled for Azure Sentinel to build a profile of normal - activity for your environment.\n\nThis detection requires a specific configuration - of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-07-16T00:00:00Z","createdDateUTC":"2019-08-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267","name":"40ba9493-4183-4eee-974f-87fe39c8f267","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Azure - Advanced Threat Protection","displayName":"Create incidents based on Azure - Advanced Threat Protection alerts","description":"Create incidents based on - all alerts generated in Azure Advanced Threat Protection","lastUpdatedDateUTC":"2019-07-16T00:00:00Z","createdDateUTC":"2019-07-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureAdvancedThreatProtection","dataTypes":["SecurityAlert - 
(AATP)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb","name":"ffe3625d-a933-4f63-b192-7e6ebf3be5fb","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.2.1","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.1","name":"Score","description":"Generate - an anomaly when score is greater than the chosen value","sequenceNumber":1,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Attempted user account bruteforce","description":"This algorithm detects an - unusually high volume of failed login attempts per user account. The model - is trained on the previous 21 days of security event ID 4625 on an account. 
- It indicates anomalous high volume of failed login attempts in the last day.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-12-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16","name":"d3980830-dd9d-40a5-911f-76b44dfdce16","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - RunTime = 1h;\nSigninLogs\n| where TimeGenerated > ago(RunTime)\n| where AppDisplayName - == \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = - dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), - BurstEndTime = max(TimeGenerated) by UserPrincipalName\n| where CountOfLocations - > 1\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"GitHub - Signin Burst from Multiple Locations","description":"This alerts when there - Signin burst from multiple locations in GitHub (AAD 
SSO).","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910","name":"a3c144f9-8051-47d4-ac29-ffb0c312c910","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet - SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nDeviceFileEvents\n| where - MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity - = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, - InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity - = MD5","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"FileHash","fieldMappings":[{"identifier":"Algorithm","columnName":"MD5"},{"identifier":"Value","columnName":"FileHashCustomEntity"}]}],"displayName":"SUNBURST - and SUPERNOVA backdoor hashes","description":"Identifies SolarWinds SUNBURST - and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- - 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f","tactics":["Execution","Persistence"],"lastUpdatedDateUTC":"2021-01-31T00:00:00Z","createdDateUTC":"2020-12-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceFileEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479","name":"ba144bf8-75b8-406f-9420-ed74397f9479","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\n//Set a threshold of failed AAD signins from an IP address - within 1 day above which we want to deem those logins suspicious.\nlet signin_threshold - = 5; \n//Make a list of IPs with AAD signin failures above our threshold.\nlet - suspicious_signins = \n SigninLogs\n | where TimeGenerated >= ago(timeframe)\n //Looking - for logon failure results\n | where ResultType !in (\"0\", \"50125\", \"50140\")\n //Exclude - localhost addresses to reduce the chance of FPs\n | where IPAddress != - \"127.0.0.1\"\n | summarize count() by IPAddress\n | where count_ > signin_threshold\n | - summarize make_list(IPAddress);\n//See if any of those IPs have sucessfully - logged into PA VPNs during the same timeperiod\nCommonSecurityLog\n | where - TimeGenerated > ago(timeframe)\n //Select only PA VPN sucessful logons\n | - where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"globalprotect\"\n | - where Message has \"GlobalProtect gateway user authentication succeeded\"\n //Parse - out the logon source IP from the Message field to match on\n | 
extend SourceIP - = extract(\"Login from: ([^,]+)\", 1, Message) \n | where SourceIP in (suspicious_signins)\n | - extend Reason = \"Multiple failed AAD logins from SourceIP\"\n //Parse - out other useful information from Message field\n | extend User = extract(\"User - name: ([^,]+)\", 1, Message) \n | extend ClientOS = extract(\"Client OS - version: ([^,\\\"]+)\", 1, Message)\n | extend Location = extract(\"Source - region: ([^,]{2})\",1, Message)\n | project TimeGenerated, Reason, SourceIP, - User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, - DeviceEventClassID, Computer, FileName\n | extend AccountCustomEntity = - User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity - = DeviceName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"IP - with multiple failed Azure AD logins successfully logs in to Palo Alto VPN","description":"This - query creates a list of IP addresses with a number failed login attempts to - AAD \nabove a set threshold. 
It then looks for any successful Palo Alto VPN - logins from any\nof these IPs within the same timeframe.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-09-04T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e","name":"9f86885f-f31f-4e66-a39d-352771ee789e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nCarbonBlackEvents_CL\n| where TimeGenerated > timeframe\n| - extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| - where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime - = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, - deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, - processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity - = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, - IPCustomEntity = deviceDetails_deviceIpAddress_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - Malware Detected","description":"This creates an 
incident when a known Malware - is detected on a endpoint managed by a Carbon Black.","tactics":["Execution"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"VMwareCarbonBlack","dataTypes":["CarbonBlackEvents_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f","name":"9c712bb2-08dc-44d3-b66b-af154dfc1c4f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.2.1","techniques":["T1001"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.07","name":"Score","description":"Generate - an anomaly when score is greater than the chosen value","sequenceNumber":1,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Suspicious volume of logins to computer","description":"This algorithm detects - an unusually high volume of successful logins per computer. The model is trained - on the previous 21 days of security event ID 4624 on a computer. 
It indicates - anomalous high volume of successful logins in the last day","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-11-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be","name":"957cb240-f45d-4491-9ba5-93430a3c08be","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nOfficeActivity\n| where TimeGenerated >= ago(timeframe)\n| - where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", - \"Set-Mailbox\", \"New-ManagementRoleAssignment\")\nand not(UserId has_any - (''NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)'',''devilfish-applicationaccount'') - and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend - timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = - ClientIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Rare - and potentially high-risk Office operations","description":"Identifies Office - operations that are typically rare and can provide capabilities useful to - 
attackers.","tactics":["Persistence","Collection"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-13T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b","name":"44a555d8-ecee-4a25-95ce-055879b4b14b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeFrame = 1d;\nlet timeBin = 10m;\nlet portThreshold = 30;\nW3CIISLog\n| - where TimeGenerated >= ago(timeFrame)\n| extend scStatusFull = strcat(scStatus, - \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly - = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", - \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server - configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on - resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull - == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull - == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// - Mapping to Hex so can be mapped using website in comments above\n| extend - scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| - extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The - referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex - =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex - =~ \"532\", \"Logon failure: The 
specified account password has expired.\",\nscWin32Status_Hex - =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex - =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", - \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect - function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file - specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path - specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", - \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ - \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", - \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// - decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// - Count of attempts by client IP on many ports\n| summarize makeset(sPort), - makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), - makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), - makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), - ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, - sIP\n| extend portCount = arraylength(set_sPort)\n| where portCount >= portThreshold\n| - project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, - Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, - set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, - ConnectionsCount, portCount\n| order by portCount\n| extend timestamp = TimeGenerated, - IPCustomEntity = cIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"High - count of connections by 
client IP on many ports","description":"Identifies - when 30 or more ports are used for a given client IP in 10 minutes occurring - on the IIS server.\nThis could be indicative of attempted port scanning or - exploit attempt at internet facing web applications. \nThis could also simply - indicate a misconfigured service or device.\nReferences:\nIIS status code - mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 - Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-03-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3","name":"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet opList = OfficeActivity \n| where TimeGenerated >= ago(timeframe) - \n| summarize by Operation\n//| where Operation startswith \"Remove-\" or - Operation startswith \"Disable-\"\n| where Operation has_any (\"Remove\", - \"Disable\")\n| where Operation contains \"AntiPhish\" or Operation contains - \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains - \"Dlp\" or Operation contains \"Audit\"\n| summarize make_set(Operation);\nOfficeActivity\n| - where TimeGenerated >= ago(timeframe)\n// Only admin or global-admin can disable/remove - policy\n| where RecordType =~ \"ExchangeAdmin\"\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// - Pass in interesting Operation list\n| where Operation in~ (opList)\n| extend - 
ClientIPOnly = case( \nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), - \nClientIP has \"[\", tostring(trim_start(@''[[]'',tostring(split(ClientIP,\"]\")[0]))),\nClientIP\n) \n| - extend Port = case(\nClientIP has \".\", (split(ClientIP,\":\")[1]),\nClientIP - has \"[\", tostring(split(ClientIP,\"]:\")[1]),\nClientIP\n)\n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount - = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, - Parameters\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, - IPCustomEntity = ClientIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Office - policy tampering","description":"Identifies if any tampering is done to either - auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\nAn adversary - may use this technique to evade detection or avoid other policy based defenses.\nReferences: - https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.","tactics":["Persistence","DefenseEvasion"],"lastUpdatedDateUTC":"2020-12-19T00:00:00Z","createdDateUTC":"2019-04-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8","name":"c7bfadd4-34a6-4fa5-82f8-3691a32261e8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", - \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| - where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), - UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, - EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, - AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, - ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = - User , IPCustomEntity = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - to AWS Elastic 
Load Balancer security groups","description":"Elastic Load - Balancer distributes incoming traffic across multiple instances in multiple - availability Zones. This increases the fault tolerance of your applications. - \n Unwanted changes to Elastic Load Balancer specific security groups could - open your environment to attack and hence needs monitoring.\n More information: - https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - \n and https://aws.amazon.com/elasticloadbalancing/.","tactics":["Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d","name":"70b12a3b-4896-42cb-910c-5ffaf8d7987d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", - \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", - \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", - \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", - \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", - \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", - \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", - \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", - \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", - \"rnaii.com\", \"rnailm.com\", 
\"sec-live.com\", \"secrityprocessing.com\", - \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", - \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", - \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| where isnotempty(FileHash)\n| - where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer - = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| where TimeGenerated - >= ago(timeframe) \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| - where DNSName in~ (DomainNames)\n| extend IPAddress = ClientIP\n),\n(VMConnection - \n| where TimeGenerated >= ago(timeframe) \n| parse RemoteDnsCanonicalNames - with * ''[\"'' DNSName ''\"]'' *\n| where isnotempty(DNSName)\n| where DNSName in~ - (DomainNames)\n| extend IPAddress = RemoteIp\n)\n)\n| extend timestamp = TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity - = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"THALLIUM - domains included in DCU takedown","description":"THALLIUM spearphishing and - command and control domains included in December 2019 DCU/MSTIC takedown. 
- \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, - DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ - ","tactics":["CommandAndControl","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-01-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8","name":"2acc91c3-17c2-4388-938e-4eac2d5894e8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nW3CIISLog\n| where TimeGenerated >= ago(timeframe)\n| where - csMethod == ''GET''\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\n| - where csUriStem contains \"logoimagehandler.ashx\"\n| where csUriQuery contains - \"codes\" and csUriQuery contains \"clazz\" and csUriQuery contains \"method\" - and csUriQuery contains \"args\"\n| extend timestamp = TimeGenerated, IPCustomEntity - = cIP, HostCustomEntity = Computer, AccountCustomEntity = 
csUserName","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"SUPERNOVA - webshell","description":"Identifies SUPERNOVA webshell based on W3CIISLog - data.\n References:\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-01-07T00:00:00Z","createdDateUTC":"2021-01-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464","name":"d6190dde-8fd2-456a-ac5b-0a32400b0464","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| - where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, - Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName - = Process, CommandLine, ParentProcessName;\nprocessEvents;\n};\nProcessCreationEvents - \n| where TimeGenerated > ago(timeframe) \n| where CommandLine contains \".decode(''base64'')\"\n or - CommandLine contains \"base64 --decode\"\n or CommandLine contains - \".decode64(\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc - = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, - FileName, CommandLine, 
ParentProcessName \n| extend timestamp = StartTimeUtc, - AccountCustomEntity = Account, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Process - executed from binary hidden in Base64 encoded file","description":"Encoding - malicious software is a technique used to obfuscate files from detection. - \nThe first CommandLine component is looking for Python decoding base64. \nThe - second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe - third one is looking for Ruby decoding base64.","tactics":["Execution","DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-01-24T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e","name":"712fab52-2a7d-401e-a08c-ff939cc7c25e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(Url)\n| join (\n AuditLogs\n | where TimeGenerated - >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON - data\n | extend Url = 
extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", - 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName - = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | - extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | - extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| summarize LatestIndicatorTime - = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, - ConfidenceScore,\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, - TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, - AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, - URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map URL entity to AuditLogs","description":"Identifies a match in AuditLogs - from any URL IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69","name":"23de46ea-c425-4a77-b456-511ae4855d69","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which - an IP address is considered an unusual source of role assignment operations\nlet - alertOperationThreshold = 5;\nlet SensitiveOperationList = dynamic(\n[\"List - keys\", \"List Storage Account Keys\", \"Register Subscription\", \"Create - or Update Snapshot\", \"Create or Update Network Security Group\"]);\nlet - SensitiveActivity = AzureActivity\n| where OperationName in~ (SensitiveOperationList)\n| - where ActivityStatus =~ \"Succeeded\";\nSensitiveActivity\n| where TimeGenerated - between (ago(starttime) .. 
ago(endtime))\n| summarize count() by CallerIpAddress, - Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti - ( \nSensitiveActivity\n| where TimeGenerated >= ago(endtime)\n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp - = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \nOperationIds - = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources - = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds - = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \nby CallerIpAddress, - Caller, OperationName\n) on CallerIpAddress, Caller\n| extend timestamp = - StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Rare - subscription-level operations in Azure","description":"This query looks for - a few sensitive subscription-level events based on Azure Activity Logs. 
\n - For example this monitors for the operation name ''Create or Update Snapshot'' - which is used for creating backups but could be misused by attackers \n to - dump hashes or extract sensitive information from the disk.","tactics":["CredentialAccess","Persistence"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-24T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f","name":"4b93c5af-d20b-4236-b696-a28b8c51407f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent - \n| where TimeGenerated > ago(2*timeframe) \n// A user account was created\n| - where EventID == 4720\n| where AccountType =~ \"User\"\n| project creationTime - = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, - TargetUserName, UserPrincipalName, \nAccountUsedToCreate = SubjectAccount, - SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), - TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated - > ago(timeframe) \n // A user account was deleted \n | where EventID == - 4726\n| where AccountType == \"User\"\n| project deletionTime = TimeGenerated, - DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, - UserPrincipalName, \nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete - = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on - Computer, TargetAccount\n| where deletionTime - creationTime < spanoftime\n| - extend TimeDelta = deletionTime - 
creationTime\n| where tolong(TimeDelta) - >= threshold\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, - Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, - SIDofAccountUsedToCreate,\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, - SIDofAccountUsedToDelete\n| extend timestamp = creationTime, AccountCustomEntity - = AccountUsedToCreate, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"},{"identifier":"Sid","columnName":"SIDofAccountUsedToCreate"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"User - account created and deleted within 10 mins","description":"Identifies when - a user account is created and then deleted within 10 minutes. This can be - an indication of compromise and\nan adversary attempting to hide in the noise.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-02-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e","name":"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 1;\nAzureDiagnostics\n | where TimeGenerated - >= timeframe\n | where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n | - extend msg_s_replaced0 = 
replace(@\"\\s\\s\",@\" \",msg_s)\n | extend msg_s_replaced1 - = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n | extend msg_a = split(msg_s_replaced1,\" - \")\n | extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n | - extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort - = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), - action = tostring(msg_a[7])\n | where action == \"Deny\"\n | extend - url = iff(destIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",destIp)\n | - summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, - protocol\n | where count_ >= [\"threshold\"]\n | extend timestamp = - StartTime, URLCustomEntity = url, IPCustomEntity = srcIp","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":1,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Several - deny actions registered","description":"Identifies attack pattern when attacker - tries to move, or scan, from resource to resource on the network and creates - an incident when a source has more than 1 registered deny action in Azure - 
Firewall.","tactics":["Discovery","LateralMovement","CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-10-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureFirewall","dataTypes":["AzureDiagnostics"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce","name":"57e56fc9-417a-4f41-a579-5475aea7b8ce","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\nlet threshold = 1000;\nInfobloxNIOS\n| where TimeGenerated - >= ago(timeframe)\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| - summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| - join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"dhcpd\" and Log_Type - =~ \"DHCPREQUEST\"\n | where TimeGenerated >= ago(timeframe)\n ) on - ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Potential - DHCP Starvation Attack","description":"This creates an incident in the event - that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server - and could potentially be an indication of a DHCP Starvation 
Attack.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"InfobloxNIOS","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6","name":"0dd422ee-e6af-4204-b219-f59ac172e4c6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"ThreatIntelligence","properties":{"severity":"Medium","displayName":"(Preview) - Microsoft Threat Intelligence Analytics","description":"This rule generates - an alert when a Microsoft Threat Intelligence Indicator gets matched with - your event logs. The alerts are very high fidelity and are turned ON by default. - \n\nNote : It is advised to turn off any custom alert rules which match the - threat intelligence indicators with the same event logs matched by this analytics - to prevent duplicate alerts.","tactics":["Persistence","LateralMovement"],"lastUpdatedDateUTC":"2020-09-15T00:00:00Z","createdDateUTC":"2020-06-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CEF","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508","name":"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| - where TimeGenerated > timeframe\n| where eventType_s =~ \"user.session.start\"and - 
outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize - dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| - where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, - TimeGenerated;\nOkta_CL\n| where TimeGenerated > timeframe\n| where eventType_s - =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| - summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City - = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, - bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, - TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, - IPCustomEntity = client_ipAddress_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Potential - Password Spray Attack","description":"This query searches for failed attempts - to log into the Okta console from more than 15 various users within a 5 minute - timeframe from the same source. 
This is a potential indication of a password - spray attack","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"OktaSSO","dataTypes":["Okta_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e","name":"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", - \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| - where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| - where ObjectName has_any (scriptExtensions)\n| where AccessMask in (''0x2'',''0x100'', - ''0x10'', ''0x4'')),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| - where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| - where FileName has_any(scriptExtensions))\n| extend timestamp = TimeGenerated, - AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity - = 
IpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"InitiatingProcessAccountUpn"}]},{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"DeviceName"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"HAFNIUM - UM Service writing suspicious file.","description":"This query looks for the - Exchange server UM process writing suspicious files that may be indicative - of webshells.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-03-02T00:00:00Z","createdDateUTC":"2021-03-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceFileEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8","name":"1572e66b-20a7-4012-9ec4-77ec4b101bc8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold - = 15;\nlet Kerbevent =\nSecurityEvent\n| where TimeGenerated >= ago(starttime)\n| - where EventID == 4769\n| parse EventData with * ''TicketEncryptionType\">'' - TicketEncryptionType \"<\" *\n| where TicketEncryptionType == ''0x17''\n| 
- parse EventData with * ''TicketOptions\">'' TicketOptions \"<\" *\n| where - TicketOptions == ''0x40810000''\n| parse EventData with * ''Status\">'' Status - \"<\" *\n| where Status == ''0x0''\n| parse EventData with * ''ServiceName\">'' - ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains - \"krbtgt\" \n| parse EventData with * ''TargetUserName\">'' TargetUserName - \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains - ServiceName\n| parse EventData with * ''IpAddress\">::ffff:'' ClientIPAddress - \"<\" *;\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) - and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), - ServiceNameSet23h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, - ClientIPAddress, TicketOptions, TicketEncryptionType, Status\n| where ServiceNameCountPrev23h - < prev23hThreshold;\nlet Kerbevent1h = \nKerbevent\n| where TimeGenerated - >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h - = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \nby Computer, - TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, - Status;\nKerbevent1h \n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, - TargetDomainName\n// Threshold value set above is based on testing, this value - may need to be changed for your environment.\n| where ServiceNameCountPrev1h - > prev1hThreshold\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc - = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, - \nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, - TargetDomainName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = - strcat(TargetDomainName,\"\\\\\", TargetUserName), HostCustomEntity = Computer, - IPCustomEntity = 
ClientIPAddress","queryFrequency":"PT1H","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Potential - Kerberoasting","description":"A service principal name (SPN) is used to uniquely - identify a service instance in a Windows environment. \nEach SPN is usually - associated with a service account. Organizations may have used service accounts - with weak passwords in their environment. \nAn attacker can try requesting - Kerberos ticket-granting service (TGS) service tickets for any SPN from a - domain controller (DC) which contains \na hash of the Service account. This - can then be used for offline cracking. This hunting query looks for accounts - that are generating excessive \nrequests to different resources within the - last hour compared with the previous 24 hours. Normal users would not make - an unusually large number \nof request within a small time window. 
This is - based on 4769 events which can be very noisy so environment based tweaking - might be needed.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-22T00:00:00Z","createdDateUTC":"2019-04-01T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7","name":"0914adab-90b5-47a3-a79f-7cdcac843aa7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold - = 5;\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet - TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| - extend ResultType = columnifexists(\"ResultType\", \"None\"), CallerIPAddress - = columnifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" - and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| - where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName - in (OperationList)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| - make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) - to startofday(now()) step timeframe by Resource;\n//Filter anomolies against - TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, - score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, - -1, ''linefit'')\n| mv-expand HourlyCount to typeof(double), TimeGenerated - to typeof(datetime), anomalies to typeof(double),score to typeof(double), - baseline 
to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| - where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| - project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, - score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) - | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| - where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe - to retrive records associated with the hour of anomoly\n| join (\nAzureDiagnostics\n| - where TimeGenerated > ago(timeframe)\n| extend DateHour = bin(TimeGenerated, - 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) - //filter the dataset to only selected anomaly hours\n| extend ResultType = - columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = - columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", - \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress - = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", - \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where - identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| - where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" - and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| - where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType - =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| - summarize PerOperationCount=count(), 
LatestAnomalyTime = arg_max(TimeGenerated,*) - by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, - identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, - requestUri_s, clientInfo_s\n) on Resource, TimeGenerated\n| summarize EventCount=count(), - OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, - 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, - 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) - by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime, - IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Azure - Key Vault access TimeSeries anomaly","description":"Indentifies a sudden increase - in count of Azure Key Vault secret or vault access operations by CallerIPAddress. - The query leverages a built-in KQL anomaly detection algorithm\nto find large - deviations from baseline Azure Key Vault access patterns. Any sudden increase - in the count of Azure Key Vault accesses can be an\nindication of adversary - dumping credentials via automated methods. 
If you are seeing any noise, try - filtering known source(IP/Account) and user-agent combinations.\nTimeSeries - Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-07-01T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7","name":"500415fb-bba7-4227-a08a-9857fb61b6a7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nOfficeActivity\n| where TimeGenerated >= ago(timeframe)\n| - where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", - \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName - = case(\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n Operation - =~ \"New-TransportRule\", tostring(p[1].Value),\n \"Unknown\"\n ) \n| mvexpand - p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") - and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly - = case( \n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), - \n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), - \n ClientIP has \"[\", tostring(trim_start(@''[[]'',tostring(split(ClientIP,\"]\")[0]))),\n ClientIP\n ) \n| - extend Port = case(\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n ClientIP - has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n ClientIP - has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n ClientIP - has \"[\" and ClientIP has 
\"-\", tostring(split(ClientIP,\"]-\")[1]),\n ClientIP\n )\n| - extend ClientIP = ClientIPOnly\n| project TimeGenerated, RedirectTo, ClientIP, - Port, UserId, Operation, RuleName\n| extend timestamp = TimeGenerated, AccountCustomEntity - = UserId, IPCustomEntity = ClientIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Mail - redirect via ExO transport rule","description":"Identifies when Exchange Online - transport rule configured to forward emails.\nThis could be an adversary mailbox - configured to collect mail from multiple user accounts.","tactics":["Collection","Exfiltration"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-05-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25","name":"f845881e-2500-44dc-8ed7-b372af3e1e25","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeFrame = 1d;\nlet short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold - = 100;\nW3CIISLog \n| where TimeGenerated >= ago(timeFrame)\n// Exclude local - IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != - \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") - and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) - >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| - 
summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, - csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| - where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Anomalous - User Agent connection attempt","description":"Identifies connection attempts - (success or fail) from clients with very short or very long User Agent strings - and with less than 100 connection attempts.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6","name":"cca3b4d9-ac39-4109-8b93-65bb284003e6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @''^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$'';\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n//Filtering 
the table for Email related IOCs\n| where - isnotempty(EmailRecipient)\n| join (\n AzureActivity | where TimeGenerated - >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | - where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated - = TimeGenerated\n)\non $left.EmailRecipient == $right.Caller\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\nEmailSenderName, - EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, - Caller, Level, CallerIpAddress, Category, OperationName,\nOperationNameValue, - ActivityStatus, ResourceGroup, SubscriptionId\n| extend timestamp = AzureActivity_TimeGenerated, - AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Email entity to AzureActivity","description":"Identifies a match in - AzureActivity table from any Email IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b","name":"4d94d4a9-dc96-410a-8dea-4d4d4584188b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\nlet OperationList = dynamic([\"Add member to role\",\"Add - member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n| - where TimeGenerated >= ago(timeframe)\n| where LoggedByService =~ \"Core Directory\"\n| - where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| - mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| - mv-expand modifiedProperties\n| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), - GroupName = trim(@''\"'',tostring(parse_json(modifiedProperties).newValue))\n| - extend AppId = tostring(parse_json(parse_json(InitiatedBy).app).appId), InitiatedByDisplayName - = tostring(parse_json(parse_json(InitiatedBy).app).displayName), ServicePrincipalId - = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalId), ServicePrincipalName - = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalName)\n| - where DisplayName =~ \"Role.WellKnownObjectName\"\n| where GroupName in~ 
(PrivilegedGroups)\n// - If you want to still alert for operations from PIM, remove below filtering - for MS-PIM.\n| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, - AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, - ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName\n| extend - timestamp = TimeGenerated, AccountCustomEntity = ServicePrincipalName","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"User - added to Azure Active Directory Privileged Groups","description":"This will - alert when a user is added to any of the Privileged Groups.\nFor further information - on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor - Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757","name":"500c103a-0319-4d56-8e99-3cec8d860757","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - lookBack = 1d;\nSigninLogs \n| where TimeGenerated >= ago(lookBack)\n| where - ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. 
- The account has been disabled by an administrator.\" \n| summarize StartTimeUtc - = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts - = count(), \ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted - = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), - \napplicationSet = makeset(AppDisplayName) by IPAddress\n| order by disabledAccountLoginAttempts - desc\n| join kind= leftouter (\n // Consider these IPs suspicious - and - alert any related successful sign-ins\n SigninLogs\n | where TimeGenerated - >= ago(lookBack)\n | where ResultType == 0\n | summarize successfulAccountSigninCount - = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, - 15) by IPAddress\n // Assume IPs associated with sign-ins from 100+ distinct - user accounts are safe\n | where successfulAccountSigninCount < 100\n) - on IPAddress \n// IPs from which attempts to authenticate as disabled user - accounts originated, and had a non-zero success rate for some other account\n| - where successfulAccountSigninCount != 0\n| project StartTimeUtc, EndTimeUtc, - IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, - applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet\n| - order by disabledAccountLoginAttempts\n| extend timestamp = StartTimeUtc, - IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Sign-ins - from IPs that attempt sign-ins to disabled accounts","description":"Identifies - IPs with failed attempts to sign in to one or more disabled accounts signed - in successfully to another account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - - User account is 
disabled. The account has been disabled by an administrator.","tactics":["InitialAccess","Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44","name":"34663177-8abf-4db1-b0a4-5683ab273f44","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = ago(1h);\nlet threshold = 20;\nPulseConnectSecure\n| where TimeGenerated - >= timeframe\n| where Messages contains \"Login failed\"\n| summarize StartTime - = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| - where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity - = User, IPCustomEntity = Source_IP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"PulseConnectSecure - - Potential Brute Force Attempts","description":"This query identifies evidence - of potential brute force attack by looking at multiple failed attempts to - log into the VPN 
server","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PulseConnectSecure","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06","name":"15ae38a2-2e29-48f7-883f-863fb25a5a06","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents \n| where - TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\" \n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) - by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, - ClientIP , dcount_Name \n| join kind=leftanti (DnsEvents \n | where TimeGenerated - between(ago(starttime)..ago(endtime))\n | where Name contains \"in-addr.arpa\" - \n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | - where dcount_Name > threshold\n | project ClientIP , dcount_Name \n) on - ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP","queryFrequency":"P1D","queryPeriod":"P8D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Rare - client observed with high reverse DNS lookup count","description":"Identifies - clients with a high reverse DNS counts which could be carrying out reconnaissance - or discovery activity.\nAlert is generated if the IP performing such reverse - DNS lookups was not seen doing so in the preceding 7-day 
period.","tactics":["Discovery"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c","name":"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe =1d;\nlet EventCountThreshold = 25;\nlet OperationList = dynamic(\n[\"SecretGet\", - \"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| - extend ResultType = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", - \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where - identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| - where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName - in (OperationList) \n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, - OperationName\n| where count_ > EventCountThreshold \n| join (\nAzureDiagnostics\n| - where TimeGenerated > ago(timeframe)\n| extend ResultType = columnifexists(\"ResultType\", - \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", - \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - = 
columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", - \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress - = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", - \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where - identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| - where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" - and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| - where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where OperationName - in~ (OperationList) \n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g - \n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), - TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), - RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= - arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, - clientInfo_s\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, - AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Mass - secret retrieval from Azure Key Vault","description":"Identifies mass secret - retrieval from Azure Key Vault observed by a 
single user. \nMass secret retrival - crossing a certain threshold is an indication of credential dump operations - or mis-configured applications. \nYou can tweak the EventCountThreshold based - on average count seen in your environment \nand also filter any known sources - (IP/Account) and useragent combinations based on historical analysis to further - reduce noise","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2019-07-01T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6","name":"39198934-62a0-4781-8416-a81265c03fd6","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated - > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where - Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent - to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName - = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| - where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] - with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| - parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" - GrantScope1 \"]\" *\n| where ConsentFull contains \"user.read\" and ConsentFull - contains \"offline_access\" and ConsentFull contains \"mail.readwrite\" and - ConsentFull contains \"mail.send\" and ConsentFull contains 
\"files.read.all\"\n| - where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth - application was granted to all users via an admin - but admin due diligence - should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), - InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\n| extend GrantInitiatedBy - = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, - InitiatedBy.app.displayName)\n| extend GrantUserAgent = iff(AdditionalDetails[0].key - =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, - GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, - GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| - join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| - where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| - extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue - has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| - distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind - = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where - LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add - delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| - extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, - CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, - GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, - GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, 
- CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity - = GrantInitiatedBy, IPCustomEntity = GrantIpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - application consent similar to PwnAuth","description":"This will alert when - a user consents to provide a previously-unknown Azure application with the - same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe - default permissions/scope for the PwnAuth toolkit are user.read, offline_access, - mail.readwrite, mail.send, and files.read.all.\nConsent to applications with - these permissions should be rare, especially as the knownApplications list - is expanded. Public contributions to expand this filter are welcome!\nFor - further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess","DefenseEvasion"],"lastUpdatedDateUTC":"2020-12-03T00:00:00Z","createdDateUTC":"2020-06-26T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67","name":"a3df4a32-4805-4c6d-8699-f3c888af2f67","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - TimeFrame = ago(1d);\nlet Alert1 = \nSecurityAlert\n| where TimeGenerated - > TimeFrame\n| where 
AlertName == \"Unfamiliar sign-in properties\"\n| extend - UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| - extend Alert1Time = TimeGenerated\n| extend Alert1 = AlertName\n| extend Alert1Severity - = AlertSeverity\n;\nlet Alert2 = \nSecurityAlert\n| where TimeGenerated > - TimeFrame\n| where AlertName == \"Atypical travel\"\n| extend UserPrincipalName - = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert2Time - = TimeGenerated\n| extend Alert2 = AlertName\n| extend Alert2Severity = AlertSeverity\n| - extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), - \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), - \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\n| - extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), - \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), - \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\n| - extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\n| extend - PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\n;\nAlert1\n| - join kind=inner Alert2 on UserPrincipalName\n| where abs(datetime_diff(''minute'', - Alert1Time, Alert2Time)) <=10\n| extend TimeDelta = Alert1Time - Alert2Time\n| - project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, - Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, - PreviousIPAddress\n| extend AccountCustomEntity = UserPrincipalName\n| extend - IPCustomEntity = 
CurrentIPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Correlate - Unfamiliar sign-in properties and atypical travel alerts","description":"When - a user has both an Unfamiliar sign-in properties alert and an Atypical travel - alert within 20 minutes, the alert should be handled with a higher severity","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-09-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectoryIdentityProtection","dataTypes":["SecurityAlert - (IPC)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a","name":"3174a9ec-d0ad-4152-8307-94ed04fa450a","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" - ;\n(union isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| where isnotempty(FileHash)\n| - where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer - = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data - depending on table name used this may need updataing\n| where TimeGenerated - >= ago(3d)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData - = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| - extend Hashes = 
EventDetail.[16].[\"#text\"]\n| parse Hashes with * ''SHA256='' - SHA265 '','' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) - \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity - = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - ZINC related maldoc hash","description":"Document hash used by ZINC in highly - targeted spear phishing campaign.","tactics":["CommandAndControl","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-10-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587","name":"3533f74c-9207-4047-96e2-0eb9383be587","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated - > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where - Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent - to application\"\n| where TargetResources has \"offline\"\n| extend 
AppDisplayName - = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| - where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] - with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| - parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" - GrantScope1 \"]\" *\n| where ConsentFull contains \"offline_access\" and ConsentFull - contains \"Files.Read\" or ConsentFull contains \"Mail.Read\" or ConsentFull - contains \"Notes.Read\" or ConsentFull contains \"ChannelMessage.Read\" or - ConsentFull contains \"Chat.Read\" or ConsentFull contains \"TeamsActivity.Read\" - or ConsentFull contains \"Group.Read\" or ConsentFull contains \"EWS.AccessAsUser.All\" - or ConsentFull contains \"EAS.AccessAsUser.All\"\n| where GrantConsentType - != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted - to all users via an admin - but admin due diligence should be audited occasionally\n| - extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), - InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy - = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, - InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key - =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, - GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, - GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| - join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| - where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add service 
principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| - extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue - has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| - distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind - = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where - LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| - where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add - delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| - extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, - CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, - GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, - GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, - CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity - = GrantInitiatedBy, IPCustomEntity = GrantIpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - application consent for offline access","description":"This will alert when - a user consents to provide a previously-unknown Azure application with offline - access via OAuth.\nOffline access will provide the Azure App with access to - the listed resources without requiring two-factor authentication.\nConsent - to applications with offline access and read capabilities should be rare, - especially as the knownApplications list is expanded. 
Public contributions - to expand this filter are welcome!\nFor further information on AuditLogs please - see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-09T00:00:00Z","createdDateUTC":"2020-06-26T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5","name":"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic - ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| where isnotempty(FileHash)\n| - where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account - = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents - \n| where TimeGenerated >= ago(timeframe) \n| extend DNSName = Name\n| where - isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = - ClientIP\n),\n(VMConnection \n| where TimeGenerated >= ago(timeframe) \n| - parse RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| where isnotempty(DNSName)\n| - where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n)\n)\n| extend - timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity - = Computer, IPCustomEntity = 
IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - CERIUM domains and hashes","description":"CERIUM malicious webserver and hash - values for maldocs and malware. \n Matches domain name IOCs related to the - CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection - dataTypes.","tactics":["CommandAndControl","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-10-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b","name":"f30a47c1-65fb-42b1-a7f4-00941c12550b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(Url)\n| join (\n SecurityAlert\n | where TimeGenerated - >= ago(dt_lookBack)\n // Extract URL from JSON data\n | extend Url = 
extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", - 1,Entities)\n // We only want alerts that actually contain URL data\n | - where isnotempty(Url)\n // Extract hostname from JSON data for entity mapping\n | - extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised - Host\"])\n | extend Alert_TimeGenerated = TimeGenerated\n) on Url\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, - ConfidenceScore, Alert_TimeGenerated,\nAlertName, AlertSeverity, Description, - Url, Compromised_Host\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity - = Compromised_Host, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map URL entity to SecurityAlert data","description":"Identifies a match - in SecurityAlert data from any URL IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftCloudAppSecurity","dataTypes":["SecurityAlert"]},{"connectorId":"AzureSecurityCenter","dataTypes":["SecurityAlert"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467","name":"06107abb-1b68-4fdc-841b-8a1ff9301467","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Anomaly","properties":{"severity":"Informational","anomalyDefinitionVersion":"1.0.1","techniques":["T1030"],"customizableObservations":{"multiSelectObservations":null,"singleSelectObservations":null,"prioritizeExcludeObservations":null,"thresholdObservations":[{"minimum":"0","maximum":"1","value":"0.87","name":"Score","description":"Generate - an anomaly when score is greater than the chosen value","sequenceNumber":0,"rerun":"NotRequired"}]},"frequency":"P1D","displayName":"(Preview) - Excessive Downloads via Palo Alto GlobalProtect","description":"This algorithm - detects unusually high volume of download per user account via Palo Alto VPN - solution. The model is trained on the previous 14 days of the VPN logs. 
It - indicates anomalous high volume of downloads in the last day.","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2021-02-22T00:00:00Z","createdDateUTC":"2020-11-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250","name":"87890d78-3e05-43ec-9ab9-ba32f4e01250","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our - threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| - where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| - extend parts = split(DomainName, ''.'')\n| extend tld = parts[(array_length(parts)-1)]\n| - summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(DomainName)\n| join (\n SecurityAlert\n | - where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from - message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\", - 1, tolower(Entities))\n | where isnotempty(domain)\n | extend parts - = split(domain, ''.'')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate - parsed domain by checking if the TLD is in the list of TLDs in our threat - feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic - data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray - = parse_json(Entities) 
| mv-expand EntitiesDynamicArray\n // Parsing relevant - entity column extract hostname and IP address\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), - EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\n | - extend HostName = iif(EntityType == ''host'', EntityHostName, '''')\n | - extend IP_addr = iif(EntityType == ''ip'', EntityAddress, '''')\n | extend - Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n) - on $left.DomainName==$right.domain\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, - *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, - IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, - AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, - HostName, IP_addr, Url\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity - = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map Domain entity to SecurityAlert","description":"Identifies a match in - SecurityAlert table from any Domain IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"MicrosoftCloudAppSecurity","dataTypes":["SecurityAlert"]},{"connectorId":"AzureSecurityCenter","dataTypes":["SecurityAlert"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f","name":"5b72f527-e3f6-4a00-9908-8e4fee14da9f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1h;\nCommonSecurityLog \n| where TimeGenerated > ago(timeframe) - \n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", - \"deny\") \n// filter out common usage ports. Add ports that are legitimate - for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", - \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == - \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| - where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer - != \"\" \n| where DestinationIP !startswith \"10.\"\n// Filter out any graceful - reset reasons of AGED OUT which occurs when a TCP session closes with a FIN - due to aging out. 
\n| where AdditionalExtensions !has \"reason=aged-out\" - \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully - close half or both sides of a connection.\n| where AdditionalExtensions !has - \"reason=tcp-fin\" \n// Uncomment one of the following where clauses to trigger - on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// - TCP RST-server - Occurs when the server sends a TCP reset to the client\n// - | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP - RST-client - Occurs when the client sends a TCP reset to the server\n// | - where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n| extend - reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc - = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, - SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, - DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= - 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), - makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, - SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, - DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity - = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Palo - Alto - possible internal to external port 
scanning","description":"Identifies - a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more - non-graceful tcp server resets from one or more Destination IPs which \nresults - in an \"ApplicationProtocol = incomplete\" designation. The server resets - coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication - \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK - and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK","tactics":["Discovery"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39","name":"69a45b05-71f5-45ca-8944-2e038747fb39","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - endtime = 1d;\nlet starttime = 8d;\n// The threshold below excludes matching - on RDP connection computer counts of 5 or more by a given account and IP in - a given day. 
Change the threshold as needed.\nlet threshold = 5;\nSecurityEvent\n| - where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType - == 10\n// Labeling the first RDP connection time, computer and ip\n| extend - FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress - = IpAddress, Account = tolower(Account) \n| join kind=inner (\nSecurityEvent\n| - where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType - == 10\n// Labeling the second RDP connection time, computer and ip\n| extend - SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress - = IpAddress, Account = tolower(Account)\n) on Account\n// Make sure that the - first connection is after the second connection --> SecondHop > FirstHop\n// - Then identify only RDP to another computer from within the first RDP connection - by only choosing matches where the Computer names do not match --> FirstComputer - != SecondComputer\n// Then make sure the IPAddresses do not match by excluding - connections from the same computers with first hop RDP connections to multiple - computers --> FirstIPAddress != SecondIPAddress\n| where FirstComputer != - SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\n// - where the second hop occurs within 30 minutes of the first hop\n| where SecondHop - <= FirstHop+30m\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, - SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, - ProcessName\n// use left anti to exclude anything from the previous 7 days - where the Account and IP has connected 5 or more computers.\n| join kind=leftanti - (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated - < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize - makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, - 1d), Account = tolower(Account), IpAddress\n// Connection count to computer - by same 
account and IP to exclude counts of 5 or more on a given day\n| where - ComputerCount >= threshold\n| mvexpand set_Computer\n| extend Computer = toupper(set_Computer)\n) - on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress - == $right.IpAddress\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen - = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, - \nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend - timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity - = FirstComputer, IPCustomEntity = FirstIPAddress","queryFrequency":"P1D","queryPeriod":"P8D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"RDP - Nesting","description":"Identifies when an RDP connection is made to a first - system and then an RDP connection is made from the first system \nto another - system with the same account within the 60 minutes. 
Additionally, if historically - daily \nRDP connections are indicated by the logged EventID 4624 with LogonType - = 10","tactics":["LateralMovement"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-10-21T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9","name":"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"eset_CL\n| - where event_type_s == ''FilteredWebsites_Event''\n| extend AccountCustomEntity - = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, - IPCustomEntity = ipv4_s","queryFrequency":"PT5M","queryPeriod":"PT5M","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"Web - sites blocked by Eset","description":"Create alert on web sites blocked by - 
Eset.","tactics":["Exfiltration","CommandAndControl","InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-09T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"EsetSMC","dataTypes":["eset_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4","name":"223db5c1-1bf8-47d8-8806-bed401b356a4","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP - = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet - azPortalSignins = materialize(SigninLogs\n| where TimeGenerated >= ago(lookBack)\n// - Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins - = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal - only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", - \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend - Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, - UserPrincipalName, Id, ResultType\n;\nlet failPortalSignins = azPortalSignins\n| - where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure - Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n// Tagging - identities not resolved to friendly names\n| extend Unresolved = iff(Identity - matches regex isGUID, true, false)\n;\n// Verify there is no success for the - same connection attempt after the fail\nlet failnoSuccess = failPortalSignins - | join kind= leftouter (\n successPortalSignins \n) on 
UserPrincipalName, - Id\n| where TimeGenerated > TimeGenerated1\n| project-away TimeGenerated1, - UserPrincipalName1, Id1, ResultType1\n;\n// Lookup up resolved identities - from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated - >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize - by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// - Join resolved names to unresolved list from portal signins\nlet unresolvedNames - = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup - \n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName - = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// - Join Signins that had resolved names with list of unresolved that now have - a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved - == false | union unresolvedNames;\nu_azPortalSignins\n| extend Status = strcat(ResultType, - \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser - = tostring(DeviceDetail.browser)\n| extend FullLocation = strcat(Location,''|'', - LocationDetails.state, ''|'', LocationDetails.city)\n| summarize TimeGenerated - = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), - IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, - UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\n| mvexpand - TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), - IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away - IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) - by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, - IPAddressCount, AppDisplayName, Browser, OS, FullLocation\n| where (IPAddressCount - >= threshold_IPAddressCount and 
FailedLogonCount >= threshold_Failed) or FailedLogonCount - >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, AccountCustomEntity - = UserPrincipalName, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - login attempts to Azure Portal","description":"Identifies failed login attempts - in the Azure Active Directory SigninLogs to the Azure Portal. Many failed - logon \nattempts or some failed logon attempts from multiple IPs could indicate - a potential brute force attack. \nThe following are excluded due to success - and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - - successful logon\n50125 - Sign-in was interrupted due to a password reset - or password registration entry.\n50140 - This error occurred due to ''Keep - me signed in'' interrupt when the user was signing-in.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80","name":"1ce5e766-26ab-4616-b7c8-3b33ae321e80","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\n//Adjust this threshold to fit environment\nlet signin_threshold - = 5; \n//Make a list of 
IPs with failed Windows host logins above threshold\nlet - win_fails = \nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where - EventID == 4625\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| - summarize count() by IpAddress\n| where count_ > signin_threshold\n| summarize - make_list(IpAddress);\n//Make a list of IPs with failed *nix host logins above - threshold\nlet nix_fails = \nSyslog\n| where TimeGenerated > ago(timeframe)\n| - where Facility contains ''auth'' and ProcessName != ''sudo''\n| extend SourceIP - = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| - where SourceIP != \"\" and SourceIP != \"127.0.0.1\"\n| summarize count() - by SourceIP\n| where count_ > signin_threshold\n| summarize make_list(SourceIP);\n//See - if any of the IPs with failed host logins hve had a sucessful Azure AD login\nSigninLogs\n| - where TimeGenerated > ago(timeframe)\n| where ResultType !in (\"0\", \"50125\", - \"50140\")\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\n| - extend Reason= \"Multiple failed host logins from IP address with successful - Azure AD login\"\n| extend timstamp = TimeGenerated, AccountCustomEntity = - UserPrincipalName, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - host logons but success logon to AzureAD","description":"Identifies a list - of IP addresses with a minimum number(default of 5) of failed logon attempts - to remote hosts.\nUses that list to identify any successful logons to Azure - Active Directory from these IPs within the same 
timeframe.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"Syslog","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f","name":"d564ff12-8f53-41b8-8649-44f76b37b99f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 14d;\n// How many greater than Service Connections you want to - view per build/release\nlet ServiceConnectionThreshold = 4;\nlet BypassDefIds - = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", - \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", - \"Build\", \"ProjectB\"\n];\nAzureDevOpsAuditing\n| where TimeGenerated >= - ago(timeframe)\n| where OperationName == \"Library.ServiceConnectionExecuted\" - \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), - ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with - OrganizationName '' (Organization)''\n| summarize CurrentCount = dcount(tostring(ConnectionId)), - ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated) \n by OrganizationName, tostring(DefId), tostring(Type), - ProjectId, ProjectName\n| where CurrentCount > ServiceConnectionThreshold\n| - join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == - $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iif(\n Type - == \"Build\", 
strcat(''https://dev.azure.com/'', OrganizationName, ''/'', - ProjectName, ''/_build?definitionId='', DefId),\n strcat(''https://dev.azure.com/'', - OrganizationName, ''/'', ProjectName, ''/_release?_a=releases&view=mine&definitionId='', - DefId))\n| extend timestamp = StartTime","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Azure - DevOps Service Conection Abuse","description":"Flags builds/releases that - use a large number of service connections if they aren''t manually allowlisted.\nThis - is to determine if someone is hijacking a build/release and adding many service - connections in order to abuse \nor dump credentials from service connections.","tactics":["Persistence","Impact"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-05T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514","name":"f110287e-1358-490d-8147-ed804b328514","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| 
extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // - renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\nTI_ipEntity, - EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, - UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, - EmailSourceIpAddress\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity - = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity - = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to AWSCloudTrail","description":"Identifies a match in AWSCloudTrail - from any IP IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5","name":"2954d424-f786-4677-9ffc-c24c44c6e7d5","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where published_t >= - timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s - =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\n| - where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity - = actor_alternateId_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"User - Login from Different Countries within 3 hours","description":"This query searches - for successful user logins to the Okta Console from different countries within - 3 
hours","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"OktaSSO","dataTypes":["Okta_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315","name":"f2eb15bd-8a88-4b24-9281-e133edfba315","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n SigninLogs | where TimeGenerated >= ago(dt_lookBack)\n | - extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | - extend Region = tostring(LocationDetails[\"countryOrRegion\"]), State = tostring(LocationDetails[\"state\"]), - City = tostring(LocationDetails[\"city\"])\n // renaming time column so - it is clear the log this came from\n | extend 
SigninLogs_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPAddress\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\nTI_ipEntity, - IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, - NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp - = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity - = IPAddress, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to SigninLogs","description":"Identifies a match in SigninLogs - from any IP IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d","name":"074ce265-f684-41cd-af07-613c5f3e6d0d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet DomainNames = dynamic([\"irf.services\",\"microsoft-onthehub.com\",\"msofficelab.com\",\"com-mailbox.com\",\"my-sharefile.com\",\"my-sharepoints.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\n\"onedrive-sharedfile.com\",\"onedrv-live.com\",\"transparencyinternational-my-sharepoint.com\",\"transparencyinternational-my-sharepoints.com\",\"soros-my-sharepoint.com\"]);\n(union - isfuzzy=true\n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) - \n| parse Message with * ''('' DNSName '')'' * \n| extend Account = SourceUserID, - Host = DeviceName, IPAddress = SourceIP),\n(DnsEvents \n| where TimeGenerated - >= ago(timeframe) \n| extend IPAddress = ClientIP, DNSName = Name, Host = - Computer),\n(VMConnection \n| where TimeGenerated >= ago(timeframe) \n| parse - RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| extend IPAddress - = RemoteIp, Host = Computer)\n)\n| where isnotempty(DNSName)\n| where DNSName in~ - (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity 
= IPAddress, - AccountCustomEntity = Account, HostCustomEntity = Host","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - STRONTIUM group domains - July 2019","description":"Matches domain name IOCs - related to Strontium group activity published July 2019 with CommonSecurityLog, - DnsEvents and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-07-25T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb","name":"b3cfc7c0-092c-481c-a55b-34a3979758cb","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft - Cloud App Security","displayName":"Create incidents based on Microsoft Cloud - App Security alerts","description":"Create incidents based on all alerts generated - in Microsoft Cloud App 
Security","lastUpdatedDateUTC":"2019-07-16T00:00:00Z","createdDateUTC":"2019-07-16T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftCloudAppSecurity","dataTypes":["SecurityAlert - (MCAS)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380","name":"173f8699-6af5-484a-8b06-8c47ba89b380","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"// - Adjust this value to change how many Teams should be deleted before including\nlet - max_delete_count = 3;\n// Adjust this value to change the timewindow the query - runs over\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\" - \n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\n| - where array_length(DeletedTeams) > max_delete_count\n| extend timestamp = - StartTime, AccountCustomEntity = UserId","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]}],"displayName":"Multiple - Teams deleted by a single user","description":"This detection flags the occurrences - of deleting multiple teams within an hour.\nThis data is a part of Office - 365 Connector in Azure Sentinel.","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-09-13T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity - 
(Teams)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99","name":"a35f2c18-1b97-458f-ad26-e033af18eb99","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\nlet - WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nSecurityEvent - \n| where TimeGenerated > ago(timeframe)\n// When MemberName contains ''-'' - this indicates addition of a group to a group\n| where AccountType == \"User\" - and MemberName != \"-\"\n// 4728 - A member was added to a security-enabled - global group\n// 4732 - A member was added to a security-enabled local group\n// - 4756 - A member was added to a security-enabled universal group\n| where EventID - in (4728, 4732, 4756) \n| where TargetSid matches regex WellKnownLocalSID - or TargetSid matches regex WellKnownGroupSID\n// Exclude Remote Desktop Users - group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| extend SimpleMemberName - = tostring(split(tostring(split(MemberName, \",\")[0]),\"CN=\")[1])\n| project - StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, - MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, - SubjectUserName, SubjectUserSid\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = SimpleMemberName, HostCustomEntity = 
Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"User - account added to built in domain local or global group","description":"Identifies - when a user account has been added to a privileged built in domain local group - or global group \nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. - Be sure to verify this is an expected addition.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c","name":"4f19d4e3-ec5f-4abc-9e61-819eb131758c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", - \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| - where TimeGenerated >= ago(timeframe)\n| where EventName in~ (EventNameList)\n| - extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, - SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, - User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \nAdditionalEventData, - UserIdentityAccountId, 
UserIdentityPrincipalid, ResponseElements\n| extend - timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Changes - to AWS Security Group ingress and egress settings","description":"A Security - Group acts as a virtual firewall of an instance to control inbound and outbound - traffic. \n Hence, ingress and egress settings changes to AWS Security Group - should be monitored as these can expose the enviornment to new attack vectors.\nMore - information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.","tactics":["Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf","name":"737a2ce1-70a3-4968-9e90-3e6aca836abf","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MLBehaviorAnalytics","properties":{"severity":"Medium","displayName":"(Preview) - Anomalous RDP Login Detections","description":"This detection uses machine - learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, - based on Windows Security Event data. 
Scenarios include:\n\n*\tUnusual IP - - This IP address has not or has rarely been seen in last 30 days.\n*\tUnusual - Geo - The IP address, city, country and ASN have not (or rarely) been seen - in last 30 days.\n*\tNew user - A new user logs in from an IP address and - geo location, both or either of which are not expected to be seen in the last - 30 days.\n\nAllow 7 days after this alert is enabled for Azure Sentinel to - build a profile of normal activity for your environment.\t\n\nThis detection - requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2020-07-16T00:00:00Z","createdDateUTC":"2020-04-02T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d","name":"9713e3c0-1410-468d-b79e-383448434b2d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, 
NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // - renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| summarize LatestIndicatorTime - = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, - ConfidenceScore, VMConnection_TimeGenerated,\nTI_ipEntity, Computer, Direction, - ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, - NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| - extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, - HostCustomEntity = Computer, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to VMConnection","description":"Identifies a match in VMConnection - from any IP IOC from 
TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388","name":"19e01883-15d8-4eb6-a7a5-3276cd668388","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeFrame = 1d;\nlet timeBin = 1m;\nlet failedThreshold = 20;\nW3CIISLog\n| - where TimeGenerated >= ago(timeFrame)\n| where scStatus in (\"401\",\"403\")\n| - where csUserName != \"-\"\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) - \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull - == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull - == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull - == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", - \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization - failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull - == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// - Mapping to Hex so can be mapped using website in comments above\n| extend - scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| - extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", 
\"The - referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex - =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex - =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex - =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex - =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", - \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect - function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file - specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path - specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", - \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ - \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", - \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// - decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// - Count of failed attempts from same client IP\n| summarize makeset(decodedUriQuery), - makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), - makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), - makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount - = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| where FailedConnectionsCount - >= failedThreshold\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, - Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, - set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, - FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp - = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = 
cIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"High - count of failed attempts from same client IP","description":"Identifies when - 20 or more failed attempts from a given client IP in 1 minute occur on the - IIS server.\nThis could be indicative of an attempted brute force. This could - also simply indicate a misconfigured service or device.\nRecommendations: - Validate that these are expected connections from the given Client IP. If - the client IP is not recognized, \npotentially block these connections at - the edge device.\nIf these are expected connections, verify the credentials - are properly configured on the system, service, application or device \nthat - is associated with the client IP.\nReferences:\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 - Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-03-19T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749","name":"e70fa6e0-796a-4e85-9420-98b17b0bb749","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"DeviceInfo\n| - extend DeviceName = tolower(DeviceName)\n| join (SecurityAlert\n| where ProviderName - =~ \"MDATP\"\n| 
extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| - where ThreatName has \"Solorigate\"\n| extend HostCustomEntity = tolower(CompromisedEntity)\n) - on $left.DeviceName == $right.HostCustomEntity\n| project TimeGenerated, DisplayName, - ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, - LoggedOnUsers, DeviceId, TenantId\n| extend timestamp = TimeGenerated, IPCustomEntity - = PublicIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Solorigate - Defender Detections","description":"Surfaces any Defender Alert for Solorigate - Events. In Azure Sentinel the SecurityAlerts table includes only the Device - Name of the affected device, this query joins the DeviceInfo table to clearly - connect other information such as \n Device group, ip, logged on users etc. 
- This way, the Sentinel user can have all the pertinent device info in one - view for all the the Solarigate Defender alerts.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-17T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftDefenderAdvancedThreatProtection","dataTypes":["SecurityAlert - (MDATP)"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceInfo"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498","name":"7249500f-3038-4b83-8549-9cd8dfa2d498","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d;\nlet DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", - \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", - \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", - \"t20saudiarabia@outlook.sa\"]);\n(union isfuzzy=true\n(CommonSecurityLog - \n| where TimeGenerated >= ago(timeframe)\n| parse Message with * ''('' DNSName - '')'' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP - = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any - (DomainNames)) \n or (isnotempty(DestinationHostName) and DestinationHostName - has_any (DomainNames)) \n or (isnotempty(RequestURL) and (RequestURL has_any - (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity - = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents \n| where TimeGenerated - >= ago(timeframe) \n| extend DestinationIPAddress = IPAddresses, DNSName = - Name, Host = Computer\n| where 
DNSName has_any (DomainNames) \n| extend timestamp - = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = - Host),\n(VMConnection \n| where TimeGenerated >= ago(timeframe) \n| parse - RemoteDnsCanonicalNames with * ''[\"'' DNSName ''\"]'' *\n| where isnotempty(DNSName)\n| - where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , - HostCustomEntity = Computer),\n(SecurityAlert\n| where TimeGenerated >= ago(timeframe) - \n| where ProviderName =~ ''OATP''\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), - parse_json(Entities)[0].Upn, \n isnotempty(parse_json(Entities)[1].Upn), - parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), - parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), - parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), - parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), - parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), - parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), - parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), - parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| - where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, - AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where TimeGenerated - >= ago(timeframe) \n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s - has_any (DomainNames)\n| extend timestamp = TimeGenerated))","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - PHOSPHORUS group domains/IP - October 
2020","description":"Matches IOCs related - to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, - DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: ","tactics":["CommandAndControl","InitialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2020-10-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog - (Cisco)"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog - (PaloAlto)"]},{"connectorId":"Zscaler","dataTypes":["CommonSecurityLog (Zscaler)"]},{"connectorId":"Fortinet","dataTypes":["CommonSecurityLog - (Fortinet)"]},{"connectorId":"OfficeATP","dataTypes":["SecurityAlert (OATP)"]},{"connectorId":"AzureFirewall","dataTypes":["AzureDiagnostics - (Azure Firewall)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70","name":"4d8de9e6-263e-4845-8618-cd23a4f58b70","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to - Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet - AuthorizedBypassers = dynamic([''foo@baz.com'', ''test@foo.com'']);\nlet historicBypassers - = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| - where OperationName == ''Git.RefUpdatePoliciesBypassed''\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| - where TimeGenerated >= ago(endtime)\n| where OperationName == ''Git.RefUpdatePoliciesBypassed''\n| - where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| - parse ScopeDisplayName with OrganizationName ''(Organization)''\n| project - TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, - RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \n BypassReason - = Data.BypassReason, PRLink = strcat(''https://dev.azure.com/'', OrganizationName, - ''/'', ProjectName, ''/_git/'', Data.RepoName, ''/pullrequest/'', Data.PullRequestId)\n| - extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity - = IpAddress","queryFrequency":"PT3H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Azure - DevOps Pull Request Policy Bypassing - Historic Allowlist","description":"This - detection builds a Allowlist of historic PR policy bypasses and compares to - recent history, flagging a non manually allowlisted, non historic pull request - 
bypass.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-05T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df","name":"ee1d718b-9ed9-4a71-90cd-a483a4f008df","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Office - 365 Advanced Threat Protection","displayName":"Create incidents based on Office - 365 Advanced Threat Protection alerts","description":"Create incidents based - on all alerts generated in Office 365 Advanced Threat Protection","lastUpdatedDateUTC":"2020-09-01T00:00:00Z","createdDateUTC":"2020-04-20T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"OfficeATP","dataTypes":["SecurityAlert - (OATP)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72","name":"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Azure - Security Center for IoT","displayName":"Create incidents based on Azure Security - Center for IoT alerts","description":"Create incidents based on all alerts - generated in Azure Security Center for IoT","lastUpdatedDateUTC":"2019-12-24T00:00:00Z","createdDateUTC":"2019-12-24T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"IoT","dataTypes":["SecurityAlert - (ASC for 
IoT)"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b","name":"ac891683-53c3-4f86-86b4-c361708e2b2b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 3d;\n// Allowlisted UPNs should likely stay empty\nlet AllowlistedUpns - = datatable(UPN:string)[''foo@bar.com'', ''test@foo.com''];\n// Operation - Name parts that will alert\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[''Security.'',''Project.'',''AuditLog.'',''Extension.''];\n// - Distinct Operation Names that will flag\nlet HasExactBlocklist = datatable(OperationName:string)[''Group.UpdateGroupMembership.Add'',''Library.ServiceConnectionExecuted'',''Pipelines.PipelineModified'',\n''Release.ReleasePipelineModified'', - ''Git.RefUpdatePoliciesBypassed''];\nAzureDevOpsAuditing\n| where TimeGenerated - >= ago(timeframe)\n| where AuthenticationMechanism startswith \"PAT\" and - (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\n and - ActorUPN !in (AllowlistedUpns)\n| project TimeGenerated, AuthenticationMechanism, - ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, - Details, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, - IPCustomEntity = IpAddress","queryFrequency":"PT1H","queryPeriod":"PT3H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Azure - DevOps Personal Access Token (PAT) misuse","description":"This Alert detects - whenever a PAT is used in ways that 
PATs are not normally used. May require - Allowlisting and baselining.\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\nUse - this query for baselining:\nAzureDevOpsAuditing\n| distinct OperationName","tactics":["Execution","Impact"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-05T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4","name":"0b9ae89d-8cad-461c-808f-0494f70ad5c4","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nlet PerUserThreshold = 5;\nlet TotalThreshold = 100;\nlet - action = dynamic([\"change\", \"changed\", \"reset\"]);\nlet pWord = dynamic([\"password\", - \"credentials\"]);\nlet PasswordResetMultiDataSource =\n(union isfuzzy=true\n(//Password - reset events\n//4723: An attempt was made to change an account''s password\n//4724: - An attempt was made to reset an accounts password\nSecurityEvent\n| where - TimeGenerated >= ago(timeframe)\n| where EventID in (\"4723\",\"4724\")\n| - project TimeGenerated, Computer, AccountType, Account, Type),\n(//Azure Active - Directory Password reset events\nAuditLogs\n| where TimeGenerated >= ago(timeframe)\n| - where OperationName has_any (pWord) and OperationName has_any (action)\n| - extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), - \nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\n| - project TimeGenerated, AccountType, Account, Computer = TargetResourceName, - Type),\n(//OfficeActive ActiveDirectory Password reset 
events\nOfficeActivity\n| - where TimeGenerated >= ago(timeframe)\n| where OfficeWorkload == \"AzureActiveDirectory\" - \n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any - (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any - (action))\n| extend AccountType = UserType, Account = OfficeObjectId \n| project - TimeGenerated, AccountType, Account, Type, Computer = \"\"),\n(// Unix syslog - password reset events\nSyslog\n| where TimeGenerated >= ago(timeframe)\n| - where Facility in (\"auth\",\"authpriv\")\n| where SyslogMessage has_any (pWord) - and SyslogMessage has_any (action)\n| extend AccountType = iif(SyslogMessage - contains \"root\", \"Root\", \"Non-Root\")\n| parse SyslogMessage with * \"password - changed for\" Account\n| project TimeGenerated, AccountType, Account, Computer - = HostName, Type),\n(SigninLogs\n| where TimeGenerated >= ago(timeframe)\n| - where OperationName =~ \"Sign-in activity\" and ResultType has_any (\"50125\", - \"50133\")\n| project TimeGenerated, AccountType = AppDisplayName, Computer - = IPAddress, Account = UserPrincipalName, Type\n)\n);\nlet pwrmd = PasswordResetMultiDataSource\n| - project TimeGenerated, Computer, AccountType, Account, Type;\n(union isfuzzy=true \n(pwrmd\n| - summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() - by Account, Type\n| where Total > PerUserThreshold\n| extend ResetPivot = - \"PerUserReset\"), \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), - AccountType = makeset(AccountType), Total=count() by Type\n| where Total > - TotalThreshold\n| extend ResetPivot = \"TotalUserReset\")\n)\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
tostring(Computer)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Multiple - Password Reset by user","description":"This query will determine multiple - password resets by user across multiple data sources. \nAccount manipulation - including password reset may aid adversaries in maintaining access to credentials - \nand certain permission levels within an environment.","tactics":["InitialAccess","CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-09-03T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"Syslog","dataTypes":["Syslog"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63","name":"6ee72a9e-2e54-459c-bc9a-9c09a6502a63","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d; \nlet IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", - \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", - \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", - \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", - \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", - \"107.182.18.149\", \"107.174.45.134\", \n 
\"149.248.18.104\", \"65.49.192.74\", - \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", - \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", - \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", - \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", - \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", - \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", - \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", - \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true - \n(CommonSecurityLog \n| where TimeGenerated >= ago(timeframe) \n| where - isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) - or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch - = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", - \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc - = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, - Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, - IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch - == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP - in Message Field\") \n), \n(OfficeActivity \n| where TimeGenerated >= ago(timeframe) \n|extend - SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in - (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress - , AccountCustomEntity = Account \n), \n(DnsEvents \n| where TimeGenerated - >= ago(timeframe) \n| extend DestinationIPAddress = IPAddresses, Host = - Computer \n| where DestinationIPAddress has_any (IPList) \n| extend timestamp - = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity 
= - Host \n), \n(VMConnection \n| where TimeGenerated >= ago(timeframe) \n| - where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp - in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp - in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| - extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", - SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer - \n), \n(Event \n| where TimeGenerated >= ago(timeframe) \n| where Source == - \"Microsoft-Windows-Sysmon\" \n| where EventID == 3 \n| extend EvData = parse_xml(EventData) - \n| extend EventDetail = EvData.DataItem.EventData.Data \n| extend SourceIP - = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"] - \n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch - = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", - \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, - HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", - SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\") \n), \n(WireData \n| - where TimeGenerated >= ago(timeframe) \n| where isnotempty(RemoteIP) \n| where - RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity - = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where TimeGenerated - >= ago(timeframe) \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) - \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, - IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where TimeGenerated >= ago(timeframe) - \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = - TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity - = csUserName \n), \n(AzureActivity \n| where TimeGenerated >= ago(timeframe) - \n| where 
isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) - \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity - = Caller \n), \n( \nAWSCloudTrail \n| where TimeGenerated >= ago(timeframe) - \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) - \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity - = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where TimeGenerated - >= ago(timeframe) \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| - extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity - = DeviceName \n) \n)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - Barium IP","description":"Identifies a match across various data feeds for - IP IOCs related to the Barium activity group. 
\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer'' - ","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-12-22T00:00:00Z","createdDateUTC":"2020-11-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"AzureMonitor(WireData)","dataTypes":["WireData"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]},{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0","name":"a83ef0f4-dace-4767-bce3-ebd32599d2a0","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nDnsEvents\n| where TimeGenerated > ago(timeframe)\n| where - Name contains \".\"\n| where Name has_any (\"tor2web.org\", \"tor2web.com\", - \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", - \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", - \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", - \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", - 
\"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", - \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", - \"hiddenservice.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity - = ClientIP, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"DNS - events related to ToR proxies","description":"Identifies IP addresses performing - DNS lookups associated with common ToR proxies.","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb","name":"3255ec41-6bd6-4f35-84b1-c032b18bbfcb","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 1d;\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons - diffs that fall below this threshold \nlet TotalBeaconsThreshold = 4; // minimum - number of beacons required in a session to surface a row\nlet JitterTolerance - = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either - side of the periodicity\nlet PrivateIPregex = @\"^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.\"; - // exclude destinations that fall into this category\nCommonSecurityLog\n| - where DeviceVendor == \"Fortinet\"\n| where TimeGenerated > ago(starttime)\n// - eliminate bad data\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) - and SourceIP != \"0.0.0.0\"\n// filter out deny, close, rst and SNMP to reduce - data volume\n| where DeviceAction !in (\"close\", \"client-rst\", \"server-rst\", - \"deny\") and DestinationPort != 161\n// map input fields\n| project TimeGenerated - , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction - \n// where destination IPs are public\n| extend DestinationIPType = iff(DestinationIP - matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType - == \"public\"\n// sort into source->destination ''sessions''\n| sort by SourceIP - asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\n| serialize\n// - time diff the contact times between source and destination to get a list of - deltas\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP - = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, - 1)\n| extend TimeDeltainSeconds = datetime_diff(\"second\",nextTimeGenerated,TimeGenerated)\n| - where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort - == nextDestPort\n// remove small time deltas below the set threshold\n| where - TimeDeltainSeconds > TimeDeltaThresholdInSeconds\n| project TimeGenerated, - TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, - SentBytes, DeviceAction \n// summarize the deltas by source->destination\n| - summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), - sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) 
- by SourceIP, DestinationIP, DestinationPort\n// get some statistical properties - of the delta distribution and smooth any outliers (e.g. laptop shut overnight, - working hours)\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\n// - expand the deltas and the outliers\n| mvexpand list_TimeDeltainSeconds to - typeof(double), outliers to typeof(double)\n// replace outliers with the average - of the distribution\n| extend list_TimeDeltainSeconds_normalized=iff(outliers - > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\n// - summarize with the smoothed distribution\n| summarize BeaconCount=count(), - makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), - makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, - DestinationPort, sum_ReceivedBytes, sum_SentBytes\n// get stats on the smoothed - distribution\n| extend series_stats(list_TimeDeltainSeconds_normalized)\n// - match jitter tolerance on smoothed distrib\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\n| - where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\n// - where the minimum beacon threshold is satisfied and there was some data transfer\n| - where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes - > 0)\n// final projection\n| project StartTime, EndTime, SourceIP, DestinationIP, - DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, - Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, - SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\n// where periodicity - is order of magnitude larger than time delta threshold (eliminates FPs whose - periodicity is close to the values we ignored)\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\n| - extend timestamp = 
StartTime, IPCustomEntity = DestinationIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Fortinet - - Beacon pattern detected","description":"Identifies patterns in the time - deltas of contacts between internal and external IPs in Fortinet network data - that are consistent with beaconing.\n Accounts for randomness (jitter) and - seasonality such as working hours that may have been introduced into the beacon - pattern.\n The lookback is set to 1d, the minimum granularity in time deltas - is set to 60 seconds and the minimum number of beacons required to emit a\n - detection is set to 4.\n Increase the lookback period to capture beacons with - larger periodicities.\n The jitter tolerance is set to 0.2 - This means we - account for an overall 20% deviation from the infered beacon periodicity. - Seasonality is dealt with\n automatically using series_outliers.\n Note: In - large environments it may be necessary to reduce the lookback period to get - fast query times.","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-03-31T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Fortinet","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f","name":"826bb2f8-7894-4785-9a6b-a8a855d8366f","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\nlet - createPolicy = \"CreatePolicy\";\nlet timeframe = 1d;\nlet 
lookback = 14d;\n// - Creating Master table with all the events to use with materialize for better - performance\nlet EventInfo = AWSCloudTrail\n| where TimeGenerated >= ago(lookback)\n| - where EventName in (EventNameList) or EventName == createPolicy;\n//Checking - for Policy creation event with Full Admin Privileges since lookback period.\nlet - FullAdminPolicyEvents = materialize( EventInfo\n| where TimeGenerated >= - ago(lookback)\n| where EventName == createPolicy\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n| - extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n| - mvexpand Statement\n| extend Action = parse_json(Statement).Action , Effect - = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\n| - mvexpand Action\n| extend Action = tostring(Action)\n| where Effect =~ \"Allow\" - and Action == \"*\" and Resource == \"*\"\n| distinct TimeGenerated, EventName, - PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\n| extend - UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, - tostring(split(UserIdentityArn,''/'')[-1]))\n| project-rename StartTime = - TimeGenerated );\nlet PolicyAttach = materialize( EventInfo\n| where TimeGenerated - >= ago(timeframe)\n| where EventName in (EventNameList)\n| extend PolicyName - = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n| - summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime - = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, - SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, - tostring(split(UserIdentityArn,''/'')[-1])), PolicyName\n| extend AttachEvent - = pack(\"StartTime\", StartTime, \"EndTime\", EndTime, \"EventName\", EventName, - \"UserIdentityType\", UserIdentityType, \"UserIdentityArn\", UserIdentityArn, - 
\"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n| - project EventSource, PolicyName, AttachEvent, AttachEventCount\n);\n// Joining - the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n// - These Roles/Users/Groups will be Privileged and can be used by adversaries - as pivot point for privilege escalation via multiple ways.\nFullAdminPolicyEvents\n| - join kind=leftouter\n(\n PolicyAttach\n)\non PolicyName\n| project-away - PolicyName1\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, - AccountCustomEntity = UserIdentityUserName","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Full - Admin policy created and then attached to Roles, Users or Groups","description":"Identity - and Access Management (IAM) securely manages access to AWS services and resources. - \nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
- \nThis policy can be attached to role,user or group and may be used by an - adversary to escalate a normal user privileges to an adminsitrative level.\nAWS - IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\nand - AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html","tactics":["PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-04-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8","name":"79566f41-df67-4e10-a703-c38a6213afd8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - auditLookback = 1h;\nAuditLogs\n| where TimeGenerated > ago(auditLookback)\n| - where OperationName has_any (\"Add service principal\", \"Certificates and - secrets management\") // captures \"Add service principal\", \"Add service - principal credentials\", and \"Update application - Certificates and secrets - management\" events\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| - where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) - has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| - extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| - extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| - where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set - = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = 
parse_json(tostring(keyEvents.oldValue))\n| - where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, - old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" - keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string - \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or - keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| - extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), - tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), - tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// - The below line is currently commented out but Azure Sentinel users can modify - this query to show only Application or only Service Principal events in their - environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| - project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, - OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, - targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, - TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, - IPCustomEntity = InitiatingIpAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"New - access credential added to Application or Service Principal","description":"This - will alert when an admin or app owner account adds a new credential to an - Application or 
Service Principal where a verify KeyCredential was already - present for the app.\nIf a threat actor obtains access to an account with - sufficient privileges and adds the alternate authentication material triggering - this event, the threat actor can now authenticate as the Application or Service - Principal using this credential.\nAdditional information on OAuth Credential - Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor - further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2021-01-31T00:00:00Z","createdDateUTC":"2020-11-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["AuditLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79","name":"3d645a88-2724-41a7-adea-db74c439cf79","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 5000;\nSophosXGFirewall\n| where TimeGenerated - >= timeframe\n| where Log_Type =~ \"Firewall\" and Status =~ \"Deny\"\n| summarize - count() by Src_IP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| extend - timestamp = TimeGenerated, IPCustomEntity = Src_IP","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Excessive - Amount of Denied Connections from a Single Source","description":"This creates - an incident in the 
event that a single source IP address generates a excessive - amount of denied connections.","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-07-08T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SophosXGFirewall","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376","name":"a357535e-f722-4afe-b375-cff362b2b376","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - endtime = 1d;\n(union isfuzzy=true\n(OfficeActivity | where TimeGenerated - >= ago(endtime) | where UserAgent != \"\"),\n(OfficeActivity\n| where TimeGenerated - >= ago(endtime)\n| where RecordType in (\"AzureActiveDirectory\", \"AzureActiveDirectoryStsLogon\")\n| - extend OperationName = Operation\n| parse ExtendedProperties with * ''User-Agent\\\\\":\\\\\"'' - UserAgent2 ''\\\\'' *\n| parse ExtendedProperties with * ''UserAgent\", \"Value\": - \"'' UserAgent1 ''\"'' *\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\n| - extend UserAgent = iff( RecordType == ''AzureActiveDirectoryStsLogon'', UserAgent1, - UserAgent2)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) - by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(AzureDiagnostics\n| - where TimeGenerated >= ago(endtime)\n| where ResourceType =~ \"APPLICATIONGATEWAYS\" - \n| where OperationName =~ \"ApplicationGatewayAccess\" \n| extend ClientIP - = columnifexists(\"clientIP_s\", \"None\"), UserAgent = columnifexists(\"userAgent_s\", - \"None\")\n| where UserAgent != ''-''\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, 
requestUri_s, - httpMethod_s, host_s, requestQuery_s, Type\n),\n(\nW3CIISLog\n| where TimeGenerated - >= ago(endtime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = - min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, - SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| - where TimeGenerated >= ago(endtime)\n| where isnotempty(UserAgent)\n| summarize - StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, - SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, - EventName\n),\n(SigninLogs\n| where TimeGenerated >= ago(endtime)\n| where - isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime - = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, - Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, - ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where TimeGenerated - >= ago(endtime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = - UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), - AppDisplayName, ClientAppUsed\n)\n)\n// Likely artefact of hardcoding\n| where - UserAgent startswith \"User\" or UserAgent startswith ''\\\"''\n// Incorrect - casing\nor (UserAgent startswith \"Mozilla\" and not(UserAgent containscs - \"Mozilla\"))\n// Incorrect casing\nor UserAgent containscs \"(Compatible;\"\n// - Missing MSIE version\nor UserAgent matches regex @\"MSIE\\s?;\"\n// Incorrect - spacing around MSIE version\nor UserAgent matches regex @\"MSIE(?:\\d|.{1,5}?\\d\\s;)\"\n| - extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity - = 
Account","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Malformed - user agent","description":"Malware authors will sometimes hardcode user agent - string values when writing the network communication component of their malware.\nMalformed - user agents can be an indication of such malware.","tactics":["InitialAccess","CommandAndControl","Execution"],"lastUpdatedDateUTC":"2021-02-10T00:00:00Z","createdDateUTC":"2019-01-25T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"WAF","dataTypes":["AzureDiagnostics"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]},{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c","name":"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 4h;\n// Change to true to monitor for Project Administrator adds - to *any* project\nlet MonitorAllProjects = false;\n// If MonitorAllProjects - is false, trigger only on Project Administrator add for the following projects\nlet - ProjectsToMonitor = dynamic(['''','''']);\nAzureDevOpsAuditing\n| - where TimeGenerated >= ago(timeframe)\n| where Area == \"Group\" and OperationName - == \"Group.UpdateGroupMembership.Add\"\n| where Details has ''Administrators''\n| - 
where Details has \"was added as a member of group\" and (Details endswith - ''\\\\Project Administrators'' or Details endswith ''\\\\Project Collection - Administrators'')\n| parse Details with AddedIdentity '' was added as a member - of group ['' EntityName '']\\\\'' GroupName\n| extend Level = iif(GroupName - == ''Project Collection Administrators'', ''Organization'', ''Project''), - AddedIdentityId = Data.MemberId\n| extend Severity = iif(Level == ''Organization'', - ''High'', ''Medium''), AlertDetails = strcat(''At '', TimeGenerated, '' UTC - '', ActorUPN, ''/'', ActorDisplayName, '' added '', AddedIdentity, '' to the - '', EntityName, '' '', Level)\n| where MonitorAllProjects == true or EntityName - in (ProjectsToMonitor) or Level == ''Organization''\n| project TimeGenerated, - Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, - Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \n ActorIpAddress - = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\n| extend timestamp - = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress","queryFrequency":"PT4H","queryPeriod":"PT4H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Azure - DevOps Administrator Group Monitoring","description":"This detection monitors - for additions to project or project collection administration groups in an - Azure DevOps 
Organization.","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-06-05T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e","name":"795edf2d-cf3e-45b5-8452-fe6c9e6a582e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1h;\nCommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| - where isempty(CommunicationDirection) \n| where DeviceEventClassID in (\"733101\",\"733102\",\"733103\",\"733104\",\"733105\")\n| - extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity - = DeviceName","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Cisco - ASA - threat detection message fired","description":"Identifies when the Cisco - ASA Threat Detection engine fired an alert based on malicious activity occurring - on the network inicated by DeviceEventClassID 733101-733105\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails - on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html","tactics":["Discovery","Impact"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-28T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0","name":"2441bce9-02e4-407b-8cc7-7d597f38b8b0","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) - or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As - there is potentially more than 1 indicator type for matching IP, taking NetworkIP - first, then others if that is empty.\n// Taking the first non-empty value - based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), - NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity - = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, - TI_ipEntity)\n| join (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // - renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| summarize - 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\nTI_ipEntity, - CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, - NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| - extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, - AccountCustomEntity = Caller, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map IP entity to AzureActivity","description":"Identifies a match in AzureActivity - from any IP IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7","name":"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - threshold = 50;\nlet szSharePointFileOperation = 
\"SharePointFileOperation\";\nlet - szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime - = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where - TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ - szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize - historicalCount = count() by ClientIP, RecordType, Operation;\nlet recentActivity - = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where RecordType - =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize - min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, - Operation;\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity - ) on ClientIP, RecordType, Operation\n// More than 50 downloads/uploads from - a new IP\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated - >= ago(endtime) \n| where RecordType =~ szSharePointFileOperation\n| where - Operation in~ (szOperations)\n| join kind= inner (RareIP) on ClientIP, RecordType, - Operation\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\n| - summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) - by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, - OfficeObjectId, UserAgent, IPSeenCount = recentCount\n| extend timestamp = - StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity - = Site_Url\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId - asc","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"SharePointFileOperation - via previously unseen IPs","description":"Identifies when the volume of documents - uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold - (default is 50).","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-08-23T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd","name":"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = ago(1h);\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where - TimeGenerated >= timeframe\n| where modelSeverity_s == ''high'' or modelSeverity_s == - ''critical''\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity - = 
impactScope_hostname_s, IPCustomEntity = impactScope_host_s","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Create - Incident for XDR Alerts (Critical & High)","description":"This Query creates - an incident based on Trend Micro XDR Workbench Alerts and maps the impacted - entities for Azure Sentinel usage. (Critical & High Serverity Alerts)","lastUpdatedDateUTC":"2020-12-10T00:00:00Z","createdDateUTC":"2020-12-10T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"TrendMicroXDR","dataTypes":["TrendMicro_XDR_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52","name":"50574fac-f8d1-4395-81c7-78a463ff0c52","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - auditLookback = 1h;\nSigninLogs\n| where TimeGenerated > ago(auditLookback)\n| - where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName - IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| - where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") - // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft - Graph\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, - UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName\n| - order by TimeGenerated desc\n// 
New entity mapping\n| extend timestamp = TimeGenerated, - AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Azure - Active Directory PowerShell accessing non-AAD resources","description":"This - will alert when a user or application signs in using Azure Active Directory - PowerShell to access non-Active Directory resources, such as the Azure Key - Vault, which may be undesired or unauthorized behavior.\nFor capabilities - and expected behavior of the Azure Active Directory PowerShell module, see: - https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor - further information on Azure Active Directory Signin activity reports, see: - https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.","tactics":["InitialAccess"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-12-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed","name":"0d76e9cf-788d-4a69-ac7d-f234826b5bed","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 1d;\nDnsEvents\n| where TimeGenerated > ago(timeframe)\n| where - Name contains \".\"\n| where Name has_any (\"monerohash.com\", \"do-dear.com\", - \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", 
\"minexmr.org\", \"hashanywhere.com\", - \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", - \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", - \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", - \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", - \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", - \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", - \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", - \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", - \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", - \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", - \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", - \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", - \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", - \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", - \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", - \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\")\n| extend timestamp - = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"DNS - events related to mining pools","description":"Identifies IP addresses that - may be performing DNS lookups associated with common currency mining 
pools.","tactics":["Execution","Impact"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31","name":"9649e203-3cb7-47ff-89a9-42f2a5eefe31","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", - 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", - \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", - \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| - where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter - SeverityTable on Severity\n| order by Level","queryFrequency":"PT2H","queryPeriod":"PT2H","triggerOperator":"GreaterThan","triggerThreshold":0,"displayName":"Alsid - Active Directory attacks pathways","description":"Searches for triggered Indicators - of Exposures related to Active Directory attacks 
pathways","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-12-07T00:00:00Z","createdDateUTC":"2020-11-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AlsidForAD","dataTypes":["AlsidForADLog_CL"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628","name":"3af9285d-bb98-4a35-ad29-5ea39ba0c628","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeRange = ago(1d);\nlet threshold = 1;\nSigninLogs\n| where TimeGenerated - >= timeRange\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus - =~ \"failure\"\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser - \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| - extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| - extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| - extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| - extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize - StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status - = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = - makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = - makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), - tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, - ConditionalAccessPol2Name\n| where IPAddressCount > threshold and StatusDetails - !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, - CorrelationIds\n| extend Status = 
strcat(Status, \" \", StatusDetails)\n| - summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds - = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, - AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, - ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\n| extend - timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity - = tostring(IPAddresses)","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Attempt - to bypass conditional access rule in Azure AD","description":"Identifies an - attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe - ConditionalAccessStatus column value details if there was an attempt to bypass - Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus - == 1).\nReferences: \nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus - == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus - == 2 // Not Applied\nConditionalAccessStatus == 3 // 
unknown","tactics":["InitialAccess","Persistence"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActiveDirectory","dataTypes":["SigninLogs"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d","name":"70b12a3b-4899-42cb-910c-5ffaf9d7997d","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"High","query":"let - timeframe = 1d; \nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", - \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", - \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", - \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", - \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", - \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", - \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", - \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", - \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", - \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", - \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", - \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", - \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", - \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", - \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", - \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", 
\"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", - \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", - \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", - \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", - \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", - \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", - \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", - \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", - \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", - \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", - \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", - \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", - \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", - \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", - \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", - \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", - \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", - \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", - \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", - \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", - \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", - \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", - \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", - 
\"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", - \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", - \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", - \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", - \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", - \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", - \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", - \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", - \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", - \"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", - \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", - \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", - \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", - \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", - \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", - \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", - \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", - \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", - \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", - \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", - \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", - \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", - 
\"ns1.mlcrosoft.site\", \n \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", - \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", - \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", - \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", - \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", - \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", - \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", - \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", - \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", - \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", - \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", - \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", - \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", - \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", - \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", - \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", - \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", - \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", - \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", - \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", - \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", - \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", - \"steamappstore.com\", \"update08.com\", 
\"wnswindows.com\", \n \"youtube.dns05.com\", - \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); - \n(union isfuzzy=true \n (CommonSecurityLog \n | where TimeGenerated >= ago(timeframe) \n - | parse Message with * ''('' DNSName '')'' * \n | where DNSName in~ (DomainNames) - \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP - \n ), \n (DnsEvents \n | where TimeGenerated >= ago(timeframe) \n | extend - DNSName = Name \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) - \n | extend IPAddress = ClientIP \n ), \n (VMConnection \n | where TimeGenerated - >= ago(timeframe) \n | parse RemoteDnsCanonicalNames with * ''[\"'' DNSName - ''\"]'' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) - \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where - isnotempty(RemoteUrl) \n | where RemoteUrl in~ (DomainNames) \n | extend - IPAddress = RemoteIP \n | extend Computer = DeviceName \n ) \n ) \n | extend - timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity - = Computer, IPCustomEntity = IPAddress","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Known - Barium domains","description":"Identifies a match across various data feeds - for domains IOCs related to the Barium activity group.\n References: 
https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer","tactics":["CommandAndControl"],"lastUpdatedDateUTC":"2020-12-22T00:00:00Z","createdDateUTC":"2020-11-11T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"DNS","dataTypes":["DnsEvents"]},{"connectorId":"AzureMonitor(VMInsights)","dataTypes":["VMConnection"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]},{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8","name":"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold - = 5;\nlet ExeList = dynamic([\"powershell.exe\",\"cmd.exe\",\"wmic.exe\",\"psexec.exe\",\"cacls.exe\",\"rundll.exe\"]);\nlet - TimeSeriesData =\nSecurityEvent\n| where EventID == 4688 | extend Process - = tolower(Process)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| - where Process in (ExeList)\n| project TimeGenerated, Computer, AccountType, - Account, Process\n| make-series Total=count() on TimeGenerated from ago(starttime) - to ago(endtime) step timeframe by Process;\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| - extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, - -1, ''linefit'')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), - anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| - where 
anomalies > 0\n| project Process, TimeGenerated, Total, baseline, anomalies, - score\n| where Total > TotalEventsThreshold);\nlet AnomalyHours = materialize(TimeSeriesAlerts | - where TimeGenerated > ago(2d) | project TimeGenerated);\nTimeSeriesAlerts\n| - where TimeGenerated > ago(2d)\n| join (\nSecurityEvent\n| where TimeGenerated - between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DateHour - = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where - DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly - hours\n| where EventID == 4688 | extend Process = tolower(Process)\n| summarize - CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, - Computer, Account\n) on Process, TimeGenerated\n| project AnomalyHour = TimeGenerated, - Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, - anomalies, score\n| extend timestamp = AnomalyHour, AccountCustomEntity = - Account, HostCustomEntity = Computer","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Process - execution frequency anomaly","description":"Identifies anomalous spike in - frequency of executions of sensitive processes which are often leveraged as - attack vectors.\nThe query leverages KQL built-in anomaly detection algorithms - to find large deviations from baseline patterns.\nSudden increases in execution - frequency of sensitive processes should be further investigated for malicious - activity.\nTune the values from 1.5 to 3 in series_decompose_anomalies for - further outliers or based on custom threshold values for 
score.","tactics":["Execution"],"lastUpdatedDateUTC":"2021-01-21T00:00:00Z","createdDateUTC":"2019-05-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e","name":"ce1e7025-866c-41f3-9b08-ec170e05e73e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\",\"thedoccloud.com\",\"deftsecurity.com\"]);\nDeviceNetworkEvents\n| - where ActionType == \"ConnectionSuccess\"\n| where RemoteUrl in(SunburstURL)\n| - extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), - InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity - = DeviceName,\n FileHashCustomEntity = InitiatingProcessMD5,\n URLCustomEntity - = RemoteUrl,\n IPCustomEntity = RemoteIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]},{"entityType":"FileHash","fieldMappings":[{"identifier":"Algorithm","columnName":"MD5"},{"identifier":"Value","columnName":"FileHashCustomEntity"}]}],"displayName":"SUNBURST - network beacons","description":"Identifies SolarWinds SUNBURST domain 
beacon - IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f","tactics":["Execution","Persistence"],"lastUpdatedDateUTC":"2021-01-31T00:00:00Z","createdDateUTC":"2020-12-15T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"MicrosoftThreatProtection","dataTypes":["DeviceNetworkEvents"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375","name":"06a9b845-6a95-4432-a78b-83919b28c375","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold - = 5;\nlet percentotalthreshold = 50;\nlet TimeSeriesData = CommonSecurityLog\n| - where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated - between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project - TimeGenerated,SourceIP, DestinationIP, DeviceVendor\n| make-series Total=count() - on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) - step timeframe by DeviceVendor;\n// Filtering specific records associated - with spikes as outliers\nlet TimeSeriesAlerts=materialize(TimeSeriesData\n| - extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, - -1, ''linefit'')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), - anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| - where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\n| - project DeviceVendor,AnomalyHour, 
TimeGenerated, Total, baseline, anomalies, - score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated - > ago(2d) | project TimeGenerated);\n// Join anomalies with Base Data to popalate - associated records for investigation - Results sorted by score in descending - order\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n CommonSecurityLog\n| - where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated - > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column - and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset - to only selected anomaly hours\n| summarize HourlyCount = count(), TimeGeneratedMax - = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), - DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, - TimeGeneratedHour= bin(TimeGenerated, 1h)\n| extend AnomalyHour = TimeGeneratedHour\n) - on AnomalyHour, DeviceVendor\n| extend PercentTotal = round((HourlyCount / - Total) * 100, 3)\n| where PercentTotal > percentotalthreshold\n| project DeviceVendor - , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, - HourlyCount, PercentTotal, Total, baseline, score, anomalies\n| summarize - HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), - SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), - DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist - = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, - baseline, score, anomalies\n| project DeviceVendor , AnomalyHour, EndTimeUtc, - SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, - Total, baseline, score, anomalies\n| extend timestamp= EndTimeUtc , IPCustomEntity - = 
SourceIPMax","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":3,"entityMappings":[{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Time - series anomaly detection for total volume of traffic","description":"Identifies - anamalous spikes in network traffic logs as compared to baseline or normal - historical patterns.\nThe query leverages a KQL built-in anomaly detection - algorithm to find large deviations from baseline patterns.\nSudden increases - in network traffic volume may be an indication of data exfiltration attempts - and should be investigated.\nThe higher the score, the further it is from - the baseline value.\nThe output is aggregated to provide summary view of unique - source IP to destination IP address and port traffic observed in the flagged - anomaly hour.\nThe source IP addresses which were sending less than percentotalthreshold - of the total traffic have been exluded whose value can be adjusted as needed - .\nYou may have to run queries for individual source IP addresses from SourceIPlist - to determine if anything looks 
suspicious","tactics":["Exfiltration"],"lastUpdatedDateUTC":"2021-01-21T00:00:00Z","createdDateUTC":"2019-05-07T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Barracuda","dataTypes":["CommonSecurityLog"]},{"connectorId":"CEF","dataTypes":["CommonSecurityLog"]},{"connectorId":"CheckPoint","dataTypes":["CommonSecurityLog"]},{"connectorId":"CiscoASA","dataTypes":["CommonSecurityLog"]},{"connectorId":"F5","dataTypes":["CommonSecurityLog"]},{"connectorId":"Fortinet","dataTypes":["CommonSecurityLog"]},{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3","name":"871ba14c-88ef-48aa-ad38-810f26760ca3","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 7d;\nOfficeActivity\n| where TimeGenerated >= ago(timeframe)\n| - where Operation =~ \"Set-Mailbox\"\n| where Parameters has \"ForwardingSmtpAddress\"\n| - extend parsed = parse_json(Parameters)\n| mv-expand parsed\n| where parsed.Name - == \"ForwardingSmtpAddress\"\n| extend parameterName = tostring(parsed.Name), - fwdingDestination = tostring(parsed.Value)\n| where isnotempty(fwdingDestination)\n| - extend ClientIPOnly = case( \nClientIP has \".\" and ClientIP has '':'', tostring(split(ClientIP,\":\")[0]), - \nClientIP has \".\" and ClientIP has ''-'', tostring(split(ClientIP,\"-\")[0]), - \nClientIP has '']-'', tostring(trim_start(@''[[]'',tostring(split(ClientIP,\"]\")[0]))),\nClientIP - has '']:'', tostring(trim_start(@''[[]'',tostring(split(ClientIP,\"]\")[0]))),\nisempty(ClientIP) - and ClientIP_ has \".\" and ClientIP_ has '':'', tostring(split(ClientIP_,\":\")[0]), - \nisempty(ClientIP) and ClientIP_ has 
\".\" and ClientIP_ has ''-'', tostring(split(ClientIP_,\"-\")[0]), - \nisempty(ClientIP) and ClientIP_ has '']-'', tostring(trim_start(@''[[]'',tostring(split(ClientIP_,\"]\")[0]))),\nisempty(ClientIP) - and ClientIP_ has '']:'', tostring(trim_start(@''[[]'',tostring(split(ClientIP_,\"]\")[0]))),\nisnotempty(ClientIP), - ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n) \n| - extend Port = case(\nClientIP has \".\" and ClientIP has '':'', tostring(split(ClientIP,\":\")[1]), - \nClientIP has \".\" and ClientIP has ''-'', tostring(split(ClientIP,\"-\")[1]), - \nClientIP has '']-'', tostring(split(ClientIP,\"]-\")[1]), \nClientIP has - '']:'', tostring(split(ClientIP,\"]:\")[1]), \nisempty(ClientIP) and ClientIP_ - has \".\" and ClientIP_ has '':'', tostring(split(ClientIP_,\":\")[1]), \nisempty(ClientIP) - and ClientIP_ has \".\" and ClientIP_ has ''-'', tostring(split(ClientIP_,\"-\")[1]), - \nisempty(ClientIP) and ClientIP_ has '']-'', tostring(split(ClientIP_,\"]-\")[1]),\nisempty(ClientIP) - and ClientIP_ has '']:'', tostring(split(ClientIP_,\"]:\")[1]),\nisnotempty(ClientIP), - ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n)\n| extend - UserId = iff(isempty(UserId), UserId_, UserId)\n| summarize StartTimeUtc = - min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), - UserId = make_set(UserId), \nPorts = make_set(Port), EventCount = count() - by fwdingDestination, ClientIP = ClientIPOnly \n| where DistinctUserCount - > 1\n| mv-expand UserId\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\n| - distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, - fwdingDestination, EventCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = UserId, IPCustomEntity = 
ClientIP","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Multiple - users email forwarded to same destination","description":"Identifies when - multiple (more than one) users mailboxes are configured to forward to the - same destination. \nThis could be an attacker-controlled destination mailbox - configured to collect mail from multiple compromised user accounts.","tactics":["Collection","Exfiltration"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-08-23T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b","name":"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| - where Active == true\n// Picking up only IOC''s that contain the entities - we want\n| where isnotempty(Url)\n| join (\n OfficeActivity\n | where TimeGenerated - >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | - extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", - 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | - where 
isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, - '';'')[0])\n | extend Office_TimeGenerated = TimeGenerated\n // Project - a single user identity that we can use for entity mapping\n | extend User - = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), - tostring(parse_json(Parameters)[0].Vlaue))) \n) on Url\n| summarize LatestIndicatorTime - = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, - Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, - ConfidenceScore, Operation, \nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, - Url, User\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity - = User, URLCustomEntity = Url","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"URL","fieldMappings":[{"identifier":"Url","columnName":"URLCustomEntity"}]}],"displayName":"(Preview) - TI map URL entity to OfficeActivity data","description":"Identifies a match - in OfficeActivity data from any URL IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e","name":"80da0a8f-cfe1-4cd0-a895-8bc1771a720e","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - 
timeframe = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| - where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" - \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), - EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp - = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Security - Event log cleared","description":"Checks for event id 1102 which indicates - the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" - to avoid generating false positives from other sources, like AD FS servers - for instance.","tactics":["DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-22T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798","name":"1fa1528e-f746-4794-8a41-14827f4cb798","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = ago(1h);\nlet threshold = 100;\nPulseConnectSecure\n| where TimeGenerated - >= timeframe\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) - by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend - timestamp = TimeGenerated, HostCustomEntity = 
Computer","queryFrequency":"PT1H","queryPeriod":"PT1H","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"PulseConnectSecure - - Large Number of Distinct Failed User Logins","description":"This query identifies - evidence of failed login attempts from a large number of distinct users on - a Pulse Connect Secure VPN server","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2020-06-06T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PulseConnectSecure","dataTypes":["Syslog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2","name":"0777f138-e5d8-4eab-bec1-e11ddfbc2be2","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - timeframe = 10m;\nlet threshold = 20;\nSecurityEvent \n| where TimeGenerated - >= ago(timeframe)\n| where EventID == 4625\n| where AccountType =~ \"User\"\n| - where SubStatus !=''0xc0000064'' and Account !in (''\\\\'', ''-\\\\-'')\n// - SubStatus ''0xc0000064'' signifies ''Account name does not exist''\n| extend - ResourceId = column_ifexists(\"_ResourceId\", _ResourceId), SourceComputerId - = column_ifexists(\"SourceComputerId\", SourceComputerId)\n| extend Reason - = case(\nSubStatus =~ ''0xC000005E'', ''There are currently no logon servers - available to service the logon request.'',\nSubStatus =~ ''0xC0000064'', ''User - logon with misspelled or bad user account'',\nSubStatus =~ ''0xC000006A'', - ''User logon with misspelled or bad password'', \nSubStatus =~ ''0xC000006D'', - ''Bad user name or password'',\nSubStatus =~ ''0xC000006E'', ''Unknown 
user - name or bad password'',\nSubStatus =~ ''0xC000006F'', ''User logon outside - authorized hours'',\nSubStatus =~ ''0xC0000070'', ''User logon from unauthorized - workstation'',\nSubStatus =~ ''0xC0000071'', ''User logon with expired password'',\nSubStatus - =~ ''0xC0000072'', ''User logon to account disabled by administrator'',\nSubStatus - =~ ''0xC00000DC'', ''Indicates the Sam Server was in the wrong state to perform - the desired operation'', \nSubStatus =~ ''0xC0000133'', ''Clocks between DC - and other computer too far out of sync'',\nSubStatus =~ ''0xC000015B'', ''The - user has not been granted the requested logon type (aka logon right) at this - machine'',\nSubStatus =~ ''0xC000018C'', ''The logon request failed because - the trust relationship between the primary domain and the trusted domain failed'',\nSubStatus - =~ ''0xC0000192'', ''An attempt was made to logon, but the Netlogon service - was not started'',\nSubStatus =~ ''0xC0000193'', ''User logon with expired - account'',\nSubStatus =~ ''0xC0000224'', ''User is required to change password - at next logon'',\nSubStatus =~ ''0xC0000225'', ''Evidently a bug in Windows - and not a risk'',\nSubStatus =~ ''0xC0000234'', ''User logon with account - locked'',\nSubStatus =~ ''0xC00002EE'', ''Failure Reason: An Error occurred - during Logon'',\nSubStatus =~ ''0xC0000413'', ''Logon Failure: The machine - you are logging onto is protected by an authentication firewall. 
The specified - account is not allowed to authenticate to the machine'',\nstrcat(''Unknown - reason substatus: '', SubStatus))\n| summarize StartTime = min(TimeGenerated), - EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \nActivity, - Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \nLogonType, - LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, - WorkstationName, IpAddress\n| where FailedLogonCount >= threshold\n| extend - timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, - IPCustomEntity = IpAddress","queryFrequency":"PT10M","queryPeriod":"PT10M","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Failed - logon attempts by valid accounts within 10 mins","description":"Identifies - when failed logon attempts are 20 or higher during a 10 minute period (2 failed - logons per minute minimum) from valid account.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32","name":"b2c15736-b9eb-4dae-8b02-3016b6a45a32","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - starttime = 14d;\nlet endtime = 1d;\n// The 
number of operations below which - an IP address is considered an unusual source of role assignment operations\nlet - alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| - where OperationName == \"Create role assignment\";\ncreateRoleAssignmentActivity - \n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize - count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| - join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated - > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc - = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus - = makelist(ActivityStatus), \nOperationIds = makelist(OperationId), CorrelationId - = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \nby - ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\n) - on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity - = Caller, IPCustomEntity = CallerIpAddress","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - granting of permissions to an account","description":"Identifies IPs from - which users grant access to other users on azure resources and alerts when - a previously unseen source IP address is 
used.","tactics":["Persistence","PrivilegeEscalation"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985","name":"2790795b-7dba-483e-853f-44aa0bc9c985","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - incidentTime = ago(1d);\nCommonSecurityLog\n| where TimeGenerated > incidentTime\n| - where DeviceProduct =~ \"Wazuh\"\n| where Activity has \"Web server 400 error - code.\"\n| where Message has \"403\"\n| extend HostName=substring(split(DeviceCustomString1,\")\")[0],1)\n| - summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors - = dcount(SourceIP) by HostName, SourceIP\n| where NumberOfErrors > 400\n| - sort by NumberOfErrors desc\n| extend timestamp = StartTime, HostCustomEntity - = HostName, IPCustomEntity = SourceIP","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Wazuh - - Large Number of Web errors from an IP","description":"Identifies instances - where Wazuh logged over 400 ''403'' Web Errors from one IP Address. 
To onboard - Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst","tactics":["Persistence"],"lastUpdatedDateUTC":"2021-01-16T00:00:00Z","createdDateUTC":"2020-04-21T00:00:00Z","status":"Available","alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad","name":"ca67c83e-7fff-4127-a3e3-1af66d6d4cad","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - timeframe = 1d;\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| - where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc - = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, - Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = - Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents\n| - where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| where StartTimeUtc >= ago(timeframe)\n| - extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity - = Computer","queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Base64 - encoded Windows process command-lines","description":"Identifies instances - of a base64 encoded PE file header seen in the process command line 
parameter.","tactics":["Execution","DefenseEvasion"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2018-09-14T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0","name":"b725d62c-eb77-42ff-96f6-bdc6745fc6e0","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| - where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize - StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, - SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| - where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| - summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by - UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, - csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| - where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime - = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, - Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric - hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", - \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize - blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", UserAgentNoHexAlphas)\n// - concatenate extracted words to create a summarized user agent for baseline - and 
comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| - project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime - >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), - count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, - Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join - kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize - by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, - EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend - timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account","queryFrequency":"P1D","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"New - UserAgent observed in last 24 hours","description":"Identifies new UserAgents - observed in the last 24 hours versus the previous 14 days. This detection\nextracts - words from user agents to build the baseline and determine rareity rather - than perform a\ndirect comparison. This avoids FPs caused by version numbers - and other high entropy user agent components.\nThese new UserAgents could - be benign. 
However, in normally stable environments,\nthese new UserAgents - could provide a starting point for investigating malicious activity.\nNote: - W3CIISLog can be noisy depending on the environment, however OfficeActivity - and AWSCloudTrail are\nusually stable with low numbers of detections.","tactics":["InitialAccess","CommandAndControl","Execution"],"lastUpdatedDateUTC":"2020-12-11T00:00:00Z","createdDateUTC":"2019-04-01T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]},{"connectorId":"Office365","dataTypes":["OfficeActivity"]},{"connectorId":"AzureMonitor(IIS)","dataTypes":["W3CIISLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba","name":"361dd1e3-1c11-491e-82a3-bb2e44ac36ba","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - szOperationNames = dynamic([\"Create or Update Virtual Machine\", \"Create - Deployment\"]);\nlet starttime = 7d;\nlet endtime = 1d;\nAzureActivity\n| - where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\n| - where OperationName in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), - EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), - ActivityStatus = makelist(ActivityStatus), \nOperationIds = makelist(OperationId), - CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) - \nby ResourceId, Caller, OperationName, Resource, ResourceGroup\n| mvexpand - CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 - on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), - tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), - tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\n| - extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| - where Slope > 0.2\n| join kind=leftsemi (\n// Last day''s activity is anomalous\nAzureActivity\n| - where TimeGenerated >= startofday(ago(endtime))\n| where OperationName in~ - (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc - = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus - = makelist(ActivityStatus), \nOperationIds = makelist(OperationId), CallerIpAddress - = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby - ResourceId, Caller, OperationName, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| - where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 - on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), - tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), - tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\n| - extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| - where Slope > 0.2 
\n) on Caller, CallerIpAddress \n| mvexpand todynamic(ActivityTimeStamp), - todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\n| - extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity - = CallerIpAddress","queryFrequency":"P1D","queryPeriod":"P7D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Suspicious - number of resource creation or deployment activities","description":"Indicates - when an anomalous number of VM creations or deployment activities occur in - Azure via the AzureActivity log.\nThe anomaly detection identifies activities - that have occurred both since the start of the day 1 day ago and the start - of the day 7 days ago.\nThe start of the day is considered 12am UTC time.","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-05T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AzureActivity","dataTypes":["AzureActivity"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd","name":"2be4ef67-a93f-4d8a-981a-88158cb73abd","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"let - dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, - FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, - ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] - with 
(format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where - isnotempty(FileHashValue);\n// Handle matches against both lower case and - uppercase versions of the hash:\n( fileHashIndicators | extend FileHashValue - = tolower(FileHashValue)\n | union (fileHashIndicators | extend FileHashValue - = toupper(FileHashValue)))\n| join (\n CommonSecurityLog | where TimeGenerated - >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated - = TimeGenerated\n)\non $left.FileHashValue == $right.FileHash\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\n| project - LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \nCommonSecurityLog_TimeGenerated, - SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, - DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, - ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, - IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity - = SourceUserName","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"Microsoft - COVID-19 file hash indicator matches","description":"Identifies a match in - CommonSecurityLog Event data from any FileHash published in the Microsoft - COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-30T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"PaloAltoNetworks","dataTypes":["CommonSecurityLog"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720","name":"2391ce61-8c8d-41ac-9723-d945b2e90720","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Low","query":"let - starttime = 8d;\nlet endtime = 1d;\nlet threshold = 0.333;\nlet countlimit - = 50;\nSecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID - == 4625 and AccountType =~ \"User\"\n| where IpAddress !in (\"127.0.0.1\", - \"::1\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, - Computer, WorkstationName, IpAddress\n| join kind=leftouter (\n SecurityEvent - \n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n | - where EventID == 4625 and AccountType =~ \"User\"\n | where IpAddress !in - (\"127.0.0.1\", \"::1\")\n | summarize CountPrev7day = count() by EventID, - Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, - IpAddress\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, - WorkstationName, IpAddress\n| where CountToday >= coalesce(CountPrev7day,0)*threshold - and CountToday >= countlimit\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\n| - extend Reason = case(\nSubStatus =~ ''0xC000005E'', ''There are currently - no logon servers available to service the logon request.'',\nSubStatus =~ - ''0xC0000064'', ''User logon with misspelled or bad user account'',\nSubStatus - =~ ''0xC000006A'', ''User logon with misspelled or bad password'', \nSubStatus - =~ ''0xC000006D'', ''Bad user name or password'',\nSubStatus =~ ''0xC000006E'', - ''Unknown user name or bad password'',\nSubStatus =~ ''0xC000006F'', ''User - logon outside authorized hours'',\nSubStatus =~ ''0xC0000070'', ''User logon - from unauthorized workstation'',\nSubStatus =~ ''0xC0000071'', ''User logon - with expired password'',\nSubStatus =~ ''0xC0000072'', ''User logon to account - disabled by administrator'',\nSubStatus =~ ''0xC00000DC'', ''Indicates the - Sam Server was in the wrong state to perform the desired operation'', \nSubStatus - =~ ''0xC0000133'', ''Clocks between DC and other computer too far out of sync'',\nSubStatus - =~ ''0xC000015B'', ''The user has not been granted the requested logon type - (aka logon right) at this machine'',\nSubStatus =~ ''0xC000018C'', ''The logon - request failed because the trust relationship between the primary domain and - the trusted domain failed'',\nSubStatus =~ ''0xC0000192'', ''An attempt was - made to logon, but the Netlogon service was not started'',\nSubStatus =~ ''0xC0000193'', - ''User logon with expired account'',\nSubStatus 
=~ ''0xC0000224'', ''User - is required to change password at next logon'',\nSubStatus =~ ''0xC0000225'', - ''Evidently a bug in Windows and not a risk'',\nSubStatus =~ ''0xC0000234'', - ''User logon with account locked'',\nSubStatus =~ ''0xC00002EE'', ''Failure - Reason: An Error occurred during Logon'',\nSubStatus =~ ''0xC0000413'', ''Logon - Failure: The machine you are logging onto is protected by an authentication - firewall. The specified account is not allowed to authenticate to the machine'',\nstrcat(''Unknown - reason substatus: '', SubStatus))\n| extend WorkstationName = iff(WorkstationName - == \"-\" or isempty(WorkstationName), Computer , WorkstationName) \n| project - StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, - Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = - round(CountPrev7day*1.00/7,2)\n| summarize StartTime = min(StartTime), EndTime - = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), - sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \nby EventID, Account, LogonTypeName, - SubStatus, Reason, AccountType, WorkstationName\n| order by sum_CountToday - desc nulls last \n| extend timestamp = StartTime, AccountCustomEntity = Account, - HostCustomEntity = WorkstationName","queryFrequency":"P1D","queryPeriod":"P8D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"Host","fieldMappings":[{"identifier":"FullName","columnName":"HostCustomEntity"}]}],"displayName":"Excessive - Windows logon failures","description":"User has over 50 Windows logon failures - today and at least 33% of the count of logon failures over the previous 7 - 
days.","tactics":["CredentialAccess"],"lastUpdatedDateUTC":"2020-11-19T00:00:00Z","createdDateUTC":"2019-02-22T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"SecurityEvents","dataTypes":["SecurityEvent"]}],"alertRulesCreatedByTemplateCount":0}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452","name":"aac495a9-feb1-446d-b08e-a1164a539452","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"severity":"Medium","query":"ThreatIntelligenceIndicator\n| - where TimeGenerated >= ago(24h)\n| where Action == true\n// Picking up only - IOC''s that contain the entities we want\n| where isnotempty(NetworkIP) or - isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// - Taking the first non-empty value based on potential IOC match availability\n| - extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| - extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), - NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) - and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| - join (\n GitHubAudit\n | where TimeGenerated >= ago(24h)\n | extend GitHubAudit_TimeGenerated - = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize - LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project - LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, - Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, - IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, - NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, - IPCustomEntity = IPaddress, 
AccountCustomEntity = Actor","queryFrequency":"PT1H","queryPeriod":"P14D","triggerOperator":"GreaterThan","triggerThreshold":0,"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"displayName":"TI - map IP entity to GitHub_CL","description":"Identifies a match in GitHub_CL - table from any IP IOC from TI","tactics":["Impact"],"lastUpdatedDateUTC":"2020-11-17T00:00:00Z","createdDateUTC":"2019-08-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"ThreatIntelligence","dataTypes":["ThreatIntelligenceIndicator"]},{"connectorId":"ThreatIntelligenceTaxii","dataTypes":["ThreatIntelligenceIndicator"]}],"alertRulesCreatedByTemplateCount":0}}]}' - headers: - cache-control: - - no-cache - content-length: - - '693305' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:27 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: '{"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": {"created": - "2019-01-01T13:15:30.000Z", "displayName": "My bookmark", "labels": ["Tag2"], - "notes": "Found a suspicious activity", "query": "SecurityEvent | where TimeGenerated - > ago(1d) and TimeGenerated < ago(2d)", "queryResult": "Security Event query - result", "updated": "2019-01-01T13:15:30.000Z"}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel bookmark create - Connection: - - keep-alive - Content-Length: - - '368' - Content-Type: - - application/json - ParameterSetName: - - --etag --created --display-name --labels --labels --notes -q --query-result - --updated 
--bookmark-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"0500531e-0000-0100-0000-6050749d0000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My - bookmark","created":"2021-03-16T09:04:29.7955741+00:00","updated":"2021-03-16T09:04:29+00:00","createdBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"updatedBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"eventTime":"2021-03-16T09:04:29.7955741+00:00","notes":"Found a suspicious - activity","labels":["Tag2"],"query":"SecurityEvent | where TimeGenerated > - ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null}}}' - headers: - cache-control: - - no-cache - content-length: - - '1124' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:30 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - 
x-ms-ratelimit-remaining-subscription-writes: - - '1198' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel bookmark show - Connection: - - keep-alive - ParameterSetName: - - --bookmark-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"0500531e-0000-0100-0000-6050749d0000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My - bookmark","created":"2021-03-16T09:04:29.7955741+00:00","updated":"2021-03-16T09:04:29.7955741+00:00","createdBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"updatedBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"eventTime":"2021-03-16T09:04:29.7955741+00:00","notes":"Found a suspicious - activity","labels":["Tag2"],"query":"SecurityEvent | where TimeGenerated > - ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null}}}' - headers: - cache-control: - - no-cache - content-length: - - '1132' - content-type: - - application/json; charset=utf-8 - 
date: - - Tue, 16 Mar 2021 09:04:31 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel bookmark list - Connection: - - keep-alive - ParameterSetName: - - --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/bookmarks?api-version=2020-01-01 - response: - body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"0500531e-0000-0100-0000-6050749d0000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My - bookmark","created":"2021-03-16T09:04:29.7955741+00:00","updated":"2021-03-16T09:04:29.7955741+00:00","createdBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"updatedBy":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu"},"eventTime":"2021-03-16T09:04:29.7955741+00:00","notes":"Found a suspicious - activity","labels":["Tag2"],"query":"SecurityEvent | where TimeGenerated > - ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query 
result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null}}}]}' - headers: - cache-control: - - no-cache - content-length: - - '1144' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:32 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel bookmark delete - Connection: - - keep-alive - Content-Length: - - '0' - ParameterSetName: - - -y --bookmark-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: DELETE - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: '{}' - headers: - cache-control: - - no-cache - content-length: - - '2' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:34 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-deletes: - - '14999' - status: - code: 200 - message: OK -- request: - body: '{"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "properties": {"classification": - "FalsePositive", "classificationComment": "Not a malicious activity", "classificationReason": - "IncorrectAlertLogic", "description": 
"This is a demo incident", "firstActivityTimeUtc": - "2019-01-01T13:00:30.000Z", "lastActivityTimeUtc": "2019-01-01T13:05:30.000Z", - "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"}, "severity": "High", - "status": "Closed", "title": "title"}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel incident create - Connection: - - keep-alive - Content-Length: - - '469' - Content-Type: - - application/json - ParameterSetName: - - --etag --description --classification --classification-comment --classification-reason - --first-activity-time-utc --last-activity-time-utc --owner --severity --status - --title --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"01000d0a-0000-0100-0000-605074a30000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"title","description":"This - is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not - a malicious 
activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2021-03-16T09:04:35.9200598Z","createdTimeUtc":"2021-03-16T09:04:35.9200598Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5"}}' - headers: - cache-control: - - no-cache - content-length: - - '1541' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:35 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel incident show - Connection: - - keep-alive - ParameterSetName: - - --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"01000d0a-0000-0100-0000-605074a30000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"title","description":"This - is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not - a malicious activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2021-03-16T09:04:35.9200598Z","createdTimeUtc":"2021-03-16T09:04:35.9200598Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5"}}' - headers: - cache-control: - - no-cache - content-length: - - '1541' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:36 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: '{"properties": {"message": "Some message"}}' - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, 
deflate - CommandName: - - sentinel incident-comment create - Connection: - - keep-alive - Content-Length: - - '43' - Content-Type: - - application/json - ParameterSetName: - - --message --incident-comment-id --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: PUT - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some - message","createdTimeUtc":"2021-03-16T09:04:38.0892344Z","author":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu","userPrincipalName":"yungez@microsoft.com"}}}' - headers: - cache-control: - - no-cache - content-length: - - '696' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:37 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-writes: - - '1199' - status: - code: 201 - message: Created -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel incident-comment list - Connection: - - 
keep-alive - ParameterSetName: - - --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments?api-version=2020-01-01 - response: - body: - string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some - message","createdTimeUtc":"2021-03-16T09:04:38.0892344Z","author":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu","userPrincipalName":"yungez@microsoft.com"}}}]}' - headers: - cache-control: - - no-cache - content-length: - - '708' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:39 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel incident-comment show - Connection: - - keep-alive - ParameterSetName: - - --incident-comment-id --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 
(Windows-10-10.0.19041-SP0) - method: GET - uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2020-01-01 - response: - body: - string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some - message","createdTimeUtc":"2021-03-16T09:04:38.0892344Z","author":{"objectId":"ade81686-dde7-4bb0-9062-8f5250ff95eb","email":"yungez@microsoft.com","name":"Catherine - Zhu","userPrincipalName":"yungez@microsoft.com"}}}' - headers: - cache-control: - - no-cache - content-length: - - '696' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:40 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - application/json - Accept-Encoding: - - gzip, deflate - CommandName: - - sentinel incident delete - Connection: - - keep-alive - Content-Length: - - '0' - ParameterSetName: - - -y --incident-id --resource-group --workspace-name - User-Agent: - - AZURECLI/2.20.0 azsdk-python-securityinsights/unknown Python/3.8.0 (Windows-10-10.0.19041-SP0) - method: DELETE - uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.OperationalInsights/workspaces/clitestws-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01 - response: - body: - string: '{}' - headers: - cache-control: - - no-cache - content-length: - - '2' - content-type: - - application/json; charset=utf-8 - date: - - Tue, 16 Mar 2021 09:04:41 GMT - expires: - - '-1' - pragma: - - no-cache - server: - - Kestrel - strict-transport-security: - - max-age=31536000; includeSubDomains - transfer-encoding: - - chunked - vary: - - Accept-Encoding - x-content-type-options: - - nosniff - x-ms-ratelimit-remaining-subscription-deletes: - - '14999' - status: - code: 200 - message: OK -version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_alert_rule_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_alert_rule_crud.yaml new file mode 100644 index 00000000000..1ecf5cec462 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_alert_rule_crud.yaml 
@@ -0,0 +1,12036 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-24T07:43:39Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:43:43 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"9b8321af-5bfa-4eec-b577-4b78a68487e2\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:43:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 19:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:43:51 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:43:51 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:43:52 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"9b8321af-5bfa-4eec-b577-4b78a68487e2\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:43:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 19:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:43:51 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:43:53 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:44:22 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"9b8321af-5bfa-4eec-b577-4b78a68487e2\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:43:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 19:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:43:51 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:43:53 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:44:23 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:32 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"kind": "MicrosoftSecurityIncidentCreation", "properties": {"displayName": + "testing", "enabled": true, "productFilter": "Microsoft Cloud App Security"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule create + Connection: + - keep-alive + Content-Length: + - '153' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g 
--ms-security-incident + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"13002956-0000-0100-0000-62b56b640000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-24T07:44:36.8128078Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '682' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:36 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"13002956-0000-0100-0000-62b56b640000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-24T07:44:36.8128078Z"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '694' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:38 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule update + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --ms-security-incident + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"13002956-0000-0100-0000-62b56b640000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-24T07:44:36.8128078Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '682' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:40 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"etag": "\"13002956-0000-0100-0000-62b56b640000\"", "kind": "MicrosoftSecurityIncidentCreation", + "properties": {"displayName": "tested", "enabled": true, "productFilter": "Microsoft + Cloud App Security"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule update + Connection: + - keep-alive + Content-Length: + - '204' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --ms-security-incident + User-Agent: + - AZURECLI/2.37.0 (AAZ) 
azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"13004056-0000-0100-0000-62b56b680000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"tested","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-24T07:44:40.7138615Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '681' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:40 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"13004056-0000-0100-0000-62b56b680000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"tested","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-24T07:44:40.7138615Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '681' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:41 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n --workspace-name -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:41 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule template list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2022-06-01-preview + response: + body: + string: 
"{\"value\":[{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"sourceSettings\":[{\"sourceName\":\"Anomalies\",\"sourceSubTypes\":null},{\"sourceName\":\"Alert + providers\",\"sourceSubTypes\":[{\"sourceSubTypeDisplayName\":\"Azure Active + Directory Identity Protection\",\"sourceSubTypeName\":\"Azure Active Directory + Identity Protection\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + 365 Defender\",\"sourceSubTypeName\":\"Microsoft 365 Defender\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Cloud App Security\",\"sourceSubTypeName\":\"Microsoft Cloud App Security\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Defender for Cloud\",\"sourceSubTypeName\":\"Azure Defender\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Defender for Endpoint\",\"sourceSubTypeName\":\"Microsoft Defender for Endpoint\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Defender for Identity\",\"sourceSubTypeName\":\"Microsoft Defender for 
Identity\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Defender for IoT\",\"sourceSubTypeName\":\"Azure Defender for IoT\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Microsoft + Defender for Office 365\",\"sourceSubTypeName\":\"Microsoft Defender for Office + 365\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Azure + Sentinel scheduled analytics rules\",\"sourceSubTypeName\":\"Azure Sentinel + scheduled analytics rules\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}},{\"sourceSubTypeDisplayName\":\"Azure + Sentinel NRT analytic rules\",\"sourceSubTypeName\":\"Azure Sentinel NRT analytic + rules\",\"severityFilter\":{\"isSupported\":true,\"severityFilters\":[\"Informational\",\"Low\",\"Medium\",\"High\"]}}]}],\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced + Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, + a correlation engine based on scalable machine learning algorithms, to automatically + detect multistage attacks by identifying combinations of anomalous behaviors + and suspicious activities that are observed at various stages of the kill + chain. On the basis of these discoveries, Azure Sentinel generates incidents + that would otherwise be very difficult to catch. 
By design, these incidents + are low-volume, high-fidelity, and high-severity, which is why this detection + is turned ON by default.\\n\\nSince Fusion correlates multiple signals from + various products to detect advanced multistage attacks, successful Fusion + detections are presented as Fusion incidents on the Microsoft Sentinel Incidents + page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- + Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo + enable these detections, we recommend you configure the following data connectors + for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory + Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft + 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for + Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office + 365\\n- Scheduled analytics rules, both built-in and those created by your + security analysts. 
Analytics rules must contain kill-chain (tactics) and entity + mapping information in order to be used by Fusion.\\n\\nFor the full description + of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend + TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| + extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), + NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// + using innerunique to keep perf fast and result set low, we only need one match + to indicate potential malicious activity that needs to be investigated\\n| + join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType + =~ \\\"VAULTS\\\"\\n | where TimeGenerated >= ago(dt_lookBack)\\n | + extend 
KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non + $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated + < ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, + *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, + id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| + extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match + in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated + > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| + where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ + \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| + extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId + = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, + knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] + with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| + parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: + \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" + and ConsentFull contains \\\"user.read\\\" 
and ConsentFull contains \\\"mail.read\\\" + and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" + and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType + != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was + granted to all users via an admin - but admin due diligence should be audited + occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| + extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| + extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", + tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, + GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, + GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| + join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId + = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue + has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, + \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| + join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName + =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = + tostring(TargetResources[0].displayName)\\n| extend 
GrantOperation = OperationName\\n| + project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| + project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, + AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, + OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = + GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"techniques\":[\"T1528\",\"T1550\"],\"displayName\":\"Suspicious + application consent similar to O365 Attack Toolkit\",\"description\":\"This + will alert when a user consents to provide a previously-unknown Azure application + with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe + default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, + user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent + to applications with these permissions should be rare, especially as the knownApplications + list is expanded, especially as the knownApplications list is expanded. 
Public + contributions to expand this filter are welcome!\\nFor further information + on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d19b599-3c58-41ea-8db1-7ed22f80561e\",\"name\":\"8d19b599-3c58-41ea-8db1-7ed22f80561e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Powershell obfuscation detection by user account\",\"description\":\"This + algorithm detects potential powershell obfuscation on windows security events + by user account within the last day. The model is based on assumption that + number of alphanumeric characters and powershell command line length should + follow linear regression relationship. 
Any powershell command lines deviate + far from the linear trend will be labeld as anomalies.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2022-02-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet + SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| + where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp + = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), + InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity + = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity + = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1195\"],\"displayName\":\"SUNBURST + and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST + and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- + https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Get details of current Azure Ranges (note this URL updates regularly so will + need to be manually updated over time)\\n// You may find the name of the new + 
JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On + the downloads page, click the 'details' button, and then replace just the + filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: + string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format='multijson')\\n| + mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand + values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// + Limiting to Azure Portal really reduces false positives and helps focus on + potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// + Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, + IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user + is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// + Further limit it to just access to the current tenant (you can drop this if + you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId + == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), + make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, + Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = + UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1199\"],\"displayName\":\"Azure + Portal Signin from another Azure Tenant\",\"description\":\"This query looks + for sign in attempts to the Azure 
Portal where the user who is signing in + from another Azure tenant,\\n and the IP address the login attempt is from + is an Azure IP. A threat actor who compromises an Azure tenant may look\\n + to pivot to other tenants leveraging cross-tenant delegated access in this + manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", + \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet + files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 + = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", + \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", + \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", + \ \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet + FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", + \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", + 
\\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| + where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) + or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// + Increase risk score if recent alerts for the host\\n| join kind=leftouter + (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName + = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| + extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// + Higher risk score are for Defender alerts related to threat actor\\n| extend + AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", + \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), + 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore + = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = + TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"techniques\":[\"T1569\"],\"displayName\":\"Dev-0228 + File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting + query looks for file paths/hashes related to observed activity by Dev-0228. + The actor is known to use custom version of popular tool like PsExec, Procdump + etc. 
to carry its activity.\\n The risk score associated with each result + is based on a number of factors, hosts with higher risk events should be investigated + first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-03-02T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + known_processes = (\\n imProcess\\n // Change these values if adjusting + Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n + \ | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", + \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize + by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency + or Query Period\\n | where TimeGenerated > ago(1d)\\n | where Process has_any + (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n + \ | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), + LastSeen=max(TimeGenerated) by Process, CommandLine, 
DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"LateralMovement\"],\"techniques\":[\"T1072\",\"T1570\"],\"displayName\":\"New + EXE deployed via Default Domain or Default Domain Controller Policies (ASIM + Version)\",\"description\":\"This detection highlights executables deployed + to hosts via either the Default Domain or Default Domain Controller Policies. + These policies apply to all hosts or Domain Controllers and best practice + is that these policies should not be used for deployment of files.\\n A threat + actor may use these policies to deploy files or scripts to all hosts in a + domain.\\n This query uses the ASIM parsers and will need them deployed before + usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-03-02T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| + where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| + extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name + == \\\"ForwardingSmtpAddress\\\"\\n| extend 
parameterName = tostring(parsed.Name), + fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| + extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', + tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP + has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP + has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]), + \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), + \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) + and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), + ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) + \ \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', + tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP + has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), + \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), + \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), + \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) + and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), + ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| + extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| 
summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = + dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount + = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount + > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| + distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, + fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"techniques\":[\"T1114\",\"T1020\"],\"displayName\":\"Multiple + users email forwarded to same destination\",\"description\":\"Identifies when + multiple (more than one) users mailboxes are configured to forward to the + same destination. 
\\nThis could be an attacker-controlled destination mailbox + configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow + = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| + summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), + \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = + make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount + = countif(EventResult=='Failure'),\\n SuccessCount = countif(EventResult=='Success')\\n + \ by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount + >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| extend\\n + \ IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy + = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Brute + force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies + evidence of brute force activity against a user based on multiple authentication + failures \\nand at least one successful authentication within a given time + window. Note that the query does not enforce any sequence,\\nand does not + require the successful authentication to occur last.\\nThe default failure + threshold is 10, success threshold is 1, and the default time window is 20 + minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM + normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', + 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\\nlet IPList = + dynamic(['185.225.69.69']);\\nlet IPRegex = 
'[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP + in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any + (DomainNames) or Message has_any (IPList)\\n| parse Message with * '(' DNSName + ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch + = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), + \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL + in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp + = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", + MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns + (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, + DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity + = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| + extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = + Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, + HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| + extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), + Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, + HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) + or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| + parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend + IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), + \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, + IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", + DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| + where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity + = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where + RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp + = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity + = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with + Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' + DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, + DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1102\"],\"displayName\":\"NOBELIUM + - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across + various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: + 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// + Replace these with the username or emails of your VIP users you wish to monitor + for.\\nlet vips = 
dynamic(['vip1@email.com','vip2@email.com']);\\n// Add users + who are allowed to conduct these searches - this could be specific SOC team + members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText + has_any (vips) or QueryText has_any ('_GetWatchlist(\\\"VIPUsers\\\")', \\\"_GetWatchlist('VIPUsers')\\\")\\n| + where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, + QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"techniques\":[\"T1530\",\"T1213\",\"T1020\"],\"displayName\":\"Users + searching for VIP user activity\",\"description\":\"This query monitors for + users running Log Analytics queries that contain filters\\nfor specific, defined + VIP user accounts or the VIPUser watchlist template.\\nUse this detection + to alert for users specifically searching for activity of sensitive 
users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated + >= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName + !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, + TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable + = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account + Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, + TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 + = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet + userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| + where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, + TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 + = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable + | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min + = datetime_diff('minute', Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min + > 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, + 
TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set + the initial password after account was enabled or it occurred after 48 hours\\\"\\n| + order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity + = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, + Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"AD + user enabled and password not set within 48 hours\",\"description\":\"Identifies + when an account is enabled with a default password and the password is not + set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating + an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates + there was no attempt by the user to set the password. 
This will show any attempts + (success or fail) that occur \\nafter 48 hours, which can indicate too long + of a time period in setting the password to something that only the user knows.\\nIt + is recommended that this time period is adjusted per your internal company + policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the + ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and + \ TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" + and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs + | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | + extend WebApp = split(_ResourceId, '/')[8]\\n // renaming time column so + it is clear the log this came from\\n | extend AppService_TimeGenerated = + TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated + < ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, + *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, + TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, + NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| + extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, + IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.3\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match + in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n + \ | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n + \ | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + count() by Dvc, ActorUsername, Process, CommandLine, 
ActingProcessName, EventVendor, + EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = + ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1059\",\"T1027\",\"T1140\"],\"displayName\":\"Base64 + encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies + instances of a base64 encoded PE file header seen in the process command line + parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM + normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n + | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine + contains 
\\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1059\",\"T1027\",\"T1140\"],\"displayName\":\"NRT + Base64 encoded Windows process command-lines\",\"description\":\"Identifies + instances of a base64 encoded PE file header seen in the process command line + parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"(Preview) + Attempted computer bruteforce\",\"description\":\"This algorithm detects an + unusually high volume of failed login attempts to each 
computer. The model + is trained on the previous 21 days of security event ID 4625 on a computer. + It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| + where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates + and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add + service principal credentials\\\", and \\\"Update application - Certificates + and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| + mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) + has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend + targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId + = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| + extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| + where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set + = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| + where old_value_set != 
\\\"[]\\\"\\n| extend diff = set_difference(new_value_set, + old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" + keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string + \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage + == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key + == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend + InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// + The below line is currently commented out but Microsoft Sentinel users can + modify this query to show only Application or only Service Principal events + in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType + =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| + project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, + UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, + keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1550\"],\"displayName\":\"New + access credential added to Application or Service Principal\",\"description\":\"This + will alert when an admin or app owner 
account adds a new credential to an + Application or Service Principal where a verify KeyCredential was already + present for the app.\\nIf a threat actor obtains access to an account with + sufficient privileges and adds the alternate authentication material triggering + this event, the threat actor can now authenticate as the Application or Service + Principal using this credential.\\nAdditional information on OAuth Credential + Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\nlet AccountAllowList = dynamic(['SYSTEM']);\\nlet SubCategoryList + = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", + \\\"Authorization Policy Change\\\"]); // Add any Category in the list to + be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", + \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| + where 
TimeGenerated >= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" + \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" + and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" + subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, + \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| + where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for + exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable + /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| + project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, + Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| + where TimeGenerated >= ago(timeframe)\\n// | where InitiatingProcessFileName + =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| + where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine + with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, + \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| + where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for + exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable + /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| + project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, + \ InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| + where 
TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), + TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, + UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// + | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any + (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with + * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, + \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| + where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for + exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable + /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| + project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, + SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1204\"],\"displayName\":\"Audit + policy manipulation using auditpol utility\",\"description\":\"This detects + attempt to manipulate audit policies using auditpol command.\\nThis technique + was seen in relation to Solorigate attack but the results can indicate potential + \ malicious activity used in different attacks.\\nThe 
process name in each + data source is commented out as an adversary could rename it. It is advisable + to keep process name commented but \\nif the results show unrelated false + positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol + \ \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union + isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create + a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| + where ObjectServer == 'DS'\\n| where OperationType == 'Object Access'\\n//| + where ObjectName contains '= ago(endtime)\\n| where EventID + == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", + \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), + CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, + Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n + \ SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. + ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n + \ | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize + CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, + Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, + SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday + >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus + Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| + extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no + logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', + 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', + 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', + 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name + or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized + hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus + =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', + 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', + 'Indicates the Sam Server was in the wrong state to perform the desired operation', + \ \\nSubStatus 
=~ '0xC0000133', 'Clocks between DC and other computer too + far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted + the requested logon type (aka logon right) at this machine',\\nSubStatus =~ + '0xC000018C', 'The logon request failed because the trust relationship between + the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', + 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus + =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', + 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', + 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', + 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: + An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: + The machine you are logging onto is protected by an authentication firewall. + The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown + reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName + == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| + project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, + AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, + Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = + min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), + IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), + avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, + WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| + extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity + = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Excessive + Windows logon failures\",\"description\":\"User has over 50 Windows logon + failures today and at least 33% of the count of logon failures over the previous + 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n + \ | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" + KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n + \ | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n + \ | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n + \ | where EventID == 
4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n + \ | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName + endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n + \ | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1548\"],\"displayName\":\"Potential + Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps + required to conduct a UAC bypass using Fodhelper.exe. By default this detection + looks for the setting of the required registry keys and the invoking of the + process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-02-25T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n + (SecurityEvent\\n| where TimeGenerated > ago(timeframe+spanoftime)\\n// A + user account was created\\n| where 
EventID == 4720\\n| where AccountType =~ + \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, + CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate + = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount + = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated + > ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID + == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ + \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend + Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName + = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, + CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, + UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate + = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| + join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where + TimeGenerated > ago(timeframe)\\n // A user account was deleted\\n | where + EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime + = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, + TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, + SIDofAccountUsedToDelete = 
SubjectUserSid, TargetAccount = tolower(TargetAccount), + TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n + \ // A user account was deleted\\n| where EventID == 4726\\n| extend SubjectUserSid + = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount + endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", + \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| + where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend + Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName + = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID + = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, + AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, + TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| + where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime + - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, + creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, + UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, + DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| + extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, + HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"User + account created and deleted within 10 mins\",\"description\":\"Identifies + when a user account is created and then deleted within 10 minutes. This can + be an indication of compromise and\\nan adversary attempting to hide in the + noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert + \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop + = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| + extend CmdLine = iff(Extprop['Type']==\\\"process\\\", Extprop['CommandLine'], + '')\\n| extend 
File = iff(Extprop['Type']==\\\"file\\\", Extprop['Name'], + '')\\n| extend Account = Extprop['Name']\\n| extend Domain = Extprop['UPNSuffix']\\n| + extend Account = iif(isnotempty(Domain) and Extprop['Type']==\\\"account\\\", + tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop['Type']==\\\"account\\\", + tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] + == \\\"ip\\\",Extprop['Address'], '')\\n| extend Process = iff(isnotempty(CmdLine), + CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| + join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| + extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains + \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) + on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| + where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested + (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| + where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| + extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| + extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| + extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| + extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, + AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, + Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId + == $right.Initiatedby\\n| project 
AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, + Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"techniques\":[\"T1078\",\"T1548\"],\"displayName\":\"Detecting + Impossible travel with mailbox permission tampering & Privilege Escalation + attempt\",\"description\":\"This hunting query will alert on any Impossible + travel activity in correlation with mailbox permission tampering followed + by account being added to a PIM managed privileged group.\\nEnsure this impossible + travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert + (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventNameList = 
dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", + \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| + where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), + UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, + EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, + AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, + ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Changes + to AWS Security Group ingress and egress settings\",\"description\":\"A Security + Group acts as a virtual firewall of an instance to control inbound and outbound + traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group + should be monitored as these can expose the enviornment to new attack vectors.\\nMore + information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold + = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
+ For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added + in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet + operations for indexing and syncing all tracked resources across Azure.\\nlet + Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet + OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet + TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| + where not((identity_claim_appid_g in (Allowedappid)) and OperationName == + 'VaultGet')\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), + CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| + where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress + !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ + \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in + (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| + make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) + to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against + TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, + score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, + -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated + to typeof(datetime), anomalies to typeof(double),score to typeof(double), + baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| + where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| + project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, + score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) + | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| + where TimeGenerated > ago(2d)\\n// Join against base logs since specified + timeframe to retrive records associated with the hour of anomoly\\n| join + (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| where not((identity_claim_appid_g + in (Allowedappid)) and OperationName == 'VaultGet')\\n| extend DateHour = + bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where + DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly + hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| + extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), + identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", + \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), + CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s + = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType + !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| + where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress + !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ + \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" + and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and + ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| + summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) + by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, + identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + 
requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), + OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, + 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) + by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = + LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = + AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Azure + Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden + increase in count of Azure Key Vault secret or vault access operations by + CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto + find large deviations from baseline Azure Key Vault access patterns. Any sudden + increase in the count of Azure Key Vault accesses can be an\\nindication of + adversary dumping credentials via automated methods. 
If you are seeing any + noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries + Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + FailureThreshold = 15;\\nimAuthentication\\n| where EventType== 'Logon' and + \ EventResult== 'Failure'\\n// reason: creds \\n| where EventResultDetails + in ('No such user or password', 'Incorrect password')\\n| summarize UserCount=dcount(TargetUserId), + Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users + = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, + 5m)\\n| where UserCount > FailureThreshold\\n| extend timestamp = TimeGenerated, + IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Potential + Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This + query searches for failed 
attempts to log in from more than 15 various users + within a 5 minute timeframe from the same source. This is a potential indication + of a password spray attack\\n To use this analytics rule, make sure you have + deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert + \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend + Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| + extend CmdLine = iff(Extprop['Type']==\\\"process\\\", Extprop['CommandLine'], + '')\\n| extend File = iff(Extprop['Type']==\\\"file\\\", Extprop['Name'], + '')\\n| extend Account = Extprop['Name']\\n| extend Domain = Extprop['UPNSuffix']\\n| + extend Account = iif(isnotempty(Domain) and Extprop['Type']==\\\"account\\\", + tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop['Type']==\\\"account\\\", + tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] + == \\\"ip\\\",Extprop['Address'], '')\\n| extend Process = iff(isnotempty(CmdLine), + CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, + Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue + hassuffix 
(\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue + =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue + = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds + = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups + = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress + = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. + IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, + AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Impact\"],\"techniques\":[\"T1078\",\"T1489\"],\"displayName\":\"Workspace + deletion attempt from an infected device\",\"description\":\"This hunting + query will alert on any sign-ins from devices infected with malware in correlation + with potential workspace deletion activity. 
\\nAttackers may attempt to delete + \ workspaces containing compute instances after successful compromise to + cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert + (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs + \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin + = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", + \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", + \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", + \\\"\\\") \\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' + or GuestAlerts == 'false' \\n| extend SettingChanged = case(EnforceLogin == + 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"All + settings changed\\\", \\n EnforceLogin == 'false' + and EnforceLoginDomain == 'false', \\\"Enforced Logons and Restricted Domains + Changed\\\", \\n EnforceLoginDomain == 'false' + and GuestAlerts == 'false', \\\"Enforced Domains Changed\\\", \\n 
EnforceLoginDomain + == 'false', \\\"Enfored Domains Changed\\\", \\n GuestAlerts + == 'false', \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin + == 'false', \\\"Enforced Logins Changed\\\", \\n \\\"No + Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"External + User Access Enabled\",\"description\":\"This alerts when the account setting + is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device + action\",\"description\":\"Include only these specific device actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude + ports\",\"description\":\"Provide a comma separated list to exclude 
specific + ports from source data. This should be within double quotes, example: \\\"53, + 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination + IP count\",\"description\":\"The minimum distinct destination IP count per + hour required for inclusion. Default is 600. This is an OR condition with + destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination + port count\",\"description\":\"The minimum distinct destination port count + per hour required for inclusion. Default is 600. This is an OR condition with + destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP + ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination + IP count with a default minimum ratio of 1.00 or lower (converted to Base + 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port + ratio\",\"description\":\"The distinct source port to distinct destination + port count with a default minimum ratio of 1.00 or lower (converted to Base + 10 to the -4 power of original value). This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1046\"],\"displayName\":\"(Preview) + Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly + is looking to determine if there is potential port scanning anomaly in an + environment coming from a single source IP to one or more destination IPs. 
+ \ \\nThe algorithm takes into account whether the IP is public, meaning external, + or private, meaning internal, and the event is marked accordingly. Only private + to public or public \\nto private is considered at this time. Scanning activity + can indicate an attacker attempting to determine available services in an + environment that can be potentially \\nexploited and used for ingress or lateral + movement.\\nA high number of source ports and high number of destination ports + from a single source IP to either a single or multiple destination IP or IPs + can be interesting and indicate \\nanomalous scanning. Additionally, if there + is a high ratio of destination IPs to the single source IP this can indicate + anomalous scanning.\\nConfiguration details -\\nJob run default is daily, + with hourly bins\\nThe algorithm uses the following defaults to limit the + results based on hourly bins, each is configurable\\n-> Included device actions + - accept, allow, start\\n-> Excluded ports - 53, 67, 80, 8080, 123, 137, 138, + 443, 445, 3389\\n-> Distinct destination port count >= 600\\n-> Distinct source + port count >= 600\\n-> Distinct source port count divided by distinct destination + port, ratio converted to percent >= 99.99\\n-> Source IP (always 1) divided + by destination IP, ratio converted to percent >= 99.99\",\"lastUpdatedDateUTC\":\"2022-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog + (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog + (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + lbtime = 1h;\\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\\nProofpointPOD\\n| + where EventType == 'message'\\n| where TlsCipher in (tls_ciphers)\\n| extend + IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD + - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\n//Create a list of TLDs in our + threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| + where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| + extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| + summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n + \ | where TimeGenerated > ago(dt_lookBack)\\n | extend MSTI = case(AlertName + has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == + 'Azure Sentinel', true, false)\\n | where MSTI == false\\n //Extract + domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", + dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend + domain = tostring(domain[0])\\n | extend parts = split(domain, '.')\\n + \ //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n + \ //Validate parsed domain by checking if the TLD is in the list of TLDs + in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities + into dynamic data type and use mv-expand to unpack the array\\n | extend + EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray + on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), + EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), + 
EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated + = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| + where Alert_TimeGenerated < ExpirationDateTime\\n| summarize Alert_TimeGenerated + = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, + ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, + ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, + HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.3\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Domain entity to SecurityAlert\",\"description\":\"Identifies a match + in SecurityAlert table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| + where CategoryValue == 'Administrative'\\n| where ResourceProviderValue =~ + 'Microsoft.ADHybridHealthService'\\n| where _ResourceId contains 'AdFederationService'\\n| + where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\\n| + extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| + extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity + = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Azure + Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection + uses AzureActivity logs (Administrative category) to identify the creation + or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA + threat actor can create a new AD Health ADFS service and create a fake server + instance to spoof AD FS signing logs. There is no need to compromise an on-prem + AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. + More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password + for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed + SyslogMessage with * \\\"invalid user\\\" user 
\\\" from \\\" ip \\\" port\\\" + port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| + summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, + bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| + extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), + EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) + by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp + = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"SSH + - Potential Brute Force\",\"description\":\"Identifies an IP address that + had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour + time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"Event\\n| + where EventLog == 
\\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| + parse EventData with * 'TargetImage\\\">' TargetImage \\\"<\\\" * 'GrantedAccess\\\">' + GrantedAccess \\\"<\\\" * 'CallTrace\\\">' CallTrace \\\"<\\\" * \\n| where + GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" + and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse + EventData with * 'SourceProcessGUID\\\">' SourceProcessGUID \\\"<\\\" * 'SourceImage\\\">' + SourceImage \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, + GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Dumping + LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access + credential material stored in the process memory of the Local Security Authority + Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and + stores a variety of credential materials in LSASS process memory. \\nThese + credential materials can be harvested by an administrative user or SYSTEM + and used to conduct Lateral Movement using Use Alternate Authentication Material. 
+ \\nAs well as in-memory techniques, the LSASS process memory can be dumped + from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | + where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs + | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | + where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | + where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | + where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where + Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| + where DestinationHostName has_any (domains) or RequestURL has_any (domains) + or Message has_any (domains)\\n| parse Message with * '(' DNSName ')' *\\n| + project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, + Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = 'SOURGUM IOC detected'\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity + = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| + where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, + Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = + 'SOURGUM IOC detected'\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| + where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames + with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, + RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, + DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp + = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, + ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = 'SOURGUM + IOC detected'\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), + DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| + where Image has_any (file_path1) or Image has_any (file_path3)\\n| project + TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, + Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, + ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), HostCustomEntity + = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'\\n), + \ \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 + in (sha256Hashes) and InitiatingProcessFolderPath 
has_any (file_path1)) or + InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, + LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, + HostCustomEntity = DeviceName, Alert = 'SOURGUM IOC detected', UrlCustomEntity + =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, + msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" + ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class + \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size + \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" + \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| + where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, + DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = 'SOURGUM IOC detected'\\n),\\n(AzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request + from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort + '. 
Action:' Action\\n| where DestinationHost has_any (domains) \\n| extend + timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, + Alert = 'SOURGUM IOC detected'\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| parse EventDetail with * 'SHA256=' SHA256 + '\\\",' *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine + = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) + and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine + has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine + has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) + \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, + SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), + Alert = 'SOURGUM IOC detected'\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, + '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) + and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, + DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, + Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName + , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = InitiatingProcessSHA256, Alert = 'SOURGUM IOC 
detected'\\n),\\n(DeviceProcessEvents\\n| + where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine + has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and + InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine + has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) + or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any + (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, + FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = + DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\\n),\\n(DeviceFileEvents\\n| + where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath + has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) + or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) + or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine + has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, + InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, + InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, + FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = + DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity + = 
InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\\n),\\n(DeviceEvents\\n| + where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine + has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and + InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine + has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) + or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any + (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, + FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert + = 'SOURGUM IOC detected'\\n| extend timestamp = TimeGenerated, HostCustomEntity + = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| + where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) + or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine + has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName + has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName + has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, + ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = NewProcessName, Alert = 'SOURGUM IOC 
detected'\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1546\"],\"displayName\":\"SOURGUM + Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC's + related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"d
ataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); + \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) + or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP + in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP + in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", + \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, + Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, + IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, + \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress + = ClientIP, Account = 
UserId \\n| where SourceIPAddress in (IPList) \\n| + extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity + = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress + = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity + = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession + (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity + = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession + (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity + = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), + \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) + \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity + = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where + IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity + = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs + \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend + timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity + = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP + in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity + = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| + where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| + extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity + = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) + \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, + IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName + \\n), 
\\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where + RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity + = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost + \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where + ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost + \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known + POLONIUM IP\",\"description\":\"Identifies a match across various data feeds + for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL' + \",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Mic
rosoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| + where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where + SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) + \\n| where isnotempty(SourceIP)\\n| extend result = ipv4_is_private(SourceIP);\\nssh_logins + \\n| summarize privatecount=countif(result== true), publiccount=countif(result==false) + by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory + \ = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory + = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, + HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n + \ order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize + publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), + publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), + maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply + privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) + asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), + privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// + 
Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// + There is a non-zero number of logins from public IPs\\n| where publicAverage + > avgthreshold\\n// Approximate probability of seeing login from a public + IP is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today + has the highest number of logins from public IPs that we've seen in the last + week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where + publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = + HostName\\n// Optionally retrieve the original raw data for those logins that + we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// + \ ssh_logins\\n// | where result == false\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"New + internet-exposed SSH endpoints\",\"description\":\"Looks for SSH endpoints + that rarely are accessed from a public IP address, in comparison with their + history of sign-ins from private IP 
addresses.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold + = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between + (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue + endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series + Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) + step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData + \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, + 3, -1, 'linefit') \\n| mv-expand Total to typeof(double), TimeGenerated to + typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline + to typeof(long) \\n| where anomalies > 0 \\n| project Caller, TimeGenerated, + Total, baseline, anomalies, score \\n| where Total > TotalEventsThreshold + and baseline > 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated > (ago(endtime)) + \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated + > (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| + summarize count(), 
make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, + 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"Mass + Cloud resource deletions Time Series Anomaly\",\"description\":\"This query + generates baseline pattern of cloud resource deletions by an user and generated + anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual + or privileged users could be an indication of cloud infrastructure \\ntake-down + by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType + == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize + DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) + by ResultType\\n| where DistinctAccounts > account_threshold\\n| mv-expand + IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| + join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) + on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime + = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n + \ UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n + \ ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, + ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, + ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) + == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Password + spray attack against Azure AD Seamless SSO\",\"description\":\"This query + detects when there is a spike in Azure AD Seamless SSO errors. 
They may not + be caused by a Password Spray attack, but the cause of the errors might need + to be investigated.\\nAzure AD only logs the requests that matched existing + accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | + where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs + | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| + where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) + or (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') + \ and ProcessCommandLine has ('/tr \\\"wscript.exe') and ProcessCommandLine + has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and ProcessCommandLine has ('//e:VBScript + //b\\\" /F')) or (ProcessCommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') + and ProcessCommandLine has ('.wav') and ProcessCommandLine has 
('//e:VBScript + //b') \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", + \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, + InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + \ InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend + Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 + in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), + \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, + FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, + FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| + where EventID == 4688\\n| where (CommandLine has ('schtasks.exe /CREATE /sc + minute /mo 12 /tn') and CommandLine has ('/tr \\\"wscript.exe') and CommandLine + has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and CommandLine has ('//e:VBScript + //b\\\" /F')) or (CommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') + and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b'))\\n| + project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, + NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( + CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, + Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, + FileHashCustomEntity = 'SHA256', Account = SourceUserID\\n),\\n( imFileEvent\\n| + where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has 
('schtasks.exe + /CREATE /sc minute /mo 12 /tn') and ActingProcessCommandLine has ('/tr \\\"wscript.exe') + and ActingProcessCommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') + and ActingProcessCommandLine has ('//e:VBScript //b\\\" /F')) or (ActingProcessCommandLine + \ has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') and ActingProcessCommandLine + \ has ('.wav') and ActingProcessCommandLine has ('//e:VBScript //b') \\n + or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", + \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = + ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine + = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, + Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| + extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], + Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", + dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", + \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| + where (Hashes has_any (sha256Hashes) ) or (CommandLine has ('schtasks.exe + /CREATE /sc minute /mo 12 /tn') and CommandLine has ('/tr \\\"wscript.exe') + and CommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and CommandLine + has ('//e:VBScript //b\\\" /F')) or (CommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') + and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b') or + (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", + \\\"e:vbscript\\\", 
\\\".wav\\\")))\\n| project TimeGenerated, EventDetail, + UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type + = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, + '\\\\\\\\', -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| + where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, + Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName + = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| + where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames + with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, + ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, + DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp + = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics + \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol + 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort + '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost + has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, + IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) + \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, + RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, + HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, + DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1137\"],\"displayName\":\"ACTINIUM + Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various + data feeds for domains, hashes and commands related to an actor tracked by + Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.9\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1136\"],\"displayName\":\"(Preview) + UEBA Anomalous Account Creation\",\"description\":\"Adversaries may create + an account to maintain access to victim systems. With a sufficient level of + access,\\ncreating such accounts may be used to establish secondary credentialed + access\\nthat do not require persistent remote access tools to be deployed + on the system.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| + where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, + UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, + SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, + IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"techniques\":[\"T1078\"],\"displayName\":\"Changes + to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon + VPC) lets you provision a logically isolated section of the AWS Cloud where + you can launch AWS resources\\nin a virtual network that you define.\\nThis + identifies changes to Amazon VPC (Virtual Private Cloud) settings such as + new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 + \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= 
ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) + | where TimeGenerated >= ago(dt_lookBack)\\n | extend Status = todynamic(Status), + LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), + StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n + \ | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), + Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time + column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated + = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| + where SigninLogs_TimeGenerated < ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated + = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project + SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, + Url, 
ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, + AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, + NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, + AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity + = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt + = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, + aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs + from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = + @\\\"(?:\\\\?|&)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// + Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated + > ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) + by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| + extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| + join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n + \ | where TimeGenerated > ago(requestLookback)\\n | where isnotempty(RequestURL)\\n + \ // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), + LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n + \ | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n + \ | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user + == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, + RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1041\",\"T1071\"],\"displayName\":\"Windows + host username encoded in base64 web request\",\"description\":\"This detection + will identify network requests in HTTP proxy data that contains Base64 encoded + usernames from machines in the DeviceEvents table.\\nThis technique was seen + usee by POLONIUM in their RunningRAT 
tool.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"(Preview) + Anomalous Azure operations\",\"description\":\"This detection algorithm generates + anomaly of a caller who performed sequence of an operation(s) which is uncommon + in their workspace.\\nWe collect and featurize last 21 days of operation happened + in the workspace grouped by the caller as a training data for ML algorithm.\\nThe + trained model is used to score the operation performed by the caller 
on the + test date and we tag those caller as anomaly whose error score is greater + than given thershold.\\nFrom Security perspective, this anomaly will capture + the caller along with operation performed on the test date which are not common + in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| + where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = + columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", + \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", + \\\"\\\")\\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"techniques\":[\"T1040\"],\"displayName\":\"Zoom + E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption + is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| + where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin + can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" + \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| + where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() + by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity + = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"Exchange + AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging + has been disabled which may be an adversary attempt\\nto evade detection or + avoid other 
defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any + (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand + TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend + displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| + where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| + where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| + summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target + > 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| + where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add + member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| + extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| + where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| + where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| + extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| + extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1078\"],\"displayName\":\"Bulk + Changes to Privileged Account Permissions\",\"description\":\"Identifies when + changes to multiple users permissions are changed at once. Investigate immediately + if not a planned change. This setting could enable an attacker access to Azure + subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"descripti
on\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\"],\"displayName\":\"(Preview) + Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates + the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS + product).\\nA high anomaly score indicates a low reputation, suggesting that + the domain has been observed to host malicious content or is likely to do + so.\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n//Network + logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, + Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, + Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, + 
0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents + | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the + imDNS and/or imNetworkSession normalization in your workspace, you can uncomment + one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let + imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress + = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) + | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP + = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP + = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs + | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize + by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize + by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP + = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP + = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP + = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents + | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet + azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" + | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") + \\n| where msg_s has_any (IPList) | parse msg_s with Protocol 'request from + ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' + Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = + Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == + 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = + tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress + = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, + Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization + in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let + ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, + officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, + azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then + comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, + CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, + awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize + by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) + and IPAddress !in ('0.0.0.0','127.0.0.1');\\nlet ipMatch = ipsort | where + IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where + SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| + project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, + Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch + = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), + \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| + extend timestamp = TimeGenerated, IPCustomEntity = 
case(IPMatch == \\\"SourceIP\\\", + SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", + MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in + (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, + ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| + extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity + = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project + TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress + = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity + = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where + SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, + Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp + in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", + \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, + \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, + EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = + tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| + where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch + = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), + \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity + = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", + DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| + project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = + IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| + project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = + IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, + Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity + = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| + where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, + Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, + AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress + in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, + Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, + AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| + where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| + project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, + IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", + \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project + TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol 'request from ' SourceIP + ':' SourcePort 'to ' DestinationIP ':' DestinationPort '. 
Action:' Action\\n| + where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, + IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or + imNetworkSession normalization in your workdspace, you can uncomment below + and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns + (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, + SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = + SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, + HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| + project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = + TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"2.0.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j + vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies + a match across various data feeds for IP IOCs related to the Log4j vulnerability + exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' + \",\"lastUpdatedDateUTC\":\"2022-03-18T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated + > ago(lbtime)\\n| where EventType == 'message'\\n| where 
NetworkDirection + == 'outbound'\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| + where attachedMimeType == 'application/zip'\\n| summarize count() by SrcUserUpn, + DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity + = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD + - Multiple archived attachments to the same recipient\",\"description\":\"Detects + when multiple emails where sent to the same recipient with large archived + attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated + > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| + where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ + \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| + extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId + = tolower(TargetResources.[0].id)\\n| where 
AppClientId !in ((externaldata(knownAppClientId:string, + knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] + with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| + parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: + \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" + and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" + and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| + where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if + OAuth application was granted to all users via an admin - but admin due diligence + should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| + extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| + extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", + AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, + GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, + AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter + (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService + =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId + = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue + has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, + \\\"\\\")\\n| distinct 
AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| + join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName + =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = + tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| + project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| + project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, + AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, + OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = + GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"techniques\":[\"T1528\",\"T1550\"],\"displayName\":\"Suspicious + application consent similar to PwnAuth\",\"description\":\"This will alert + when a user consents to provide a previously-unknown Azure application with + the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe + default permissions/scope for the PwnAuth toolkit are user.read, offline_access, + mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with + these permissions should be rare, especially as the knownApplications list + is expanded. 
Public contributions to expand this filter are welcome!\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation + startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where + Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains + \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation + contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation + contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// + Only admin or global-admin can disable/remove policy\\n| where RecordType + =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// + Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend + ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), + \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) + \ \\n| extend Port = case(\\nClientIP has 
\\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP + has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| + summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, + Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"techniques\":[\"T1098\",\"T1562\"],\"displayName\":\"Office + policy tampering\",\"description\":\"Identifies if any tampering is done to + either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn + adversary may use this technique to evade detection or avoid other policy + based defenses.\\nReferences: 
https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold + = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| + where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated + between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project + TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() + on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) + step timeframe by DeviceVendor;\\n// Filtering specific records associated + with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| + extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, + -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), + anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| + where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| + project DeviceVendor,AnomalyHour, TimeGenerated, Total, 
baseline, anomalies, + score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated + > ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to + popalate associated records for investigation - Results sorted by score in + descending order\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| + join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| + where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) + // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) + //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount + = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist + = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, + 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| + extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| + extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal + > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, + SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, + Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), + StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist + = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist + = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, + 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| + project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, + DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, + anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\"],\"displayName\":\"Time + series anomaly detection for total volume of traffic\",\"description\":\"Identifies + anamalous spikes in network traffic logs as compared to baseline or normal + historical patterns.\\nThe query leverages a KQL built-in anomaly detection + algorithm to find large deviations from baseline patterns.\\nSudden increases + in network traffic volume may be an indication of data exfiltration attempts + and should be investigated.\\nThe higher the score, the further it is from + the baseline value.\\nThe output is aggregated to provide summary view of + unique source IP to destination IP address and port traffic observed in the + flagged anomaly hour.\\nThe source IP addresses which were sending less than + percentotalthreshold of the total traffic have been exluded whose value can + be adjusted as needed .\\nYou may have to run queries for individual source + IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail + | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so + it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated + = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where + AWSCloudTrail_TimeGenerated < ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated + = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| + project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, + ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, + EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, + SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| + extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, + AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail + from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1d10c95d-ef32-41cd-aca0-c6a7f4523494\",\"name\":\"1d10c95d-ef32-41cd-aca0-c6a7f4523494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":\"\",\"exclude\":\"spotfire,vc_redist\",\"dataType\":\"string\",\"name\":\"IgnorePrefixList\",\"description\":\"Ignore + provided prefixes of Process Name\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"RarenessThreshold\",\"description\":\"Set + the rareness threshold for the anomalies generated. All rarity score values + lower than the threshold are flagged as anomalies.\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Rare privileged process calls on a daily basis\",\"description\":\"This anomaly + algorithm identifies rare privileged processes that use either Full or Elevated + security tokens created by an user account. 
The rarity score is the normalized + probability of a user executing a process based on the number of users executing + that particular process divided by the total number of users in the workspace + within the last 21 days. The threshold value for the rarity score scales according + to the minimum number of users executing the process to ensure the value of + the threshold remains meaningful regardless of sample size. Users accounts + that execute processes rarely executed within a workspace with elevated privileges + may be the victim of a privilege escalation attack.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", + \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", + \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", + \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union + isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' + * \\n| extend MessageIP = extract(IPRegex, 0, 
Message)\\n| extend RequestURLIP + = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName + has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName + has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any + (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity + = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend + DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where + DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity + = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse + RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| + where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , + HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ 'OATP'\\n| + extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, + \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n + \ isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n + \ isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n + \ isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n + \ isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n + \ isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n + \ isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n + \ isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n + \ parse_json(Entities)[9].Upn)\\n| where Entities has_any + (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| + where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"techniques\":[\"T1071\",\"T1566\"],\"displayName\":\"Known + PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs + related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, + DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog + (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog + (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert + (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics + (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + How far back to look for events from\\nlet timeframe = 1d;\\n// How close + together build events and file modifications should occur to alert (make this + smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build + processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", + \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow + to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union + isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// + Look for build process starts\\n| where EventID == 4688\\n| where Process + has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, + BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, + timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| + join kind=inner(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// + Look for file modifications to code file\\n| where EventID == 4663\\n| where + Process !in (allow_list)\\n// Look for code files, edit this to include file + extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName + endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| + where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" 
or AccessMask + == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, + FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, + timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// + join where build processes and file modifications seen at same time on same + host\\non timekey, Computer\\n// Limit to only where the file edit happens + after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| + summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) + by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, + timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n// + Look for build process starts\\n| where EventID == 4688 and EventData has_any + (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| + extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process + has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) + \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, + BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, + time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| + where TimeGenerated > ago(timeframe)\\n// Look for file modifications to code + file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", + \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend + NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| where Process !in (allow_list)\\n// Look for code files, + edit this to include 
file extensions used in build.\\n| extend ObjectName + = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" + or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 + for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) + \ \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask + == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| + summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, + Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, + time_window), FileEditTime=TimeGenerated)\\n// join where build processes + and file modifications seen at same time on same host\\non timekey, Computer\\n// + Limit to only where the file edit happens after the build process starts\\n| + where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), + make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, + BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1554\"],\"displayName\":\"Potential + Build Process Compromise\",\"description\":\"The query looks for source code + files being modified immediately after a build process is started. 
The purpose + of this is to look for malicious code injection during the build process.\\nMore + details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| + where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", + \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", + \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", + \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", + \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", + \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", + \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", + \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", + \\\"s3.tor-gateways.de\\\", 
\\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", + \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity + = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1048\"],\"displayName\":\"DNS + events related to ToR proxies\",\"description\":\"Identifies IP addresses + performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let + threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, + Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n + \ with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators + | where Category==threatCategory | where 
isnotempty(UserAgent) | summarize + make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") + | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") + | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList + = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| + project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host + {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The + host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with + the HTTP user agent header {{HttpUserAgent}}. This user agent is known to + be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A + host is potentially running PowerShell to send HTTP(S) requests (ASIM Web + Session schema)\",\"description\":\"This rule identifies a web request with + a user agent header known to belong PowerShell.
You can add custom Powershell + indicating User-Agent headers using a watchlist, for more information refer + to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

\\n + This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any + built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession + Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"let + tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet + operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", + \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where + tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue + == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = + tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| + where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName + = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| + extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| + project 
TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, + ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"NRT + Creation of expensive computes in Azure\",\"description\":\"Identifies the + creation of large size/expensive VMs (GPU or with large no of virtual CPUs) + in Azure.\\nAdversary may create new or update existing virtual machines sizes + to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux + Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes + \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = 
ThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches + against both lower case and uppercase versions of the hash:\\n(fileHashIndicators + | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators + | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to + keep perf fast and result set low, we only need one match to indicate potential + malicious activity that needs to be investigated\\n| join kind=innerunique + (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where + isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n + \ )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated + < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, + ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, + SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, + DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, + IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity + = SourceUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a + match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| + where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| + where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress + = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) + and 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', + tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) + and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n + \ 'Not Available')\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), + \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), + UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| + project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, + AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, + IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity + = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"Detect + PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management + (PIM) generates alerts when there is suspicious or unsafe activity in Azure + Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers + attempts to disable in product PIM alerts which are associated with Azure + MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| + where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| + where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| + extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"MFA + Rejected by User\",\"description\":\"Identifies accurances where a user has + rejected an MFA prompt. 
This could be an indicator that a threat actor has + compromised the username and password of this user account and is using it + to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon + Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"(Preview) + Attempted user account bruteforce per logon type\",\"description\":\"This + algorithm detects an unusually high volume of failed login attempts per user + account per logon type. The model is trained on the previous 21 days of security + event ID 4625 on an account and a logon type. It indicates anomalous high + volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend + TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| + extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), + 
NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// + using innerunique to keep perf fast and result set low, we only need one match + to indicate potential malicious activity that needs to be investigated\\n| + join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated + >= ago(dt_lookBack)\\n | where ResourceProvider == 'MICROSOFT.SQL'\\n + \ | where Category == 'SQLSecurityAuditEvents'\\n | extend SQLSecurityAuditEvents_TimeGenerated + = TimeGenerated\\n // projecting fields with column if exists as this + is in AzureDiag and if the event is not in the table, then queries will fail + due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", + \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not + Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", + \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not + Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated + < ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = + arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| + project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, + NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies + a match in 
SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n//Filtering the table for Email related IOCs\\n| where + isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and + result set low, we only need one match to indicate potential malicious activity + that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity + | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where + UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated + = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where + OfficeActivity_TimeGenerated < ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated + = arg_max(OfficeActivity_TimeGenerated, *) by 
IndicatorId, UserId\\n| project + OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, + ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, + EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, + UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| + extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, + IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to OfficeActivity\",\"description\":\"Identifies a match + in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull + = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend + scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access + denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull + == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull + == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull + == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull + == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull + == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL + required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// + Mapping to Hex so can be mapped using website in comments above\\n| extend + scWin32Status_Hex = 
tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| + extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", + \\\"The referenced account is currently locked out and cannot be logged on + to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user + name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: + The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", + \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ + \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ + \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex + =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", + \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ + \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex + =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex + =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", + \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", + \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode + URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// + Count of attempts by client IP on many ports\\n| summarize makeset(sPort), + makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), + makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), + makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), + ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, + sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| + project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, + Computer, set_sSiteName, sIP, 
set_csUserAgent, set_csMethod, set_scStatusFull, + set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, + ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = + TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"High + count of connections by client IP on many ports\",\"description\":\"Identifies + when 30 or more ports are used for a given client IP in 10 minutes occurring + on the IIS server.\\nThis could be indicative of attempted port scanning or + exploit attempt at internet facing web applications. \\nThis could also simply + indicate a misconfigured service or device.\\nReferences:\\nIIS status code + mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 + Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include + regularly repeating anomalies for URI 
stems\",\"Exclude regularly repeating + anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude + regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly + repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI + stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, + .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, + .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize + script suffixes of the URI stems\",\"description\":\"Give comma separated + script suffixes of the URI stems that should be included in the prioritize + field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude + noisy URI stems\",\"description\":\"Give comma separated URI stems that are + frequently observing noisy sessions, and should be excluded from the Anomalies + table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1190\",\"T1505\"],\"displayName\":\"(Preview) + Anomalous web request activity\",\"description\":\"This algorithm groups the + W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine + learning model identifies the sessions with anomalous requests that triggered + response code 5xx in the last day.\\n5xx codes are an indication that some + application instability or error condition has been triggered 
by the request.\\nThey + can be an indication that an attacker is probing the URI stem for vulnerabilities + and configuration issues, performing some exploitation activity such as SQL + injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses + 6 days of data for training.\\nIt identifies unusual high volume of web requests + that generated respond code 5xx in the last day.\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| + where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * '${' + MaliciousCommand '}' *\\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', + split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| + extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, + \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( + isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = + base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( + isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| + project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, + details_data_s, 
DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, + details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, + timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Azure + WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query + will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j + vulnerability exploitation attempt. If possible, it then decodes the malicious + command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( + union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| + extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName + in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\\n or + ProcessCommandLine matches regex 
@'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~('control.exe','rundll32.exe') + and ProcessCommandLine has '.cpl:')\\nor ProcessCommandLine matches regex + @'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity + = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, + Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), + ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend + FileName = split(Image, '\\\\\\\\', -1)[-1]\\n| where (FileName in~('control.exe','rundll32.exe') + and ProcessCommandLine has '.cpl:')\\n or ProcessCommandLine matches regex + @'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1203\"],\"displayName\":\"MSHTML + vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects + attacks that exploit the 
CVE-2021-40444 MSHTML vulnerability using specially + crafted Microsoft Office documents. \\n The detection searches for relevant + files used in the attack along with regex matches in commnadline to look for + pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", + \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", + \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName + =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| + extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName + = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where + VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| + where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| + extend 
timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1552\"],\"displayName\":\"Azure + DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in + the build process may be stored as Azure DevOps variables. To secure these + variables they should be stored in KeyVault or marked as Secrets. \\nThis + detection looks for new variables added with names that suggest they are credentials + but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where + EventID == 4688 and Process has_any (procList) and not (NewProcessName has + (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), + 
EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, + Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"Windows + Binaries Executed from Non-Default Directory\",\"description\":\"The query + detects Windows binaries, that can be executed from a non-default directory + (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.1.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use + region adjacency\",\"description\":\"Suppress anomalies originated from two + adjacent 
regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check + for matching device\",\"description\":\"Suppress anomalies which are originated + from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1133\",\"T1078\"],\"displayName\":\"(Preview) + Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When + a Palo Alto GlobalProtect account logs in from a geographically new region + that is not the same as the last region the day before, an anomaly will be + generated.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback + = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// + SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD + FS user account\\n//let adfsuser = 'adfsadmin';\\n// Identify ADFS Servers\\nlet + ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated > ago(timeframe+lookback)\\n + \ | where EventSourceName == 'AD FS Auditing'\\n | distinct Computer\\n);\\nSecurityEvent\\n + \ //| where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n + \ // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\\n + \ // for relying party '-' was successfully authenticated.\\n | where + EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n + \ | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n + \ SecurityEvent\\n //| where TimeGenerated > ago(timeframe)\\n | where + Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from + event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n + \ | where tostring(EventData[1]) contains 'identity/claims/name'\\n | + extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n + \ // Filter on the use of a specific AD FS user account\\n //| where + ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| + join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | + where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n + \ | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n + \ | extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, + EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n + \ Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application + = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress + = column_ifexists(\\\"DestAddress\\\", 
\\\"\\\"),\\n SourceAddress + = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort + = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound + connections from endpoints on port 80\\n | where DestPort == 80 and Direction + == '%%14592' and Application == 'System'\\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') + \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, + ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, + AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"AD + FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security + events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication + events on an AD FS server. 
The results then get\\ncorrelated with events from + the Windows Filtering Platform (WFP) to detect suspicious incoming network + traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat + actor trying to use replication services on the AD FS server to get its configuration + settings and extract\\nsensitive information such as AD FS certificates.\\nIn + order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: + https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet + sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP + in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, + DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, + 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", + DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", + MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp + = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", + MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| + where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| + project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, + DNSName = RemoteUrl, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, + Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| + extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP + in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", + SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics + \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request + from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort + '. Action:' Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost + in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, + DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| + project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account + = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, + CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity + = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| + where FileHash in (sha256Hashes)\\n| project TimeGenerated, 
Message, SourceUserID, + FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", + FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 + in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, + InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, + InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, + Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash + = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend + timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity + = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| + where EventID == '4688'\\n| where CommandLine has_any (IPList) \\n| project + TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where + EventID == '4688' and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend + NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName + \ in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| + extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, + Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend + timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Alert + for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies + a match across various data feeds for IP,hashes and IOCs related to Windows/ELF + malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| + where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| + extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), + InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity + = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm + = 'MD5',\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1195\"],\"displayName\":\"SUNBURST + network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain + beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', + 'kMnD=']);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| + project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, + DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| + where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1041\",\"T1071\"],\"displayName\":\"RunningRAT + request parameters\",\"description\":\"This detection will alert when RunningRAT + URI 
parameters or paths are detect in an HTTP request. Id the device blocked + this communication\\npresence of this alert means the RunningRAT implant is + likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-02T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to + Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet + AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\\nlet historicBypassers + = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| + where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| + where TimeGenerated >= ago(endtime)\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| + where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| + parse ScopeDisplayName with OrganizationName '(Organization)'\\n| project + TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, + RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n + \ BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', + OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', + Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Azure + DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This + detection builds an allow list of historic PR policy bypasses and compares + to recent history, flagging pull request bypasses that are not manually in + the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() + {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| + where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account + = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName + = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where + EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| + extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| + extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName + = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) + \ \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| project + TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, + NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents + \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| + project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, + CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware + in the recycle bin\",\"description\":\"The query detects Windows binaries, + that can be used for executing malware, that have been hidden in the recycle + bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n + References: 
https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet + IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) + and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, + *) by IndicatorId\\n| where Active == true\\n// As there is potentially more + than 1 indicator type for matching IP, taking NetworkIP first, then others + if that is empty.\\n// Taking the first non-empty value based on potential + IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, + NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC's + that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet + IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( + TI_ipEntity)\\n | project 
IoCs=iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n + \ // using innerunique to keep perf fast and result set low, we only need + one match to indicate potential malicious activity that needs to be investigated\\n + \ | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession + (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | + where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear + the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, + IoCIP=DstIpAddr, IoCIPDirection='Destination'\\n ),\\n (\\n + \ _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n + \ | where isnotempty(DstIpAddr)\\n // renaming time column + so it is clear the log this came from\\n | extend imNWS_TimeGenerated + = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection='Source'\\n )\\n)on + $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated < ExpirationDateTime\\n| + summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, + IoCIP, IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A + network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The + {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known + indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence + blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) + TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This + rule identifies a match Network Sessions for which the source of destination + IP address is a known IoC.

\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM NetworkSession + schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| + where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, + UserIdentityPrincipalid, UserAgent, 
UserIdentityUserName, SessionMfaAuthenticated, + SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, + IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Changes + to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational + Database Service (RDS) is scalable relational database in the cloud. \\nIf + your organization have one or more AWS RDS Databases running, monitoring changes + to especially internet facing AWS RDS (Relational Database Service) \\nOnce + alerts triggered, validate if changes observed are authorized and adhere to + change control policy. 
\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand + RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", + \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", + \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n + \ \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", + \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", + \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", + \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", + \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", + \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", + \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", + \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n 
\\\"149.248.8.134\\\", + \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", + \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", + \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", + \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", + \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true + \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) + \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any + (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", + DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, + DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, + DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp + = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") + \ \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account + = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated + , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns + (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, + \ Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = + DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession + (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity + = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession + (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity + = DstIpAddr, HostCustomEntity = Hostname , 
AccountCustomEntity = User\\n), + \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) + \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity + = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where + IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity + = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs + \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend + timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity + = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP + in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity + = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| + where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| + extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity + = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) + \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, + IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName + \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where + RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity + = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost + \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where + ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost + \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known + Barium IP\",\"description\":\"Identifies a match across various data feeds + for IP IOCs related to the Barium activity group. 
\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' + \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"i
d\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | + where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | + where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where + Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| + project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n//This + query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" + - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName + has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| + parse Message with * '(' DNSName ')' * \\n| project TimeGenerated, SourceIP, + DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend + MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, + RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", + DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", + RequestURL has_any (domains), \\\"RequestUrl\\\", 
\\\"NoMatch\\\"), AlertDetail + = 'Chia crypto IOC detected'\\n| extend timestamp = TimeGenerated, IPEntity + = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", + DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account + = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name + in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, + Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer + , AlertDetail = 'Chia crypto IOC detected'\\n| extend timestamp = TimeGenerated, + IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in + (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| + parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project + TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, + DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, + Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp + in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = 'Chia crypto + IOC detected'\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, + \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), + DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| + project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, + Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", + 
DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail + = 'Chia crypto IOC detected'\\n| extend timestamp = TimeGenerated, File = + tostring(split(Image, '\\\\\\\\', -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", + SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| + extend FilePath = replace_string(Image, File, '')\\n), \\n(OfficeActivity\\n| + where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, + RecordType, UserId, ClientIP, AlertDetail = 'Chia crypto IOC detected', Type\\n| + extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| + where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 + in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project + TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, + IPEntity = RemoteIP, AlertDetail = 'Chia crypto IOC detected'\\n),\\n(WindowsFirewall\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, + Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, + Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP + in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = 'Chia crypto + IOC detected'\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, + \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, + msg_s, Type\\n| 
parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" + ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class + \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size + \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" + \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| + where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp + = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail + = 'Chia crypto IOC detected'\\n),\\n(AzureDiagnostics \\n| where ResourceType + == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol + 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort + '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost + has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, + IPEntity = SourceHost, AlertDetail = 'Chia crypto IOC detected'\\n),\\n(Event\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail + has_any (sha256Hashes) \\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' + *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, + SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, + FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail + = 'Chia crypto IOC detected'\\n| extend timestamp = TimeGenerated, Computer, + Account, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashAlgo = + 'SHA256'\\n| extend FilePath = replace_string(Image, File, '')\\n),\\n(DeviceFileEvents\\n| + where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, + RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, + Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, + FileHash = InitiatingProcessSHA256, AlertDetail = 'Chia crypto IOC detected'\\n| + extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, + FileHashAlgo = 'SHA256'\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, + File, '')\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| + project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp + = TimeGenerated, AlertDetail = 'Chia crypto IOC detected', FileHashAlgo = + 'SHA256', Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, + Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), + CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, + FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = 'Chia + crypto IOC detected'\\n| where Image has_any (process)\\n| extend timestamp + = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\\\\\', + -1)[-1]), FileHashAlgo = 'SHA256'\\n| extend FilePath= replace_string(Image, + File, '')\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any + (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, + ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, + Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, + CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, + Image = InitiatingProcessFolderPath, AlertDetail = 'Chia crypto IOC detected'\\n| + extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, + FileHashAlgo = 'SHA256'\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, + File, '')\\n),\\n(SecurityEvent\\n| where EventID == '4688'\\n| where NewProcessName + \ has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, + Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, + Account, File = tostring(split(NewProcessName, '\\\\\\\\', -1)[-1]), AlertDetail + = 'Chia crypto IOC detected'\\n| extend FilePath = replace_string(NewProcessName, + File, '')\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity + = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity + = FilePath, FileHashCustomEntity = 
FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Chia_Crypto_Mining + - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies + a match across various data feeds for domains, process, hashes and IP IOC + related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our + threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| + where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| + extend 
DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, + '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() + by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n + \ | extend IngestionTime = ingestion_time()\\n | where IngestionTime > + ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment + the line below to only alert on allowed connections\\n //| where DeviceAction + !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present + extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", + \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions + !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), + trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" + and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url + !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', + PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n + \ | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | + extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose + of checking if we have any TI indicators with this TLD to match on\\n | + extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain + by checking TLD against TLDs from threat feed and drop 
domains where there + is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated + = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated + < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, + Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, + ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, + DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend + timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity + = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match + in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"union + isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value + indicates the Don't Expire Password value has been set\\n | where UserAccountControl + has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't + Expire Password' - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates + that the Password Not Required value is NOT set, this often shows up at the + same time as a 2089 and is the recommended value. This value may not be in + the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password + Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is + present in the 4738 event, this indicates the account has been configured + to logon WITHOUT a password. Generally you should only see this value when + an account is created and only in Event 4720: Account Creation Event. 
\\n + | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password + Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = + TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, + UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n + | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity + = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData + has '2089'\\n // 2089 value indicates the Don't Expire Password value has + been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n + | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl + has \\\"%%2089\\\",\\\"'Don't Expire Password' - Enabled\\\", \\\"Not Changed\\\")\\n + // 2050 indicates that the Password Not Required value is NOT set, this often + shows up at the same time as a 2089 and is the recommended value. This value + may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl + has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n + // If value %%2082 is present in the 4738 event, this indicates the account + has been configured to logon WITHOUT a password. Generally you should only + see this value when an account is created and only in Event 4720: Account + Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password + Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 + - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n + | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", + EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n + | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = + TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, + UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n + | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity + = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"AD + account with Don't Expire Password\",\"description\":\"Identifies whenever + a user account has the setting \\\"Password Never Expires\\\" in the user + account properties selected.\\nThis is indicated in Security event 4738 in + the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 + resolves to \\\"Don't Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| + where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType + = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, + ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"Azure + DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit + logs to be streamed to external storage solutions such as SIEM solutions. 
+ An attacker looking to hide malicious Azure DevOps activity from defenders + may look to disable data streams \\nbefore conducting activity and then re-enabling + the stream after (so as not to raise data threshold-based alarms). Looking + for disabled audit streams can identify this activity, and due to the nature + of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet + IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) + and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, + *) by IndicatorId\\n| where Active == true\\n// As there is potentially more + than 1 indicator type for matching IP, taking NetworkIP first, then others + if that is empty.\\n// Taking the first non-empty value based on potential + IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, + NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC's + that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet + IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) + \\n | project IoCs=iff(NIoCs > HAS_ANY_MAX, 
dynamic([]), IoCs ) );\\nIP_TI\\n// + using innerunique to keep perf fast and result set low, we only need one match + to indicate potential malicious activity that needs to be investigated\\n| + join kind=innerunique (\\n _Im_WebSession (starttime=ago(dt_lookBack), + srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n + \ // renaming time column so it is clear the log this came from\\n | + extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| + where imNWS_TimeGenerated < ExpirationDateTime\\n| summarize imNWS_TimeGenerated + = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, + ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The + IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The + source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known + indicator of compromise of {{ThreatType}}. Consult the threat intelligence + blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) + TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This + rule identifies Web Sessions for which the source IP address is a known IoC. +

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) + and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| + where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), + UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, + EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, + AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, + ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Changes + to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load + Balancer distributes incoming traffic across multiple instances in multiple + availability Zones. This increases the fault tolerance of your applications. + \\n Unwanted changes to Elastic Load Balancer specific security groups could + open your environment to attack and hence needs monitoring.\\n More information: + https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 + \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| + where Process hassuffix 'rundll32.exe'\\n| where CommandLine has_any ('Execute','RegRead','window.close')\\n| + project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, + EventVendor, 
EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1547\"],\"displayName\":\"NOBELIUM + - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This + query idenifies when rundll32.exe executes a specific set of inline VBScript + commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo + use this analytics rule, make sure you have deployed the [ASIM normalization + parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where 
isnotempty(Url)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n | extend MSTI = case(AlertName + has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == + 'Azure Sentinel', true, false)\\n | where MSTI == false\\n // Extract URL + from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", + 1,Entities)\\n // We only want alerts that actually contain URL data\\n | + where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n + \ | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised + Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| + where Alert_TimeGenerated < ExpirationDateTime\\n| summarize Alert_TimeGenerated + = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp + = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity + = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map URL entity to SecurityAlert data\",\"description\":\"Identifies a match + in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union + isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName + == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, + EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID + == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account + = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| + extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() + by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, + AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1070\"],\"displayName\":\"Security + Event log cleared\",\"description\":\"Checks for event id 1102 which indicates + the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" + to avoid generating false positives from other sources, like AD FS servers + for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| 
where isnotempty(Url)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number + of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", + 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n + \ | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url + = tostring(split(Url, ';')[0])\\n | extend OfficeActivity_TimeGenerated = + TimeGenerated\\n // Project a single user identity that we can use for entity + mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), + tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) + \\n) on Url\\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\\n| + summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, + *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp + = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity + = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map URL entity to OfficeActivity data\",\"description\":\"Identifies a match + in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold + = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold + = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" + and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, + SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, + SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort + asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP + = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| + where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| + where TimeDeltainSeconds > TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), + sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, + SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, + MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), + TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) + \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, + DestinationPort\\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount + > MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) + * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp + = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, + HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\",\"T1571\"],\"displayName\":\"Palo + Alto - potential beaconing detected\",\"description\":\"Identifies beaconing + patterns from Palo Alto Network traffic logs based on recurrent timedelta + patterns. \\nThe query leverages various KQL functions to calculate time deltas + and then compares it with total events observed in a day to find percentage + of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks + should be investigated for any malware callbacks or data exfiltration attempts.\\nReference + Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Low\",\"query\":\"AuditLogs\\n| + where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add + member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core + Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity + != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), + IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1078\"],\"displayName\":\"NRT + Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged + role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"Event\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID + in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" + * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" + and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), + 
EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"WDigest + downgrade attack\",\"description\":\"When the WDigest Authentication protocol + is enabled, plain text passwords are stored in the Local Security Authority + Subsystem Service (LSASS) exposing them to theft. This setting will prevent + WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| + where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| + 
where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, + csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| + where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account + = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize + blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas + = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of + hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = + extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate + extracted words to create a summarized user agent for baseline and comparison\\n| + extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away + UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| + summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, + NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, + EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| + where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, + Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, + csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity + = SourceIP, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"techniques\":[\"T1189\",\"T1071\",\"T1203\"],\"displayName\":\"New + UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents + observed in the last 24 hours versus the previous 14 days. This detection\\nextracts + words from user agents to build the baseline and determine rareity rather + than perform a\\ndirect comparison. This avoids FPs caused by version numbers + and other high entropy user agent components.\\nThese new UserAgents could + be benign. However, in normally stable environments,\\nthese new UserAgents + could provide a starting point for investigating malicious activity.\\nNote: + W3CIISLog can be noisy depending on the environment, however OfficeActivity + and AWSCloudTrail are\\nusually stable with low numbers of 
detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Set the lookback to determine if user has created pipelines before\\nlet timeback + = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a + list of previous Release Pipeline creators to exclude\\nlet releaseusers = + AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeback) and TimeGenerated + < ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", + \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing + actions in specific projects so we create this userscope object to match on\\n| + extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize + by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| + where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| + extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope + !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away + Id, ActivityId, 
ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// + See if any of these users have Azure AD alerts associated with them in the + same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated + > ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId + = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() + by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = + iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show + results where the user as AADIdP alerts\\n//| where Alerts > 0\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Azure + DevOps Pipeline modified by a new user.\",\"description\":\"There are several + potential pipeline steps that could be modified by an attacker to inject malicious + code into the build cycle. A likely attacker path is the modification to an + existing pipeline that they have access to. \\nThis detection looks for users + modifying a pipeline when they have not previously been observed modifying + or creating that pipeline before. This query also joins events with data to + Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting + the action has any associated AAD IdP alerts. 
You can also choose to filter + this detection to only alert when the user also has AAD IdP alerts associated + with them.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated > ago(timeframe+spanoftime)\\n// A user account was enabled\\n| + where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount + !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID + = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable + = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount + = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated + > ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID + == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ + \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + 
tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| + extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid + = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| + project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity + = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, + SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), + TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n + \ | where TimeGenerated > ago(timeframe)\\n // A user account was disabled\\n + \ | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project + DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, + Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable + = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n + \ | where TimeGenerated > ago(timeframe)\\n // A user account was disabled\\n + \ | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ + \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend + Activity = \\\"4725 - A user account was 
disabled.\\\"\\n| project DisableTime + = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, + UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable + = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) + on Computer, TargetAccount\\n| where DisableTime - EnableTime < spanoftime\\n| + extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) >= + threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, + Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, + SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, + AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, + AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"User + account enabled and disabled within 10 mins\",\"description\":\"Identifies + when a user account is enabled and then disabled within 10 minutes. 
This can + be an indication of compromise and\\nan adversary attempting to hide in the + noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8bada072-c58c-4df3-a17e-e02392b48240\",\"name\":\"8bada072-c58c-4df3-a17e-e02392b48240\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"(Preview) + UEBA Anomalous Account Deletion\",\"description\":\"Adversaries may interrupt + availability of system and network resources by inhibiting access to accounts + utilized by legitimate users. Accounts may be deleted, locked, or manipulated + (ex: changed credentials) to remove access to accounts.\\nSentinel UEBA detects + anomalies based on dynamic baselines created for each entity across various + data inputs. 
Each entity\xE2\u20AC\u2122s baseline behavior is set according + to its own historical activities, those of its peers, and those of the organization + as a whole. Anomalies can be triggered by the correlation of different attributes + such as action type, geo-location, device, resource, ISP, and more.\\nSupported + data sources: Azure Audit (Core Directory/UserManagement/Delete user, Core + Directory/Device/Delete user, Core Directory/UserManagement/Delete user)\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| + where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| + where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith + \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" + and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription + startswith \\\"An unhandled exception occurred in a UM worker process\\\" + or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging + service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| + where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| + extend timestamp = 
TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"HAFNIUM + Suspicious UM Service Error\",\"description\":\"This query looks for errors + that may indicate that an attacker is attempting to exploit a vulnerability + in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let + default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\\nlet + custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend + Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) + | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, + custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, + eventresult='Success')\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),'/')[-1])\\n| + extend 
requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| + where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), + NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend + IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client + {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The + client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension + {{requestedFileExt}}. Downloading a file with this extension may be harmful + and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A + client made a web request to a potentially harmful file (ASIM Web Session + schema)\",\"description\":\"This rule identifies a web request to a URL that + holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful + if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) + and supports any web session source that complies with ASIM. 
To use this Analytics + Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic + rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom + source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n//Filtering the table for Email related IOCs\\n| where + isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and + result set low, we only need one match to indicate potential malicious activity + that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog + | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n + \ // Filtering PAN Logs for specific event type to match relevant email + entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" 
and DeviceEventClassID + == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n + \ | extend DestinationUserID = tolower(DestinationUserID)\\n | where + DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated + = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| + where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated + = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| + project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, + EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, + FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, + DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, + ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, + AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity + = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match + in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc + = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), + \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), + \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, + locationString \\n// Create time series \\n| make-series dLocationCount = + dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), + 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for + each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) + \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds + to an account being completely stable over time for a given Azure Active Directory + application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = + leftsemi (\\ntable(tableName)\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), + \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), + \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, + locationString \\n| make-series dLocationCount = dcount(locationString) on + TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, + AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| + where Slope > 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| + join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), + \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), + \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, + locationString \\n| make-series dLocationCount = dcount(locationString) on + TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, + AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| + where Slope > 5\\n| top 50 by Slope desc\\n// Higher threshold requirement + on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = 
UserPrincipalName\\n};\\nlet aadSignin + = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Anomalous + sign-in location by user account and authenticating application\",\"description\":\"This + query over Azure Active Directory sign-in considers all user sign-ins for + each Azure Active \\nDirectory application and picks out the most anomalous + change in location profile for a user within an \\nindividual application. + An alert is generated for recent sign-ins that have location counts that are + anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease + note that on workspaces with larger volume of Signin data (~10M+ events a + day) may timeout when using this default query time period.\\nIt is recommended + that you test and tune this appropriately for the 
workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) + == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, + bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount > PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential + port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has + been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots + within 5 minutes. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) + is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1046\"],\"displayName\":\"Port + scan detected (ASIM Network Session schema)\",\"description\":\"This rule + identifies a possible port scan, in which a single source tries to access + a large number of different ports is a short time frame. This may indicate + that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying + to identify open ports in order to penetrate a system.

\\nThis analytic + rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom + source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| + project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| + evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), + graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, + SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| + where Events >= 
eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1567\",\"T1102\"],\"displayName\":\"CreepyDrive + request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command + and control, however, it makes regular requests to predicatable paths.\\nThis + detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated + > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| + where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ + \\\"Consent to application\\\"\\n| where TargetResources has 
\\\"offline\\\"\\n| + extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId + = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, + knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] + with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| + parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: + \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" + and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" + or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" + or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" + or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" + or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType + != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was + granted to all users via an admin - but admin due diligence should be audited + occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), + InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy + = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, + InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key + =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project + TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, + GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| + join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| + where LoggedByService =~ 
\\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId + = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue + has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, + \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| + join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName + =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = + tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| + project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| + project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, + AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, + OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = + GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1528\"],\"displayName\":\"Suspicious + application consent for offline access\",\"description\":\"This will alert + when a user consents to provide a previously-unknown Azure application with + offline access via OAuth.\\nOffline access will provide the Azure App with + access to the listed resources without requiring two-factor 
authentication.\\nConsent + to applications with offline access and read capabilities should be rare, + especially as the knownApplications list is expanded. Public contributions + to expand this filter are welcome!\\nFor further information on AuditLogs + please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| + where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), + LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where + MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, + LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, + SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"NRT + Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor + Authentication (MFA) helps you to prevent credential compromise. This alert + identifies logins to the AWS Management Console without MFA.\\nYou can limit + this detection to trigger for administrative accounts if you do not have MFA + enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin + and if the AdditionalEventData field indicates MFA was NOT used\\nand the + ResponseElements field indicates NOT a Failure. Thereby indicating that a + non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| + where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add + member to role outside of PIM\\\"\\n or (LoggedByService == 
\\\"Core + Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity + != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), + IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.3\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1078\"],\"displayName\":\"Privileged + Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role + being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, + FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, + ThreatType: string, Description: string 
)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] + with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| + where isnotempty(FileHashValue);\\n// Handle matches against both lower case + and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue + = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue + = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result + set low, we only need one match to indicate potential malicious activity that + needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog + | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n + \ | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue + == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, + FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, + DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, + DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| + extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, + HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft + COVID-19 file hash indicator matches\",\"description\":\"Identifies a match + in 
CommonSecurityLog Event data from any FileHash published in the Microsoft + COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| + where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", + \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate + for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", + \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| + where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral + or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| + where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer + != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason + = coalesce(\\n column_ifexists(\\\"Reason\\\", + \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", + 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// + Filter out any graceful reset reasons of AGED OUT which occurs when a TCP + session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" + \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully + close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" + \\n// Uncomment one of the following where clauses to trigger on specific + TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// + TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// + | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// + TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// + | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// + Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, + \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, + Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, + DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), + EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) + by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, + Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = + StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, + HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1046\"],\"displayName\":\"Palo 
+ Alto - possible internal to external port scanning\",\"description\":\"Identifies + a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more + non-graceful tcp server resets from one or more Destination IPs which \\nresults + in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets + coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be + an indication \\nof internal to external port scanning or probing attack. + \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK + and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | + where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type + =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet + ips_list=toscalar(ips | 
summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, + IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet + domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet + sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP + in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) + or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| + extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP + in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", + MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", + SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", + MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp + = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", + MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns + (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = + DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, + IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| + 
extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = + Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp + in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames + has_any (domains)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName + '\\\"]' *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", + DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", + DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp + = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, + IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity + = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP + in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, + AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in + (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP + in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", + DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", + DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n + \ | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, + HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity + =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n + \ | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, + HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity + =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, + HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), 
AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n + \ | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), + AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType + == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, + DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This + query uses sysmon data depending on table name used this may need updating\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail + has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail + with * 'SHA256=' SHA256 '\\\",' *\\n| extend Type = strcat(Type, \\\": \\\", + Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, + Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ + (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, + Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, + FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, + CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) + or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer + = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, + FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, + IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash + in (sha256Hashes) or FileHash in (sha256s)\\n| 
extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.5.1\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"techniques\":[\"T1102\",\"T1204\"],\"displayName\":\"NOBELIUM + - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match + across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: + https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvent
s\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| + where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details + has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", + \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| + project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, + ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId + = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, + TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details + of operations conducted by user 
soon after elevation of permissions\\n| join + (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| + extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize + ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, + PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, + AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"New + PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an + attacker to be able to conduct many potential attacks against Azure DevOps + they will need to gain elevated permissions. \\nThis detection looks for users + being granted key administrative permissions. If the principal of least privilege + is applied, the number of \\nusers granted these permissions should be small. 
+ Note that permissions can also be granted via Azure AD groups and monitoring + of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of AWS cloud trail logs events of group user account by + EventTypeName\",\"description\":\"This algorithm detects an unusually high + volume of AWS cloud trail log events per group user account by different event + types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within + the last day. The model is trained on the previous 21 days of AWS cloud trail + log events on a group user account basis. 
This activity may indicate that + the account is compromised.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName + =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| + extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName + !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, + ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, + Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, + IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1505\"],\"displayName\":\"Azure + DevOps New Extension Added\",\"description\":\"Extensions add additional features + to Azure DevOps. An attacker could use a malicious extension to conduct malicious + activity. 
\\nThis query looks for new extensions that are not from a configurable + list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union + isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| + extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) + \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), + \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| + extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) + \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) + by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, + IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| + where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") + \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| + extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User + = 
TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail + = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp + = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"MFA + disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) + helps prevent credential compromise. This alert identifies when an attempt + has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | 
+ where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs + | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs + | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP + in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| + project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, + Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch + = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), + \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL + in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = 'Dev-0322 + IOC match'\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, + IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, + \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| + where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, + Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName + = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp + = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = + Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp + in (IPList)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' + *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, + DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, + Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp + in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = 'Dev-0322 + IOC 
match'\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, + \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| + extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], + Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or + DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, + Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), + \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") + , AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, + '\\\\\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, + \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| + project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, + AlertDetail = 'Dev-0322 IOC match', Type\\n| extend timestamp = TimeGenerated, + IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| + where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, + DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, + RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity + = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', + 
UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, + Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, + Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP + in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = 'Dev-0322 + IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer + , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == + \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| + project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: + \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type + \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol + \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" + \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" + Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, + DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = 'Dev-0322 + IOC match'\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, + msg_s\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort + 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName + = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = 'Dev-0322 IOC + match'\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| + where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| + parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| project TimeGenerated, + EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| + extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash + = SHA256, AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", + FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP + = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName + in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP + in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| + extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, + CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, + AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity 
= Account, ProcessCustomEntity = InitiatingProcessFileName, + AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity + = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, + 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) + and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in + (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, + Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash + = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail + = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, + AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity + = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, + 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) + and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP + in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + \ InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account + = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine + = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail + = 'Dev-0322 IOC match'\\n| extend 
timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, + AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity + = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP + = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or + (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| + project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, + NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"DEV-0322 + Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across + IOC's related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", + \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", + \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", + \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", + \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", + \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), + CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s + = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType + !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| + where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress + !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ + \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" + and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and + ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) + \ \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), + TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), + RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), + \ CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, + id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, + AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"Sensitive + Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure + Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, + SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should + match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", + \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", + \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", + \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", + \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", 
\\\"122.ns1.dns-info.gq\\\", + \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", + \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", + \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", + \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", + \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", + \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", + \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", + \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", + \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", + \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", + \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", + \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", + \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", + \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", + \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", + \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", + \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", + \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", + \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", + \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", + \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n + \ \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", 
\\\"56.ns1.dns-info.gq\\\", + \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", + \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", + \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", + \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n + \ \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", + \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", + \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", + \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", + \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", + \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", + \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", + \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", + \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", + \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", + \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", + \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", + \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", + \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n + \ \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", + \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", + \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", + \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n + \ 
\\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", + \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", + \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", + \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", + \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", + \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", + \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", + \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", + \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", + \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", + \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", + \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", + \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", + \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", + \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", + \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", + \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", + \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", + \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", + \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", + \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", + \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", + \\\"ns2.microsoftsonline.net\\\", 
\\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", + \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", + \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", + \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", + \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", + \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", + \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", + \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", + \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", + \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", + \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", + \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", + \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", + \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", + \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", + \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", + \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n + \ \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", + \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", + \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", + \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", + \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", + \\n \\\"ns2.microsoftprod.com\\\", 
\\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", + \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", + \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); + \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * + '(' DNSName ')' * \\n | where DNSName in~ (DomainNames) \\n | extend Account + = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n + (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | + extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n + | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress + = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames + with * '[\\\"' DNSName '\\\"]' * \\n | where isnotempty(DNSName) \\n | where + DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( + \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl + \ in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer + = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n + | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s + with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost + ':' DestinationPort '. 
Action:' Action\\n | where isnotempty(DestinationHost)\\n + | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost + \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.6.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known + Barium domains\",\"description\":\"Identifies a match across various data + feeds for domains IOCs related to the Barium activity group.\\n References: + https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Serve
r_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n + | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n + | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, + Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n + \ OfficeActivity\\n | where OfficeWorkload + =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n + \ | extend UPN = tostring(parse_json(Members)[0].UPN)\\n + \ | where UPN contains (\\\"#EXT#\\\")\\n | + project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, + TeamName\\n ) on UPN\\n | where TimeDeleted > TimeAdded\\n + | join kind=inner \\n (\\n OfficeActivity\\n + \ | where RecordType == \\\"SharePointFileOperation\\\"\\n + \ | where SourceRelativeUrl has \\\"Microsoft Teams Chat + Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n + \ | join kind = inner \\n (\\n + \ OfficeActivity\\n | + where RecordType == \\\"SharePointFileOperation\\\"\\n | + where Operation == \\\"FileAccessed\\\"\\n | + where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | + summarize FileAccessCount = count() by 
OfficeObjectId\\n | + where FileAccessCount > fileAccessThrehold\\n ) + on $left.OfficeObjectId == $right.OfficeObjectId\\n )on + $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity + = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1566\"],\"displayName\":\"Accessed + files shared by temporary external user\",\"description\":\"This detection + identifies an external user is added to a Team or Teams chat\\nand shares + a files which is accessed by many users (>10) and the users is removed within + short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity + (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| + where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, + 
UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, + SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, + AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes + made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide + their steps by deleting or stopping the collection of logs that could show + their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, + Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail + API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS + Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS + DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html + 
\",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow + = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser + = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), + StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), + City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows + Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess + = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", + \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime + = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), + makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount + = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") + \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, + AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount + >= successCountThreshold\\n| mvexpand IPAddress\\n| extend 
IPAddress = tostring(IPAddress)\\n| + extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Brute + force attack against a Cloud PC\",\"description\":\"Identifies evidence of + brute force activity against a Windows 365 Cloud PC by highlighting multiple + authentication failures and by a successful authentication within a given + time window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// + Adjust this value to change how many Teams should be deleted before including\\nlet + max_delete_count = 3;\\n// Adjust this value to change the timewindow the + query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" + \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), DeletedTeams = 
make_set(TeamName) by UserId\\n| + where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = + StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\",\"T1489\"],\"displayName\":\"Multiple + Teams deleted by a single user\",\"description\":\"This detection flags the + occurrences of deleting multiple teams within an hour.\\nThis data is a part + of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity + (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions + that suit your web application environment - a sample are provided below\\nlet + scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", + \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData + = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) + \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert + JSON \\n| extend alertData = 
parse_json(Entities) \\n| mvexpand alertData);\\nlet + fileData = alertData\\n// Extract web script files from MDATP alerts - our + malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" + \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = + tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet + hostData = alertData\\n// Extract server details from alerts and map to alert + id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), + DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, + DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet + webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| + project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| + join ( \\n// Find requests that were made to this file on the impacted server + in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) + \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| + extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = + splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker + activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), + RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), + RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), + RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) + by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), + HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, + RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, + RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// + Expose the attacker ip address as 
a custom entity\\n| extend timestamp=StartTime, + IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1505\"],\"displayName\":\"Malicious + web application requests linked with Microsoft Defender for Endpoint (formerly + Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender + for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are + present in the evidence and correlates with requests made to those scripts\\nin + the WCSIISLog to surface new alerts for potentially malicious web request + activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs + is set to 7d. A sample set of popular web script extensions\\nhas been provided + in scriptExtensions that should be tailored to your 
environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| + where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents + that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", + \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure + DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) + are used as an alternate password to authenticate into Azure DevOps. PATs + are intended for programmatic access use in code or applications. \\nThis + can be prone to attacker theft if not adequately secured. 
This query looks + for the use of a PAT in authentication but from a User Agent indicating a + browser. \\nThis should not be normal activity and could be an indicator of + an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| + where CategoryValue == 'Administrative'\\n| where ResourceProviderValue =~ + 'Microsoft.ADHybridHealthService'\\n| where _ResourceId contains 'AdFederationService'\\n| + where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\\n| + extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| + extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity + = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Azure + Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This + detection uses AzureActivity logs (Administrative category) to 
identify the + deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA + threat actor can create a new AD Health ADFS service and create a fake server + to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted + after it is not longer needed via HTTP requests to Azure.\\nMore information + in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which + an IP address is considered an unusual source of role assignment operations\\nlet + alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| + where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity + \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize + count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| + join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated + > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue + = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), + CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = + count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, + ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, + AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\"],\"displayName\":\"Suspicious + granting of permissions to an account\",\"description\":\"Identifies IPs from + which users grant access to other users on azure resources and alerts when + a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", + \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet + endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between + (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| + project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join + kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| + where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue + = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress + = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, + ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| + where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller + = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | + project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller + desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Suspicious + Resource deployment\",\"description\":\"Identifies when a rare Resource and + ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67722b33-6ac1-485c-ad6f-9418f360d1d5\",\"name\":\"67722b33-6ac1-485c-ad6f-9418f360d1d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"(Preview) + UEBA Anomalous Account Access Removal\",\"description\":\"Adversaries may + interrupt availability of system and network resources by inhibiting access + to accounts utilized by legitimate users. Accounts may be deleted, locked, + or manipulated (ex. changed credentials) to remove access to accounts. Sentinel + UEBA detects anomalies based on dynamic baselines created for each entity + across various data inputs. Each entity\xE2\u20AC\u2122s baseline behavior + is set according to its own historical activities, those of its peers, and + those of the organization as a whole. 
Anomalies can be triggered by the correlation + of different attributes such as action type, geo-location, device, resource, + ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 5000;\\n_Im_NetworkSession(eventresult='Failure')\\n| summarize + Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count > threshold\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive + number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The + client at address {{SrcIpAddr}} generated more than {{threshold}} failures + over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1499\"],\"displayName\":\"Excessive + number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This + rule identifies that 
a single source generates an excessive amount of failed + connections. Modify the threshold to change the sensitivity of the rule: the + higher the threshold, the less sensitive is the rule and less incidents will + be generated.

\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM NetworkSession + schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold + = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated + >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' + TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| + parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| + where TicketOptions == '0x40810000'\\n| parse EventData with * 
'Status\\\">' + Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' + ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName + !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' + TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and + TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' + ClientIPAddress \\\"<\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated + >= ago(starttime)\\n| where EventID == 4769 and EventData has '0x17' and EventData + has '0x40810000' and EventData has 'krbtgt'\\n| extend TicketEncryptionType + = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType + == '0x17'\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| + where TicketOptions == '0x40810000'\\n| extend Status = tostring(EventData.Status)\\n| + where Status == '0x0'\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| + where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| + extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName + !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress + = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| + where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| + summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h + = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, + TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h + < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated + >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h + = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, + TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, 
TicketEncryptionType, + Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, + TargetDomainName\\n// Threshold value set above is based on testing, this + value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h + > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc + = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, + \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, + TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity + = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1558\"],\"displayName\":\"Potential + Kerberoasting\",\"description\":\"A service principal name (SPN) is used to + uniquely identify a service instance in a Windows environment. \\nEach SPN + is usually associated with a service account. Organizations may have used + service accounts with weak passwords in their environment. \\nAn attacker + can try requesting Kerberos ticket-granting service (TGS) service tickets + for any SPN from a domain controller (DC) which contains \\na hash of the + Service account. This can then be used for offline cracking. This hunting + query looks for accounts that are generating excessive \\nrequests to different + resources within the last hour compared with the previous 24 hours. 
Normal + users would not make an unusually large number \\nof request within a small + time window. This is based on 4769 events which can be very noisy so environment + based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| + summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + EventCount = count() by Computer, Account, EventID, Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1070\"],\"displayName\":\"NRT + Security Event log cleared\",\"description\":\"Checks for event id 1102 which + indicates the security event log was cleared.\\nIt uses Event Source Name + \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from + other sources, like AD FS servers for 
instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| + where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, + Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity + = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"GitHub + Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a + process where a user is prompted during the sign-in process for an additional + form of identification, such as to enter a code on their cellphone or to provide + a fingerprint scan. Two factor authentication reduces the risk of account + takeover. Attacker will want to disable such security tools in order to go + undetected. 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"Event\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| + parse EventData with * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'ParentCommandLine\\\">' + ParentCommandLine \\\"<\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe + -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe + -Embedding\\\"\\n| parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" + * 'Image\\\">' Image \\\"<\\\" * 'Description\\\">' Description \\\"<\\\" + * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" + * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid + \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' + ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, + ParentUser, Image, ProcessGuid, CommandLine, 
Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1021\"],\"displayName\":\"Lateral + Movement via DCOM\",\"description\":\"This query detects a fairly uncommon + attack technique using the Windows Distributed Component Object Model (DCOM) + to make a remote execution call to another computer system and gain lateral + movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create + a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime 
= arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI + | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n + \ | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// + using innerunique to keep perf fast and result set low, we only need one match + to indicate potential malicious activity that needs to be investigated\\n| + join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= + DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | + extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n + \ | extend tld = tostring(split(domain, '.')[-1])\\n | extend Event_TimeGenerated + = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated + < ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated + , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A + web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A + client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname + is a known 
indicator of compromise of {{ThreatType}}. Consult the threat intelligence + blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) + TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This + rule identifies Web Sessions for which the target URL hostname is a known + IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) + and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust + this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make + a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = + (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where + ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress + !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| + where count_ > signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet + Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize + make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged + into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| + extend 
LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| + where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| + extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend + MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User + = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) + \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) + by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, + SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"Failed + AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies + a list of IP addresses with a minimum number(defualt of 5) of failed logon + attempts to Azure Active Directory.\\nUses that list to identify any successful + AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); + \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); + \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" + and EventID==1\\n| parse EventData with * 'Image\\\">' Image \\\"<\\\" * 'OriginalFileName\\\">' + OriginalFileName \\\"<\\\" *\\n| where Image has_any (ImagesList) and not + (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with + * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Description\\\">' Description + \\\"<\\\" * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'CurrentDirectory\\\">' + CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' + LogonGuid 
\\\"<\\\" * 'Hashes\\\">' Hashes \\\"<\\\" * 'ParentProcessGuid\\\">' + ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' + ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, + ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, + CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1546\"],\"displayName\":\"Modification + of Accessibility Features\",\"description\":\"Adversaries may establish persistence + and/or elevate privileges by executing malicious content triggered by accessibility + features. Windows contains accessibility features that may be launched with + a key combination before a user has logged in (ex: when the user is on the + Windows logon screen). An adversary can modify the way these programs are + launched to get a command prompt or backdoor without logging in to the system.\\n + Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, + launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, + launched when the Windows + U key combination is pressed. The sethc.exe program + is often referred to as \\\"sticky keys\\\", and has been used by adversaries + for unauthenticated access through a remote desktop login screen. 
[1]\\nRef: + https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", + \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| + where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", + \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| + where AccessMask in ('0x2','0x100', '0x10', '0x4')\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, + IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 + and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") + and EventData has_any (scriptExtensions) \\n| where EventData has_any ('0x2','0x100', + '0x10', '0x4')\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| + extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process + has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName + = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| + extend AccessMask = 
tostring(EventData.AccessMask)\\n| where AccessMask in + ('0x2','0x100', '0x10', '0x4')\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", + EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType + == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", + \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity + = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| + where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| + where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, + IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"HAFNIUM + UM Service writing suspicious file\",\"description\":\"This query looks for + the Exchange server UM process writing suspicious files that may be indicative + of webshells.\\nReference: 
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let + threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n + \ | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n + \ | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n + \ | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a + = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | + extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort + = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), + action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend + url = iff(destIp matches regex 
\\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n + \ | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, + url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | + extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"techniques\":[\"T1046\",\"T1071\"],\"displayName\":\"Several + deny actions registered\",\"description\":\"Identifies attack pattern when + attacker tries to move, or scan, from resource to resource on the network + and creates an incident when a source has more than 1 registered deny action + in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// + Enter a reference list of hostnames for your DC servers\\n//let DCServersList + = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| + 
where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer + == 'DS'\\n| where AccountType != 'Machine'\\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' + //DS-Replication-Get-Changes\\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' + //DS-Replication-Get-Changes-All\\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' + //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, + Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n + \ SecurityEvent\\n //| where Computer in (DCServersList)\\n | where + EventID == 4624 and LogonType == 3\\n | where AccountType != 'Machine'\\n + \ | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| + project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, + SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Non + Domain Controller Active Directory Replication\",\"description\":\"This query + detects potential attempts by non-computer accounts (non domain controllers) + to retrieve/synchronize an active directory object leveraging directory replication + services (DRS).\\nA Domain Controller (computer account) would usually be + performing these actions in a domain environment. 
Another detection rule can + be created to cover domain controllers accounts doing at rare times.\\nA domain + user with privileged permissions to use directory replication services is + rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| + where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(domain_lookBack) + and TimeGenerated < ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| + summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize + make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| + where TimeGenerated > ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| + where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to + unpopular website (possible malicious payload delivery)\\\"\\n| project Message, + SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity + = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects + first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold + = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| + where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" + and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID + in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', + 'wildfire-virus')\\n| summarize TotalEvents = count(), ThreatTypes = 
make_set(DeviceEventClassID), + DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) + , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet + CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| + where TimeGenerated > ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto + Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction + =~ \\\"alert\\\" \\n| where DeviceEventClassID in ('spyware', 'scan', 'file', + 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\\n| + summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), + DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) + , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, + DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents < CurrThreshold\\n| + join kind = leftanti (HistoricalThreats \\n| where TotalEvents > HistThreshold) + on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1046\",\"T1030\",\"T1071\"],\"displayName\":\"Palo + Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies + Palo Alto Threat signatures from unusual IP addresses which are not historically + seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion + scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \\n| + where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity + = EmailSenderAddress\\n// using innerunique to keep perf fast and result set + low, we only need one match to indicate potential malicious activity that + needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD + \\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n + \ | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = + SrcUserUpn\\n \\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| + where ProofpointPOD_TimeGenerated < ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated + = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| + project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, + ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of logins to 
computer with elevated token\",\"description\":\"This + algorithm detects an unusually high volume of successful logins with elevated + token per computer. The model is trained on the previous 21 days of security + event ID 4624 on a computer. It indicates anomalous high volume of successful + logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 200;\\n_Im_Dns(responsecodename='NXDOMAIN')\\n| where isnotempty(DnsResponseCodeName)\\n//| + where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, + bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')\\n + \ ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = + SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\",\"T1008\"],\"displayName\":\"Excessive + NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an + incident in the event a client generates excessive amounts of DNS 
queries + for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| + where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", + \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) + on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), + DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ + \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", + ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand 
ExpandedParameters + = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", + \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend + RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\\\\d+))?', + dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, + RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), + UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"techniques\":[\"T1114\",\"T1020\"],\"displayName\":\"Mail + redirect via ExO transport rule\",\"description\":\"Identifies when Exchange + Online transport rule configured to forward emails.\\nThis could be an adversary + mailbox configured to collect mail from multiple user 
accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" + \\n| where ResultDescription == \\\"User account is disabled. The account + has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted + = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), + disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) + by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join + kind= leftouter (\\n // Consider these IPs suspicious - and alert any related + \ successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n + \ | summarize successfulAccountSigninCount = dcount(UserPrincipalName), + successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, + Type\\n // Assume IPs associated with sign-ins from 100+ distinct user + accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on + IPAddress \\n// IPs from which attempts to authenticate as disabled user + accounts originated, and had a 
non-zero success rate for some other account\\n| + where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, + IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, + applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, + Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, + IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet + aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true + aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1078\",\"T1098\"],\"displayName\":\"Sign-ins + from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies + IPs with failed attempts to sign in to one or more disabled accounts and where + that same IP has had successful signins from other accounts.\\nThis could + indicate an attacker who obtained credentials for a list of accounts and is + attempting to login with those accounts, some of which may have already been + disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 + - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"Event\\n + | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n + | parse EventData with * 'Image\\\">' Image \\\"<\\\" * 'CommandLine\\\">' + CommandLine \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" *\\n | where + ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and + CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse + EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Description\\\">' + Description \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" + * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'ParentProcessGuid\\\">' + ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' + ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, + ParentUser, Image, ProcessGuid, 
CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1021\"],\"displayName\":\"Detecting + Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query + detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child + Office detection rules.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let + timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus + == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"AppServices 
+ AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure + App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of logins to user account\",\"description\":\"This algorithm + detects an unusually high volume of successful logins per user account. The + model is trained on the previous 21 days of security event ID 4624 on an account. 
+ It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 + (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac + OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", + \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", + \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, + like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows + NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 + Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", + \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| + extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", + extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| + mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name + =~ \\\"RequestType\\\"\\n| extend RequestType = 
todynamic(ExtendedProperties).Value\\n| + where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| + summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), + lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), + attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| + extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Possible + STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces + potential STRONTIUM group Office365 credential harvesting attempts within + OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where + there was an authentication failure with an unknown user.\\n// IP address + of system attempting logon is also extracted from the SyslogMessage field. 
+ Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ + \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" + and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" + RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, + ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv + logs that show each instance an unknown user tried to logon. \\n Syslog + \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has + \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on + Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts + by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), + LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, + HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt + (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt + - FirstLogonAttempt\\n| where TotalLogonAttempts >= threshold\\n| project + FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, + SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = + HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, + HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Failed + logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts + from unknown users in Syslog authpriv logs. 
The unknown user means the account + that tried to log in \\nisn't provisioned on the machine. A few hits could + indicate someone attempting to access a machine they aren't authorized to + access. \\nIf there are many of hits, especially from outside your network, + it could indicate a brute force attack. \\nDefault threshold for logon attempts + is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime + = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet + GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| + where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize + makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n + \ | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | + distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country + !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"GitHub + Activites from a New Country\",\"description\":\"Detect activities from a + location that was not recently or was never visited by the user or by any + user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure + Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft + Defender for Identity alerts\",\"description\":\"Create incidents based on + all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert + 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet + szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet + starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| + where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType + =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize + historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity + = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType + =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize + min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, + Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity + ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from + a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated + >= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where + Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, + Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| + summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) + by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, + OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp + = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity + = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId + asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\"],\"displayName\":\"SharePointFileOperation + via previously unseen IPs\",\"description\":\"Identifies when the volume of + documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds + a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + excludeProcs = 
dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", + @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| + where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| + where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = + TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), + InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity + = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity + = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST + suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious + child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence + of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.98\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum + users per region\",\"description\":\"whitelist an anomaly if the number of + users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"techniques\":[\"T1133\"],\"displayName\":\"(Preview) + Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When + a Palo Alto GlobalProtect account logs in from a source region that has rarely + been logged in\\nfrom during the last 14 days, an anomaly is triggered. 
This + anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| + where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where + NetworkDirection == 'outbound'\\n| where NetworkBytes > msgszthreshold\\n| + summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| + extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD + - Multiple large emails to the same recipient\",\"description\":\"Detects + when multiple emails with lage size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n| + where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, + Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, + SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, + ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists('ObjectName', + \\\"\\\"), OperationType = column_ifexists('OperationType', \\\"\\\"), ObjectValueName + = column_ifexists('ObjectValueName', \\\"\\\")\\n| where ObjectName has 'Schedule\\\\\\\\TaskCache\\\\\\\\Tree' + and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // + %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"Scheduled + Task Hide\",\"description\":\"This query detects attempts by malware to hide + the scheduled task by deleting the SD (Security Descriptor) value. Removal + of SD value results in the scheduled task disappearing from schtasks /query + and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows + NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well + as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n + Reference: 
https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let + threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, + Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] + \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators + | where Category==threatCategory | where isnotempty(UserAgent) | summarize + make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") + | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") + | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList + = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| + project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host + {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The + host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with + the HTTP user agent header {{HttpUserAgent}}. This user agent is known to + be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A + host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This + rule identifies a web request with a user agent header known to belong to + a hacking tool. This indicates a hacking tool is used on the host.
You + can add custom hacking tool indicating User-Agent headers using a watchlist, + for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

\\n + This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any + built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession + Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| + where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where + InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains + \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, + InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity + = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1543\",\"T1195\"],\"displayName\":\"TEARDROP + memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only + dropper IOCs in Window's defender Exploit Guard activity\\nReferences:\\n- + https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > 
now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column + so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated + = TimeGenerated\\n // NSG Flow Logs have additional information concat + with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, + '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity + == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\\n| + summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, + *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public + IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, + ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, 
FlowType_s, + SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, + NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp + = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity + = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies + a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI + that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any + (successCodes)\\n| where 
ipv4_is_private(cIP) == False\\n| where csUriStem + hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, + cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, + FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor + (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery + contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor + (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity + = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, + FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Exchange + SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks + for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged + about by PeterJson. This exploitation chain utilises an SSRF vulnerability + in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell + on the server. 
In the example\\npowershell can be used to write an email to + disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet + DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) + and ExpirationDateTime > now()\\n // Picking up only IOC's that contain the + entities we want\\n | where isnotempty(DomainName)\\n | where Active == + true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet + Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), + DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains + > HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), + domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) + on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated < ExpirationDateTime\\n| + project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, + ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, + SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, + HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) + TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies + a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses + [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source + that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold + = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| + where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP + = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) + == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, + BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated + from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe + by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between + (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) + and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| + project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) + on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) + step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet + TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, + baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, + 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to + typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline + to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| + extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), + baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| + project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, + baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts + \ | where TimeGenerated > ago(2d) | project TimeGenerated);\\n//Union of all + BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| + where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated + > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column + and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset + to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == + false\\n| extend 
SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB + = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, + *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = + make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB + = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| + where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour + asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) + != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where + Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| + project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, + DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| + where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated + > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column + and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset + to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP + = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend + DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent + / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize + HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, + 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB + = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, + DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB + > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB + desc\\n| extend Rank=row_number(1, 
prev(TimeGeneratedHour) != TimeGeneratedHour) + // Ranking the dataset per Hourly Partition\\n| where Rank < 10 // Selecting + Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, + TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, + TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against + base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| + where TimeGenerated > ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour + = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| + project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, + DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, + baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), + StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= + arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB + = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList + = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, + baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, + StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, + TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, + score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity + = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\"],\"displayName\":\"Time + series anomaly for data size transferred to public internet\",\"description\":\"Identifies + anomalous data transfer to public 
networks. The query leverages built-in KQL + anomaly detection algorithms that detects large deviations from a baseline + pattern.\\nA sudden increase in data transferred to unknown public networks + is an indication of data exfiltration attempts and should be investigated.\\nThe + higher the score, the further it is from the baseline value.\\nThe output + is aggregated to provide summary view of unique source IP to destination IP + address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe + source IP addresses which were sending less than bytessentperhourthreshold + have been exluded whose value can be adjusted as needed .\\nYou may have to + run queries for individual source IP addresses from SourceIPlist to determine + if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// + Filter out known 
processes\\nlet aadConnectHealthProcs = dynamic ([\\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\\n + \ 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\\n + \ 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe',\\n + \ 'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.AadConnect.Health.AadSync.Host.exe',\\n + \ 'Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe',\\n 'miiserver.exe'\\n]);\\n(union + isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == '4656'\\n| where EventData + has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| + extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType + = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == 'Key'\\n| + where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", + \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", + \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| + extend Process = split(ProcessName, '\\\\\\\\', -1)[-1],\\n Account = strcat(SubjectDomainName, + \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| + summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() + by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, + ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID + == '4656' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType + = 
tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend + ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| + extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = + tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize + StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, + Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, + ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| + where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| + extend Process = tostring(split(ProcessName, '\\\\\\\\', -1)[-1])\\n| where + Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, + SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( + WindowsEvent\\n| where EventID == '4663' and EventData has aadHealthMonAgentRegKey\\n| + extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == + 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName + == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| + extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process + !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize + 
StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, + Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, + ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine + accounts\\n//| where AccountType != 'Machine'\\n| extend timestamp = StartTime, + AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"Azure + AD Health Service Agents Registry Keys Access\",\"description\":\"This detection + uses Windows security events to detect suspicious access attempts to the registry + key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation + from AD Health service agents can be used to potentially abuse some of the + features provided by those services in the cloud (e.g. Federation).\\nThis + detection requires an access control entry (ACE) on the system access control + list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake + sure you set the SACL to propagate to its sub-keys. 
You can find more information + in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// + For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet + WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID + = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion + isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains '-' this + indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" + and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled + global group\\n// 4732 - A member was added to a security-enabled local group\\n// + 4756 - A member was added to a security-enabled universal group\\n| where + EventID in (4728, 4732, 4756) \\n| where 
TargetSid matches regex WellKnownLocalSID + or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users + group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend + SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") + - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, + MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, + SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// + 4728 - A member was added to a security-enabled global group\\n// 4732 - A + member was added to a security-enabled local group\\n// 4756 - A member was + added to a security-enabled universal group\\n| where EventID in (4728, 4732, + 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid + = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith + \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), + \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend + MemberName = tostring(EventData.MemberName)\\n// When MemberName contains + '-' this indicates addition of a group to a group\\n| where AccountType == + \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex + WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| + where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, + 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = + tostring(EventData.MemberSid)\\n| extend TargetUserName = 
tostring(EventData.TargetUserName)\\n| + extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend + UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName + = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, + Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, + TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity + = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"User + account added to built in domain local or global group\",\"description\":\"Identifies + when a user account has been added to a privileged built in domain local group + or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
+ Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| + where csMethod == 'GET'\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| + where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery + contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery + contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp + = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity + = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1505\"],\"displayName\":\"SUPERNOVA + 
webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog + data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP + = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet + aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| + where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName + =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| + where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure + Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// + Tagging identities not resolved to friendly names\\n//| extend Unresolved + = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, + UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where + TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure + Result Types\\n| where ResultType 
!in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", + \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly + names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// + Verify there is no success for the same connection attempt after the fail\\nlet + failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins + \\n) on UserPrincipalName\\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\\n| + project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved + identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where + TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| + summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName + = UserPrincipalName;\\n// Join resolved names to unresolved list from portal + signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | + join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName + = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away + lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved + names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins + = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, + \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), + Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), + City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| + extend FullLocation = strcat(Region,'|', State, '|', City)\\n| summarize TimeGenerated + = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = 
makelist(IPAddress), + IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, + UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| + mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), + IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away + IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, + IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where + (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) + or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = + StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Failed + login attempts to Azure Portal\",\"description\":\"Identifies failed login + attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many + failed logon \\nattempts or some failed logon attempts from multiple IPs could + indicate a potential brute force attack. 
\\nThe following are excluded due + to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 + - successful logon\\n50125 - Sign-in was interrupted due to a password reset + or password registration entry.\\n50140 - This error occurred due to 'Keep + me signed in' interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated + > ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", + \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with + reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), + InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n//| where + InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser + = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = pack_array(InitiatedBy, + InvitedUser)\\n| where UserToCompare has_any (\\\"live.com#\\\", 
\\\"#EXT#\\\")\\n| + extend\\n parsedUser = replace_string((iff(UserToCompare has \\\"live.com#\\\", + tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, + \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| + join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n + \ | where TimeGenerated > ago(queryfrequency)\\n | where UserType != + \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// + Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// + Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// + Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// + Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// + Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// + Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// + Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// + MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// + Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// + PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" + // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, + *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, + \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on + parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, + SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, + IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails + = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.4\",\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"techniques\":[\"T1078\",\"T1136\",\"T1087\"],\"displayName\":\"External + guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By + default guests have capability to invite more external guest users, guests + also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, + who have been invited or have invited recently, who also are logging via various + PowerShell CLI.\\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| + where 
ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, + Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), + City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) + \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| + extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| + extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| + extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| + extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| + extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), + StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), + IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) + \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), + City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, + ConditionalAccessPol2Name, Type\\n| where IPAddressCount > threshold and StatusDetails + !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, + StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", + StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = + make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, + EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), + City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, + ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend 
timestamp = StartTime, + AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1078\",\"T1098\"],\"displayName\":\"Attempt + to bypass conditional access rule in Azure AD\",\"description\":\"Identifies + an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe + ConditionalAccessStatus column value details if there was an attempt to bypass + Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus + == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus + == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus + == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we 
only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n | where OperationName + in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n + \ | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost + 'to ' DestinationHost @'\\\\.? Action: ' Firewall_Action @'\\\\.' Rest_msg\\n + \ | extend SourceAddress = extract(@'([\\\\.0-9]+)(:[\\\\.0-9]+)?', 1, SourceHost)\\n + \ | extend DestinationAddress = extract(@'([\\\\.0-9]+)(:[\\\\.0-9]+)?', + 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), + DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n + \ // Traffic that involves a public address, and in case this is the source + address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n + \ | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non + $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated + < ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, + *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, + ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, + ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, + msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, + NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp + = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity + = 
Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall + (NetworkRule & ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// + Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet + MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| + where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse + EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" * 'ImagePath\\\">' + ImagePath \\\"<\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) + or ImagePath has_any 
(MaliciousServiceArtifacts)\\n| parse EventData with + * 'AccountName\\\">' AccountName \\\"<\\\" *\\n|summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, + AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Credential + Dumping Tools - Service Installation\",\"description\":\"This query detects + the installation of a Windows service that contains artifacts from credential + dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Add any known allowed sources and source locations to the filter below (the + NuGet Gallery has been added here as an example).\\nlet allowed_sources = + dynamic([\\\"NuGet 
Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// + Look for feeds created or modified at either the organization or project level\\n| + where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| + where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| + extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// + As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// + Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ + \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| + extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and + locations in the allow list\\n| where SourceLocation !in (allowed_locations) + and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| + extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder + TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, + SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1199\"],\"displayName\":\"External + Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection + looks for new external sources added to an Azure DevOps feed. An allow list + can be customized to explicitly allow known good sources. 
\\nAn attacker could + look to add a malicious feed in order to inject malicious packages into a + build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The + specified user account has expired\",\"\\\\%%2309-The specified account's + password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account + logon time restriction violation\",\"\\\\%%2312-User not allowed to logon + at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account + locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The + specified user account has expired\",\"\\\\%%2309-The specified account's + password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account + logon time restriction violation\",\"\\\\%%2312-User not allowed to logon + at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account + locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure + Reasons\",\"description\":\"Include only selected failure reasons in anomaly + 
results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"(Preview) + Attempted user account bruteforce per failure reason\",\"description\":\"This + algorithm detects an unusually high volume of failed login attempts per user + account per failure reason. The model is trained on the previous 21 days of + security event ID 4625 on an account and a failure reason. It indicates anomalous + high volume of failed login attempts with certain failure reason in the last + day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9053c76-c6cd-409a-a10f-e20b05cc91f5\",\"name\":\"c9053c76-c6cd-409a-a10f-e20b05cc91f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"1\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Anomalous volume of privileged process calls of commonly seen windows attack + vectors on a daily basis\",\"description\":\"This anomaly algorithm detects + unusual volume of privileged (Full or Elevated security token) process creation + calls made by a user account from a selected process list in the last 21 days. + These selected processes are commonly used attack vectors in windows systems. + This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2022-02-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID == 5136 \\n| parse EventData with * 'ObjectClass\\\">' ObjectClass + \\\"<\\\" *\\n| parse EventData with * 'AttributeLDAPDisplayName\\\">' AttributeLDAPDisplayName + \\\"<\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName + == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with + * 'ObjectDN\\\">' ObjectDN \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by Computer, SubjectAccount, 
SubjectUserSid, + SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1134\"],\"displayName\":\"Possible + Resource-Based Constrained Delegation Abuse\",\"description\":\"This query + identifies Active Directory computer objects modifications that allow an adversary + to abuse the Resource-based constrained delegation. \\nThis query checks for + event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP + Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is + an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number + of distinct signatures in a 
day\",\"description\":\"Triggers anomalies when + daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"displayName\":\"(Preview) + Unusual external firewall alarm detected\",\"description\":\"This algorithm + identifies unusual external firewall alarms which are threat signatures released + by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate + top 10 noisy signatures and also noisy source hosts which are repeatedly seen + \\ntriggering threat signatures. After excluding both type of noisy events, + it triggers an anomaly only after exceeding the threshold of \\nnumber of + signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2022-02-24T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Change to true to monitor for Project Administrator adds to *any* project\\nlet + MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only + on Project Administrator add for the following projects\\nlet ProjectsToMonitor + = 
dynamic(['','']);\\nAzureDevOpsAuditing\\n| where + Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| + where Details has 'Administrators'\\n| where Details has \\\"was added as + a member of group\\\" and (Details endswith '\\\\\\\\Project Administrators' + or Details endswith '\\\\\\\\Project Collection Administrators')\\n| parse + Details with AddedIdentity ' was added as a member of group [' EntityName + ']\\\\\\\\' GroupName\\n| extend Level = iif(GroupName == 'Project Collection + Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\\n| + extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails + = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' + added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\\n| where MonitorAllProjects + == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\\n| + project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, + AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, + \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = + Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, + IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Azure + DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors + for additions to projects or project collection administration groups in an + Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/38781e25-924e-4c9d-9a76-8703077be83d\",\"name\":\"38781e25-924e-4c9d-9a76-8703077be83d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"(Preview) + UEBA Anomalous Password Reset\",\"description\":\"Adversaries may interrupt + availability of system and network resources by inhibiting access to accounts + utilized by legitimate users. Accounts may be deleted, locked, or manipulated + (ex: changed credentials) to remove access to accounts. Sentinel UEBA detects + anomalies based on dynamic baselines created for each entity across various + data inputs. Each entity\xE2\u20AC\u2122s baseline behavior is set according + to its own historical activities, those of its peers, and those of the organization + as a whole. 
Anomalies can be triggered by the correlation of different attributes + such as action type, geo-location, device, resource, ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + servicelist = dynamic(['Services\\\\\\\\HealthService', 'Services\\\\\\\\Sense', + 'Services\\\\\\\\WinDefend', 'Services\\\\\\\\MsSecFlt', 'Services\\\\\\\\DiagTrack', + 'Services\\\\\\\\SgrmBroker', 'Services\\\\\\\\SgrmAgent', 'Services\\\\\\\\AATPSensorUpdater' + , 'Services\\\\\\\\AATPSensor', 'Services\\\\\\\\mpssvc']);\\nlet filename + = dynamic([\\\"subinacl.exe\\\",'SetACL.exe']);\\nlet parameters = dynamic + (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', + 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\\nlet FullAccess = dynamic(['A;CI;KA;;;SY', + 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', + 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', + 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| + where TimeGenerated >= ago(timeframe)\\n| where EventID == 4670\\n| where + ObjectType == 'Key'\\n| where ObjectName has_any (servicelist)\\n| parse EventData + with 
* 'OldSd\\\">' OldSd \\\"<\\\" *\\n| parse EventData with * 'NewSd\\\">' + NewSd \\\"<\\\" *\\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has + ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd + has_any (ReadAccess)) , 'System permission has been changed to read from full + access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System + account has been given denied permission', 'None')\\n| project TimeGenerated, + Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, + HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| + where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| extend + ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where ProcessName + in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine + has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, + ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, + EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(timeframe)\\n| + where EventID == 4670 and EventData has_any (servicelist) and EventData has + 'Key'\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType + == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where + ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| + extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd + has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any + (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been + changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any + (DenyAccess)), 'System account has been given denied permission', 'None')\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend ProcessName = 
tostring(EventData.ProcessName)\\n| + extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 + - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| + extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, + Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, + HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| + where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688 and EventData + has_any (filename) and EventData has_any (servicelist) and EventData has_any + (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| + extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where + ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) + \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| + extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend + \ EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, + ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, + EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated + >= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| + where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine + has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), + InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| + project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, + ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = 
InitiatingProcessCommandLine, + Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"Security + Service Registry ACL Modification\",\"description\":\"Identifies attempts + to modify registry ACL to evade security solutions. In the Solorigate attack, + the attackers were found modifying registry permissions so services.exe cannot + access the relevant registry keys to start the service.\\n The detection leverages + Security Event as well as MDE data to identify when specific security services + registry permissions are modified. \\n Only some portions of this detection + are related to Solorigate, it also includes coverage for some common tools + that perform this activity. 
\\n Reference on guidance for enabling registry + auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n + - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n + - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n + - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n + \ - For the event 4670 to be created the audit policy for the registry must + have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule + \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", + \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet + UARegexMinimalString=dynamic(['{','%7b', '%7B']);\\nlet UARegex = @'(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)';\\n(union + isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) + or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = + UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity + = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category + in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", + \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| + where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, + httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, + UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent + has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent + = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, + csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, + IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| + where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by + UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, + EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, + IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| 
where UserAgent has_any (UserAgentString) + or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = + UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), + tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp + = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs + \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex + UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation + = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, + ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, + IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| + where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex + UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, + Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, + IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"User + agent search for log4j exploitation attempt\",\"description\":\"This query + uses various log sources having user agent 
data to look for log4j CVE-2021-44228 + exploitation attempt based on user agent pattern. Log4j is an open-source + Apache logging library that is used in \\n many Java-based applications. The + regex and the string matching look for the most common attacks. This might + not be comprehensive to detect every possible user agent variation.\\n Reference: + https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons + diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // + minimum number of beacons required in a session to surface a row\\nlet 
JitterTolerance + = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either + side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| + where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) + and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter + out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction + !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") + and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated + , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction + \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) + == false\\n// sort into source->destination 'sessions'\\n| sort by SourceIP + asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// + time diff the contact times between source and destination to get a list of + deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP + = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, + 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| + where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort + == nextDestPort\\n// remove small time deltas below the set threshold\\n| + where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n// summarize the + deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), + EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), + makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get + some statistical properties of the delta distribution and smooth any outliers + (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), + outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and + the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers + to typeof(double)\\n// replace outliers with the average of the distribution\\n| + extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < + -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// + summarize with the smoothed distribution\\n| summarize BeaconCount=count(), + makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), + makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, + DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed + distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// + match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| + where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// + where the minimum beacon threshold is satisfied and there was some data transfer\\n| + where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes + > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, + DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, + Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, + SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity + is order of magnitude larger than time delta threshold (eliminates FPs whose + periodicity is close to the values we ignored)\\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\\n| + extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\",\"T1571\"],\"displayName\":\"Fortinet + - Beacon pattern detected\",\"description\":\"Identifies patterns in the time + deltas of contacts between internal and external IPs in Fortinet network data + that are consistent with beaconing.\\n Accounts for randomness (jitter) and + seasonality such as working hours that may have been introduced into the beacon + pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas + is set to 60 seconds and the minimum number of beacons required to emit a\\n + detection is set to 4.\\n Increase the lookback period to capture beacons + with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means + we account for an overall 20% deviation from the infered beacon periodicity. 
+ Seasonality is dealt with\\n automatically using series_outliers.\\n Note: + In large environments it may be necessary to reduce the lookback period to + get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", + \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", + \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", + \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", + \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", + \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", + \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", + \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", + \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", + \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", + \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", 
\\\"cryptonotepool.org\\\", + \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", + \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", + \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", + \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", + \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", + \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", + \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", + \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName + contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ + )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), + \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), + \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n + \ User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n + \ RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n + \ Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} + )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| + extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code + == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| + extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = + 
SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1102\"],\"displayName\":\"Squid + proxy events related to mining pools\",\"description\":\"Checks for Squid + proxy events in Syslog associated with common mining pools .This query presumes + the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| + where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| + extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name + == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), + fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| + extend ClientIPOnly = case(\\nClientIP has \\\".\\\" and ClientIP has ':', + tostring(split(ClientIP,\\\":\\\")[0]),\\nClientIP has \\\".\\\" 
and ClientIP + has '-', tostring(split(ClientIP,\\\"-\\\")[0]),\\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP + has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]),\\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]),\\nisempty(ClientIP) + and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) + and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), + ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| + extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]),\\nClientIP + has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]),\\nClientIP + has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]),\\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]),\\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]),\\nisempty(ClientIP) + and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]),\\nisempty(ClientIP) + and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) + and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), + ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| + extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = + dcount(UserId), UserId = make_set(UserId),\\nPorts = make_set(Port), EventCount + = count() by fwdingDestination, ClientIP = ClientIPOnly\\n| where DistinctUserCount + > 1\\n| mv-expand 
UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| + distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, + fwdingDestination, EventCount\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"techniques\":[\"T1114\",\"T1020\"],\"displayName\":\"NRT + Multiple users email forwarded to same destination\",\"description\":\"Identifies + when multiple (more than one) users mailboxes are configured to forward to + the same destination.\\nThis could be an attacker-controlled destination mailbox + configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| + where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User + account is disabled. 
The account has been disabled by an administrator.\\\"\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount + = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() + by UserPrincipalName, IPAddress, Type\\n| where applicationCount >= threshold\\n| + extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity + = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt + = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, + aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Attempts + to sign in to disabled accounts\",\"description\":\"Identifies failed attempts + to sign in to disabled accounts across multiple Azure Applications.\\nDefault + threshold for Azure Applications attempted to sign in to is 3.\\nReferences: + https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 + - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| + where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want + to look at as they are related to the use of incorrect password.\\n| where + ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| + extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, + Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), + StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString + = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), + \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location + = make_set(LocationString), \\nIPAddress = make_set(IPAddress), 
IPAddressCount + = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription + = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), + SigninCount = count() by UserPrincipalName, Type \\n// + Setting a generic threshold - Can be different for different environment\\n| + where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend + tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), + tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, + AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Distributed + Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed + password cracking attempts from the Azure Active Directory SigninLogs.\\nThe + query looks for unusually high number of failed password attempts coming from + multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 + \ Account is locked because the user tried to sign in too many times with + an incorrect user ID or password.\\n50055 Invalid password, entered expired + password.\\n50056 Invalid or null password - Password does not exist in + store for this user.\\n50126 Invalid username or password, or invalid on-premises + username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, + Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName + = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode('base64')\\\"\\n + \ or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine + contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1059\",\"T1027\",\"T1140\"],\"displayName\":\"NRT + Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding + malicious software is a technique used to obfuscate files from detection.\\nThe + first CommandLine component is looking for Python decoding base64.\\nThe second + CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe + third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| + where EventResult =='Failure'\\n| where EventResultDetails == 'User disabled'\\n| + summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts + = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet + = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n + \ , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, + Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter + \\n (\\n // Consider these IPs suspicious - and alert any related successful + sign-ins\\n imAuthentication\\n | where EventResult=='Success'\\n | + summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet + = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated + with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount + < 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| + project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, + disabledAccountSet, applicationSet, 
\\nsuccessfulAccountSigninCount, successfulAccountSigninSet, + Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, + IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1078\",\"T1098\"],\"displayName\":\"Sign-ins + from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies + IPs with failed attempts to sign in to one or more disabled accounts signed + in successfully to another account.\\nTo use this analytics rule, make sure + you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog + \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in + (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity + = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"techniques\":[\"T1046\",\"T1498\"],\"displayName\":\"Cisco + ASA - threat detection message fired\",\"description\":\"Identifies when the + Cisco ASA Threat Detection engine fired an alert based on malicious activity + occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: + https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails + on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", + \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| + extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( 
SecurityAlert\\n| + where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| + where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| + extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName + == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1053\"],\"displayName\":\"AV + detections related to Tarrask malware\",\"description\":\"This query looks + for Microsoft Defender AV detections related to Tarrask malware. In Microsoft + Sentinel the SecurityAlerts table \\n includes only the Device Name of the + affected device, this query joins the DeviceInfo table to clearly connect + other information such as Device group, ip, logged on users etc. 
\\n This + would allow the Microsoft Sentinel analyst to have more context related to + the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File + extension\",\"description\":\"Give comma separated file extension to exclude + from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum + number of downgrades\",\"description\":\"Generate an anomaly when number of + downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"displayName\":\"(Preview) + Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects + unusual high volume of downgrade label 
activity in Azure Information Protection + (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number + of days and determines the sequence of activity performed on documents along + with the label applied to classify unusual volume of downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ + \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) + == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful + signins from IPs blocked by the firewall solution are suspect\\n // Include + fully successful sign-ins, but also ones that failed only at MFA stage\\n + \ // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n + \ | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on + $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity + = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = + aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Cisco + - firewall block but success logon to Azure AD\",\"description\":\"Correlate + IPs blocked by a Cisco firewall appliance with successful Azure Active Directory + signins. \\nBecause the IP was blocked by the firewall, that same IP logging + on successfully to AAD is potentially suspect\\nand could indicate credential + compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID == 5136 \\n| parse EventData with * 'AttributeLDAPDisplayName\\\">' + AttributeLDAPDisplayName \\\"<\\\" *\\n| parse EventData with * 'ObjectClass\\\">' + ObjectClass \\\"<\\\" *\\n| where AttributeLDAPDisplayName == 
\\\"servicePrincipalName\\\" + and ObjectClass == \\\"user\\\"\\n| parse EventData with * 'ObjectDN\\\">' + ObjectDN \\\"<\\\" *\\n| parse EventData with * 'AttributeValue\\\">' AttributeValue + \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1134\"],\"displayName\":\"Service + Principal Name (SPN) Assigned to User Account\",\"description\":\"This query + identifies whether a Active Directory user object was assigned a service principal + name which could indicate that an adversary is preparing for performing Kerberoasting. + \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" + and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: 
https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain + Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", + \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks + for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| + extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\\\\\')[-1])\\n| + where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where + Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n + \ // AdFind common Flags to check for from various threat actor TTPs\\n + \ or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity + = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = + CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", 
FileHashCustomEntity + = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1018\"],\"displayName\":\"Probable + AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies + the host and account that executed AdFind by hash and filename in addition + to common and unique flags that are used by many threat actors in discovery.\\nTo + use this analytics rule, make sure you have deployed the [ASIM normalization + parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust + this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a + list 
of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| + where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) + \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| + summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| + summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully + logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", + \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple + failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"Failed + AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies + a list of IP addresses with a minimum numbe(default of 5) of failed logon + attempts to AWS Console.\\nUses that list to identify any successful Azure + Active Directory logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba + Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo + Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo + Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device + vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly + data transfer threshold in MB\",\"description\":\"Suppress anomalies when + hourly data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"displayName\":\"(Preview) + Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect + unusually high data transfer seen in network logs. \\nIt uses time series + to decompose the data into seasonal, trend and residual components to \\ncalculate + baseline. Any sudden large deviation from the historical baseline is considered + anomalous activity.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog + (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog + (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where + array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = 
extract(@'\\\\A(.*?)@', + 1, SrcUserUpn)\\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\\n| + extend recipient = extract(@'\\\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\\n| + extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\\n| + where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| + project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - Possible data exfiltration to private email\",\"description\":\"Detects + when sender sent email to the non-corporate domain and recipient's username + is the same as sender's username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nlet + aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated + >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| 
summarize LatestIndicatorTime + = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering + the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// + using innerunique to keep perf fast and result set low, we only need one match + to indicate potential malicious activity that needs to be investigated\\n| + join kind=innerunique (\\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) + and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower + case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName + = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex + emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails + = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), + StatusDetails = tostring(Status.additionalDetails)\\n | extend State = + tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region + = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column + so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated + = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| + where SigninLogs_TimeGenerated < ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated + = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| + project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, + ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, + EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, + IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, + NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp + = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity + = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet + aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true + aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs + table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| + where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, + 
Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName + = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| + where EventData has_any (\\\".decode('base64')\\\", \\\"base64 --decode\\\", + \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| + where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend + NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain + = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents + \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine + contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" + \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, + ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1059\",\"T1027\",\"T1140\"],\"displayName\":\"Process + executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding + malicious software is a technique used to obfuscate files from detection. 
+ \\nThe first CommandLine component is looking for Python decoding base64. + \\nThe second CommandLine component is looking for Bash/sh command line base64 + decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet + IOCTerms 
= \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, + IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", + \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| + where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, + DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, + DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = + case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", + DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where + isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains + \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, + Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity + = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"techniques\":[\"T1133\",\"T1114\"],\"displayName\":\"Known + Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent + IOCs in OfficeActivity data, along with IP plus Connection string information + in 
the CommonSecurityLog data related to Manganese group activity.\\nReferences: + \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet + aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// + Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union + isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where + EventID == '4656'\\n| where EventData contains aadJoinRoot or EventData contains + aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + 
\\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| + where ObjectType == 'Key'\\n| where ObjectName startswith aadJoinRoot and + SubjectLogonId != '0x3e7' //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", + \\\"\\\"), Process = split(ProcessName, '\\\\\\\\', -1)[-1],Account = strcat(SubjectDomainName, + \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n + \ | where EventID == '4656'\\n | where EventData contains keyTransportKey\\n + \ | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand + bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, + EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType + = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == + 'Key'\\n | where ObjectName startswith keyTransportKey and SubjectLogonId + != '0x3e7' //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", + \\\"\\\"), Process = split(ProcessName, '\\\\\\\\', -1)[-1],Account = strcat(SubjectDomainName, + \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer + and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| + project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, + SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// + Accessing Object\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| where + ObjectType == 'Key'\\n| where (ObjectName startswith aadJoinRoot or ObjectName + contains aadRegisteredRoot) and SubjectLogonId != '0x3e7' //Local System\\n| + extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n + \ | where EventID == '4663'\\n | where ObjectType == 'Key'\\n | 
where + ObjectName contains keyTransportKey and SubjectLogonId != '0x3e7' //Local + System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer + and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| + project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, + SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1012\"],\"displayName\":\"AAD + Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This + detection uses Windows security events to detect suspicious access attempts + by the same process\\n to registry keys that provide information about an + AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This + information can be used to export the Device Certificate (dkpub / dkpriv) + and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate + existing Azure AD joined devices.\\n This detection requires an access control + entry (ACE) on the system access control list (SACL) of the following securable + objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin + (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin + (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey + (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
+ You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n + Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-02-17T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist + specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet + meetings = ( \\nZoomLogs \\n| where TimeGenerated >= ago(schedule_lookback) + \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) + \ \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); + \\nZoomLogs \\n| where TimeGenerated >= ago(join_lookback) \\n| where Event + =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) + \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) + \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| + where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| + where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, + 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, + MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity + = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"User + joining Zoom meeting from suspicious timezone\",\"description\":\"The alert + shows users that join a Zoom meeting from a time zone other than the one the + meeting was created in.\\nYou can also whitelist known good time zones in + the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| + where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains + \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User + Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| + extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco + Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule + helps to detect Powershell user-agent activity by an unusual process other + than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// + a threshold can be enabled, see commented line below for PrevSeenCount\\nlet + threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. 
+ Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', + 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity + | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to + potential noise, comment out the Operation statement below to include any + operation type\\n// Additional, but potentially noisy operation types that + include Uploads and Downloads can be included by adding the following - Operation + contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation + =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, + OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, + ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join + kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) + .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension + has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), + UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// + To exclude previous matches when only above a specific count, change threshold + above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| + mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), + UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId + \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend + UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// + identify when UserId is not a match to the specific site url personal folder + reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' + and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize + TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), \\nUserAgents = 
make_list(UserAgent), OfficeIds + = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), + FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, + UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, + UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity + = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1105\"],\"displayName\":\"New + executable via Office FileUploaded Operation\",\"description\":\"Identifies + when executable file types are uploaded to Office services such as SharePoint + and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' + file extensions.\\nAdditionally, identifies when a given user is uploading + these files to another users workspace.\\nThis may be indication of a staging + location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching + on RDP connection computer counts of 5 or more by a given account and IP in + a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union + isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| + where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection + time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = + toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( + WindowsEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == + 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| + where LogonType == 10 // Labeling the first RDP connection time, computer + and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress + = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union + isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| + where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection + time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer + = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| + where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and EventData + has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where + \ LogonType == 10 // Labeling the second RDP connection time, computer and + ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress + = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure + that the first connection is after the second connection --> SecondHop > FirstHop\\n// + Then 
identify only RDP to another computer from within the first RDP connection + by only choosing matches where the Computer names do not match --> FirstComputer + != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding + connections from the same computers with first hop RDP connections to multiple + computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != + SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// + where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop + <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, + SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, + ProcessName\\n// use left anti to exclude anything from the previous 7 days + where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti + (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(starttime) + and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and LogonType == + 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, + 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer + by same account and IP to exclude counts of 5 or more on a given day\\n| where + ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = + toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(starttime) + and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and EventData has + (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where + \ LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, + 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer + 
by same account and IP to exclude counts of 5 or more on a given day\\n| where + ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = + toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, + $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen + = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, + FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, + Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, + AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity + = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1021\"],\"displayName\":\"RDP + Nesting\",\"description\":\"Identifies when an RDP connection is made to a + first system and then an RDP connection is made from the first system\\nto + another system with the same account within the 60 minutes. 
Additionally, + if historically daily\\nRDP connections are indicated by the logged EventID + 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus + in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling + Exchange specific items in IIS logs to remove the unique log identifier in + the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", + tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery + = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, + \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| + extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common + IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", + \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull + == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull + == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull + == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull + == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull + == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL + required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// + Mapping to Hex so can be mapped using website in comments above\\n| extend + scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| + extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", + \\\"The referenced account is currently locked out and cannot be logged on + to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user + name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: + The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", + \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ + \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ + \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex + =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", + \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ + \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex + =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex + =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", + \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", + \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode + URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// + Count of failed logons by a 
user\\n| summarize makeset(decodedUriQuery), makeset(cIP), + makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), + makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), + makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount + = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where + FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, + set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, + set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, + set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity + = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"High + count of failed logons by a user\",\"description\":\"Identifies when 100 or + more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis + could be indicative of attempted brute force based on known account information.\\nThis + could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS + status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 + Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID + = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet + AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to + member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid + matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID + \ \\n| parse EventData with * '\\\"MemberName\\\">' * '=' AccountAdded \\\",OU\\\" + *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, + AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount + = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount + )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = + TimeGenerated\\n),\\n(WindowsEvent\\n// 
Event ID related to member addition.\\n| + where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex + WellKnownGroupSID \\n| parse EventData.MemberName with * '\\\"MemberName\\\">' + * '=' AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend + TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount + = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| + extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount + = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount + )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = + TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// + Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| + where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex + WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' * '=' + AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend + GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount + = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| + project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime + = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser + = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom + = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related + to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid + = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID + or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName + with 
* '\\\"MemberName\\\">' * '=' AccountRemoved \\\",OU\\\" * \\n| where + isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| + extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| + extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, + \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName + = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| + extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project + AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, + Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, + RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, + TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount + == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed + = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where + DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| + extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, + HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"Account + added and removed from privileged groups\",\"description\":\"Identifies accounts + that are added to privileged 
group and then quickly removed, which could be + a sign of compromise.' \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of logins to computer\",\"description\":\"This algorithm + detects an unusually high volume of successful logins per computer. The model + is trained on the previous 21 days of security event ID 4624 on a computer. 
+ It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| + extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User + Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| + extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| + where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = + tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend + Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity + = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), + \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), + \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| + extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), + \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), + \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| + extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend + PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| + join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', + Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| + project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, + Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, + PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend + IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Correlate + Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The + combination of an Unfamiliar sign-in properties alert and an Atypical travel + alert about the same user within a +10m or -10m window is considered a high + severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert + 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID + = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet + GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member + was added to a security-enabled global group\\n// 4732 - A member was added + to a security-enabled local group\\n// 4756 - A member was added to a security-enabled + universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") + \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude + Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| + where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex + WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID + = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount + = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount + = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent + \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 + - A member was added to a security-enabled local group\\n// 4756 - A member + was 
added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", + \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| + extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account + = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| + extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", + \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), + \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| + where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude + Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| + where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex + WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend + TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| + extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| + project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity + = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, + \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid + = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true + \ \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// + 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled + universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", + \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime + = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, + GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, + 
\\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = + SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled + global group was created\\n// 4731 - A security-enabled local group was created\\n// + 4754 - A security-enabled universal group was created\\n| where EventID in + (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith + \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", + \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", + \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount + = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| + extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", + EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) + \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime + = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, + GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, + \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = + SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) + on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = + GroupCreateSubjectAccount, HostCustomEntity = 
GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"Group + created then added to built in domain local or global group\",\"description\":\"Identifies + when a recently created Group was added to a privileged built in domain local + group or global group such as the \\nEnterprise Admins, Cert Publishers or + DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: + For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + files1 = 
dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", + \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet + files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 + = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", + \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", + \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", + \ \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet + FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", + \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", + \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| + where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath + has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| + join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| + extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| + where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related + to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", + \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), + 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore + = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = + TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = 
AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"techniques\":[\"T1569\"],\"displayName\":\"Dev-0228 + File Path Hashes November 2021\",\"description\":\"This hunting query looks + for file paths/hashes related to observed activity by Dev-0228. The actor + is known to use custom version of popular tool like PsExec, Procdump etc. + to carry its activity.\\n The risk score associated with each result is based + on a number of factors, hosts with higher risk events should be investigated + first.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert + (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union + 
isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| + where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project + Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, + Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| + where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| where + EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) + \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend + NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, + Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| + where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessCommandLine + has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, + InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity + = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| + extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand + bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend + Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), + TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, + UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| + where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| + extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, + Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1068\",\"T1078\"],\"displayName\":\"Email + access via active sync\",\"description\":\"This query detects attempts to + add attacker devices as allowed IDs for active sync using the Set-CASMailbox + command.\\nThis technique was seen in relation to Solorigate attack but the + results can indicate potential malicious activity used in different attacks.\\n- + Note that this query can be changed to use the KQL \\\"has_all\\\" operator, + which hasn't yet been documented officially, but will be soon.\\n In short, + \\\"has_all\\\" will only match when the referenced field has all strings + in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps + \ 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold + = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet + TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process + = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, + Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) + to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts + = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, + 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to + typeof(datetime), anomalies to typeof(double), score 
to typeof(double), baseline + to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, + Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold);\\nlet + AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) + | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| + join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + extend DateHour = bin(TimeGenerated, 1h) // create a new column and round + to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only + selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| + summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, + Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = + TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, + Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity + = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"Process + execution frequency anomaly\",\"description\":\"Identifies anomalous spike + in frequency of executions of sensitive processes which are often leveraged + as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms + to find large deviations from baseline patterns.\\nSudden increases in execution + frequency of sensitive processes should be further investigated for malicious + activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for + further outliers or based on custom 
threshold values for score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions + = dynamic([\\\"User registered security info\\\", \\\"User changed default + security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security + info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security + info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n + \ IdentityInfo\\n | where TimeGenerated > ago(queryperiod)\\n | mv-expand + AssignedRoles\\n | where AssignedRoles matches regex 'Admin'\\n | summarize + by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated > ago(queryfrequency)\\n| + where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in + (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| + extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| + where Target in (VIPUsers)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), + Actions = make_set(ResultReason, 
MaxSize=8), Targets=make_set(Target, MaxSize=256) + by Initiator, IP, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.5\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Authentication + Methods Changed for Privileged Account\",\"description\":\"Identifies authentication + methods being changed for a privileged account. This could be an indication + of an attacker adding an auth method to the account so they can have continued + access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| + where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop + = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised + Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| + extend Account = 
iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), + tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user + name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) + \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, + ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType + == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| + project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), + ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), + VendorIds = tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, + ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where + DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device'\\n) + on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| + where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) + \ on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, + FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, + Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, + AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, + 
IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1052\"],\"displayName\":\"Mass + Download & copy to USB device by single user\",\"description\":\"This query + looks for any mass download by a single user with possible file copy activity + to a new USB drive. Malicious insiders may perform such activities that may + cause harm to the organization. \\nThis query could also reveal unintentional + insider that had no intention of malicious activity but their actions may + impact an organizations security 
posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() + by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp + = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"High + Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates + an incident when a host has a high number of Urgent, severity 5, vulnerabilities + 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that 
needs to be investigated\\n| join kind=innerunique (\\n AzureActivity + | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so + it is clear the log this came from\\n | extend AzureActivity_TimeGenerated + = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where + AzureActivity_TimeGenerated < ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated + = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| + project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, + ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, + \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, + NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| + extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, + AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity + from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" + ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' + DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) + \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This + query uses sysmon data depending on table name used this may need updataing\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| + parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| + where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known + ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in + highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| + where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), + LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where + MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, + LoginResult, MFAUsed, 
UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, + \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, + IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Login + to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication + (MFA) helps you to prevent credential compromise. This alert identifies logins + to the AWS Management Console without MFA.\\nYou can limit this detection + to trigger for adminsitrative accounts if you do not have MFA enabled on all + accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the + AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements + field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was + successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft + 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents + based on Microsoft 365 Insider Risk Management\",\"description\":\"Create + incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert + (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", + \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", 
\\\"SetWebFilterString\\\", + \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", + \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic(['codevexillium.org', + 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\\nlet SHA256Hash + = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', + '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', + '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', + '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', + 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', + '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', + 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', + '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', + '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\\nlet + SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", + \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", + \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", + \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| + parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| + where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account + = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, + TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| + extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, + Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| + parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| + where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project + Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query + uses sysmon data depending on table name used this may need updataing\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| + where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' * \\n| + where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", + Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, + Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ + (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, + IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash + = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, + FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| + extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, + CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project + Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(DeviceNetworkEvents\\n| + where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress + = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, + Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName + == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName + = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| + where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) + \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| + where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| + where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine + has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| + extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| + project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| + where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", + \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" + and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| + project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( + WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", + \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" + ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName + has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine + = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" + and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| + extend Account = 
strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, + Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType + == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.6.2\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"techniques\":[\"T1071\",\"T1204\"],\"displayName\":\"Known + ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks + against security researcher campaign malware 
hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookback = 14d;\\nlet timeframe = 
1d;\\n// exclude allowed users from query + such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// + Look for agents being added to a pool of a OS type not seen with that pool + before\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and + TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| + where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| + extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| + extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| + project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| + where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| + extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription + = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend + OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, + OsDescription),\\n// Look for users addeing agents to a pool that they have + not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated + > ago(lookback) and TimeGenerated < ago(timeframe)\\n| extend AgentPoolName + = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| + project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| + where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| + where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) + on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| + extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails + = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, + ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, + 
OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1053\"],\"displayName\":\"New + Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As + seen in attacks such as SolarWinds attackers can look to subvert a build process + by controlling build servers. Azure DevOps uses agent pools to execute pipeline + tasks. \\nAn attacker could insert compromised agents that they control into + the pools in order to execute malicious code. This query looks for users adding + agents to pools they have \\nnot added agents to before, or adding agents + to a pool of an OS that has not been added to that pool before. 
This detection + has potential for false positives so has a \\nconfigurable allow list to allow + for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or + Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n + \ | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", + \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize + by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency + update these\\n | where TimeGenerated > ago(1d)\\n | where EventID == 4688\\n + \ | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", + \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where + Process !in (known_processes)\\n // This will likely apply to multiple hosts + so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) + by Process, NewProcessName, CommandLine, 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"LateralMovement\"],\"techniques\":[\"T1072\",\"T1570\"],\"displayName\":\"New + EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This + detection highlights executables deployed to hosts via either the Default + Domain or Default Domain Controller Policies. These policies apply to all + hosts or Domain Controllers and best practice is that these policies should + not be used for deployment of files.\\nA threat actor may use these policies + to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-02-25T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"Event\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID + in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" + * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session + Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventID, Computer, 
TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1546\"],\"displayName\":\"Registry + Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may + establish persistence and/or elevate privileges by executing malicious content + triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries + (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session + Manager\\\\ are loaded into every process that calls the ubiquitously used + application programming interface (API) functions CreateProcess, CreateProcessAsUser, + CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust + this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make + a list of all IPs with failed signins 
to AAD above our threshold\\nlet aadFunc + = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where + ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress + !in ('127.0.0.1', '::1')\\n| summarize count() by IPAddress\\n| where count_ + > signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these + IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| + where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where + SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| + where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed + AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, + IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See + if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons + = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where + LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress + in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins + from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, + Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, + Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, + toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| + where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| + extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend + Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend + Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", 
tostring(EventData.TargetUserName))\\n| + extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount + = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| + extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", + \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), + \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| + project TimeGenerated, Account, AccountType, Computer, Activity, EventID, + LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true + linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"Failed + AzureAD logons but success logon to host\",\"description\":\"Identifies a + list of IP addresses with a minimum number (default of 5) of failed logon + attempts to Azure Active Directory.\\nUses that list to identify any successful + remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + mode = 'Blocked'; \\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\\nlet + minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| + where TimeGenerated > minTime\\n| where Category == 'ApplicationGatewayFirewallLog'\\n| + where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated + asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, + 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| + summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() + \ by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime + - minTime\\n| extend TimeKey = 
bin(SessionStarted, sessionBin)\\n| join kind + = inner(\\nAzureDiagnostics\\n| where TimeGenerated > minTime\\n| where Category + == 'ApplicationGatewayAccessLog'\\n| where httpStatus_d in (successCode) or + isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, + sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey + to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s + == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between + (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", + \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", + \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| + summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), + RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), + \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) + by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio + = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio + desc, timestamp asc\\n| where SessionBlockedCount > SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"A + potentially malicious web request was executed against a web server\",\"description\":\"Detects + unobstructed Web Application Firewall (WAF) activity in sessions where the + WAF blocked incoming requests by computing the \\nratio between blocked requests + and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). 
+ A high ratio value for \\na given client IP and hostname calls for further + investigation of the WAF data in that session, due to the significantly high + number \\nof blocked requests and a few unobstructed logs which may be malicious + but have passed undetected through the WAF. The successCode \\nvariable defines + what the detection thinks is a successful status code, and should be altered + to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | + where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, + sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - + may need to be updated with latest\\nWindowsEvent\\n| where EventID == '4688' + and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| + where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n + \ , Account = 
strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| + extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, + '\\\\\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\\n| extend + FilePath = replace_string(NewProcessName, File, '')\\n| project TimeGenerated, + timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, + Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Chia_Crypto_Mining + - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies + a match across various data feeds for domains, process, hashes and IP IOC + related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", + \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not + click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| + where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted + Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| + extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" + SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" + BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" + SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n + or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any + (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), + ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), + ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, + 
(iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords + )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, + '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize + count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) + by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, + OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity + = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"Malicious + Inbox Rule\",\"description\":\"Often times after the initial compromise the + attackers create inbox rules to delete emails that contain certain keywords. + \\n This is done so as to limit ability to warn compromised users that they've + been compromised. 
Below is a sample query that tries to detect this.\\nReference: + https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union + isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering + on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| + where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\\n| + where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i + CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand + = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), + encodedCommand)\\n// Note: currently the base64_decode_tostring function is + limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', + base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) + - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| + extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| + where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, + Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName + = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData + has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| + where not(EventData has_any ('gc_worker.exe', 'gc_service.exe'))\\n//consider + filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend + Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n//FileName = Process\\n//where + FileName in~ 
(\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| + extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where + not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\\n| extend + CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| + parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| + extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, + \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring + function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', + base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) + - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| + extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| + where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName + = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| + extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, + AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, + encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell + Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances + of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs + \\n| where TimeGenerated > ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" + \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") + \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove + eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand + TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) + \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = + tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) + \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged + role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) + \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) + \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend + Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime + = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, + Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated + > ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType + in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName + has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") + and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand + TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) + \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = + tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) + \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged + role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) + \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) + \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend + Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime + = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result + \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= + inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime + < RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) + \\n| where 
NoofAdminsRemoved > 1\\n| project AddedGlobalAdminTime, Initiator, + Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"Multiple + admin membership removals from newly created admin.\",\"description\":\"This + query detects when newly created Global admin removes multiple existing global + admins which can be an attempt by adversaries to lock down organization and + retain sole access. \\n Investigate reasoning and intention of multiple membership + removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| + where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ + >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, + IPCustomEntity 
= IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"High + Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates + an incident when a host has a high number of Urgent, severity 5, vulnerabilities + detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and LogonType + == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), + ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), + IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left + anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| + where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and EventData + 
has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| + where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| + extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid + = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith + \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), + \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend + Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend + LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), + Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, + ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID + == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account + = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) + .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), + IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize + StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby + Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| + extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity + = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1021\"],\"displayName\":\"Rare + RDP Connections\",\"description\":\"Identifies when an RDP connection is new + or rare related to any logon type by a given account today based on comparison + with the previous 14 days.\\nRDP connections are indicated by the EventID + 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| + where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates + and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand + target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) + has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend + targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId + = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| + extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| + where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set + = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| + where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, + old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" + keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string + \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where 
keyUsage + == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key + == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend + InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// + The below line is currently commented out but Microsoft Sentinel users can + modify this query to show only Application or only Service Principal events + in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType + =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| + project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, + UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, + keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1550\"],\"displayName\":\"NRT + New access credential added to Application or Service Principal\",\"description\":\"This + will alert when an admin or app owner account adds a new credential to an + Application or Service Principal where a verify KeyCredential was already + present for the app.\\nIf a threat actor obtains access to an account with + sufficient privileges and adds the alternate authentication material triggering + this event, the threat actor can now authenticate as the Application or Service + Principal using this credential.\\nAdditional information on OAuth 
Credential + Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"let + Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", + \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not + click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| + where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted + Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| + extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" + SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" + BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" + SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n + or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any + (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), + ClientIP has \\\"[\\\", 
tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), + ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, + (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords + )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, + '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize + count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) + by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, + RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"NRT + Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise + the attackers create inbox rules to delete emails that contain certain keywords.\\n + This is done so as to limit ability to warn compromised users that they've + been compromised. 
Below is a sample query that tries to detect this.\\nReference: + https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a255ca7d-ea19-4b7b-8d88-a51ce1c72c29\",\"name\":\"a255ca7d-ea19-4b7b-8d88-a51ce1c72c29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"(Preview) + UEBA Anomalous Privilege Granted\",\"description\":\"Adversaries may add adversary-controlled + credentials for Azure Service Principals in addition to existing legitimate + credentials to maintain persistent access to victim Azure accounts.\\nSentinel + UEBA detects anomalies based on dynamic baselines created for each entity + across various data inputs. Each entity\xE2\u20AC\u2122s baseline behavior + is set according to its own historical activities,\\nthose of its peers, and + those of the organization as a whole. 
Anomalies can be triggered by the correlation + of different attributes such as action type, geo location, device, resource, + ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-01-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// + Look for specific Directory Service Changes and parse data\\n| where EventID + == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand + bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend + Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, + Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where + changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", + \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// + Look for InternalHostName or ExternalHostName properties being changed\\n| + extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", + \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", + \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| + extend AttributeValue = 
column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| + where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| + extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder + LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| + extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity + = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Exchange + OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This + query uses Windows Event ID 5136 in order to detect potential webshell deployment + by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName + or ExternalHostName properties of Exchange OAB Virtual Directory objects in + AD Directory Services\\nwhere the new objects contain potential webshell objects. 
+ Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft + Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft + Cloud App Security alerts\",\"description\":\"Create incidents based on all + alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert + (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 
'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition + !in ('reject', 'discard')\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| + where attachedMimeType == 'application/zip'\\n| project SrcUserUpn, DstUserUpn\\n| + extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - Binary file in attachment\",\"description\":\"Detects when email recieved + with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union + isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| + extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| + where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend + ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith + \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| + where EventID == 4663\\n| where 
ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| + extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| + where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity + = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1554\"],\"displayName\":\"SUNSPOT + log file creation\",\"description\":\"This query uses Microsoft Defender for + Endpoint data and Windows Event Logs to look for IoCs associated with the + SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ + \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low
\",\"query\":\"imProcess\\n + \ | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", + \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where + CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"techniques\":[\"T1485\",\"T1036\"],\"displayName\":\"Potential + re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks + for command line parameters associated with the use of Sysinternals sdelete + (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple + files on a host's C drive.\\nA threat actor may re-name the tool to avoid + detection and then use it for destructive attacks on a host.\\nThis detection + uses the ASIM imProcess parser, this will need to be deployed before use - + https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-03-02T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookBack = 14d;\\nlet 
timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| + where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(lookBack) + and TimeGenerated < ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| + summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType + == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal + !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project + Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| + extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect + a rare user-agents indicating web browsing activity by an unusual process + other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| + where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 + Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime + = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, + SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, + \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | + where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription + !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange + Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime + = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, + ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName + \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime + <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize + FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) + by 
UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, + ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"techniques\":[\"T1110\",\"T1078\"],\"displayName\":\"Successful + logon from IP and failure from a different IP\",\"description\":\"Identifies + when a user account successfully logs onto an Azure App from one IP and within + 10 mins failed to logon to the same App via a different IP.\\nThis may indicate + a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct + number of operations\",\"Distinct number of ClientInfoString\",\"Distinct + number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct + number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind + operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules + operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct + number of operations\",\"Distinct number of ClientInfoString\",\"Distinct + number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct + number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind + operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules + operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top + reason for high anomaly score\",\"description\":\"Include only anomalies where + the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"displayName\":\"(Preview) + Anomalous user activities in Office Exchange\",\"description\":\"This machine + learning model groups the Office Exchange logs on a per-user basis into hourly + buckets. We define one\\nhour as a session. The model is trained on the previous + 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous + user Office Exchange sessions in the last day.\\nThis algorithm checks for + sufficient volume of data before training the model.\\n\\nAn autoencoder model + is used.\\nIts aim is to compress the user Office Exchange sessions into a + bottleneck encoding.\\nIt then attempts to reconstruct the input sessions + as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction + errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity + 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let + tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet + operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", + \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where + tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue + == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = + tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| + where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName + = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| + extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| + project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, + ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Creation + of expensive computes in Azure\",\"description\":\"Identifies the creation + of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary + may create new or update existing virtual machines sizes to evade defenses + \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes + \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and LogonType + == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + 
ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet + = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| + where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 \\n| extend + LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend + ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account + endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", + \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| + extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| + extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday + = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby + Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner + (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(starttime) + and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and LogonType == + 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), + IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated >= ago(starttime) + and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and EventData + has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where + \ LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| + summarize ComputerCountPrev7Days = dcount(Computer) by Account = 
tolower(Account), + IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), + toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * + 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| + where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, + ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, + Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1021\"],\"displayName\":\"Multiple + RDP connections from Single System\",\"description\":\"Identifies when an + RDP connection is made to multiple systems and above the normal for the previous + 7 days.\\nConnections from the same system with the same account within the + same day.\\nRDP connections are indicated by the EventID 4624 with LogonType + = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| + where RemediationDescription has 'CVE-2021-38647'\\n| parse ResourceDetails + with * 'virtualMachines/' VirtualMAchine '\\\"' *\\n| summarize arg_min(TimeGenerated, + *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, + tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, + HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"techniques\":[\"T1190\",\"T1203\"],\"displayName\":\"Vulnerable + Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses + the Azure Defender Security Nested Recommendations data to find machines vulnerable + to OMIGOD CVE-2021-38647. 
OMI is the Linux equivalent of Windows WMI and \\n + helps users manage configurations across remote and local environments. The + query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n + Security Nested Recommendations data is sent to Microsoft Sentinel using the + continuous export feature of Azure Defender(refrence link below).\\n Reference: + https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: + https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName + == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations + = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), + BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations + > 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"GitHub + Signin Burst from Multiple Locations\",\"description\":\"This alerts when + there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", + \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", + \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", + \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", + \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", + \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", + \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", + \\\"hotrnall.com\\\", 
\\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", + \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", + \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", + \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", + \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", + \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", + \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", + \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog + \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| + where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer + = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| + extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection + \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where + isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress + = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with + Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' + DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.4.1\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM + domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing + and command and control domains included in December 2019 DCU/MSTIC takedown. + \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, + DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ + 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role + in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| + where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| + extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand + bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName + = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", + \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| + extend DisplayName = displayName, GroupName = replace('\\\"','',newValue)\\n| + extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| + extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), + initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, + \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName + = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress + = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName + = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| + where GroupName in~ (PrivilegedGroups)\\n// If you don't want to alert for + operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName + != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, + AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, + DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, + TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), + ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not + 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.3\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"User + added to Azure Active Directory Privileged Groups\",\"description\":\"This + will alert when a user is added to any of the Privileged Groups.\\nFor further + information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor + Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" + // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType + =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in 
(\\\"00000002-0000-0000-c000-000000000000\\\", + \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT + Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| + where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, + ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| + order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Azure + Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This + will alert when a user or application signs in using Azure Active Directory + PowerShell to access non-Active Directory resources, such as the Azure Key + Vault, which may be undesired or unauthorized behavior.\\nFor capabilities + and expected behavior of the Azure Active Directory PowerShell module, see: + https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor + further information on Azure Active Directory Signin activity reports, see: + 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"(Preview) + Attempted user account bruteforce\",\"description\":\"This algorithm detects + an unusually high volume of failed login attempts per user account. The model + is trained on the previous 21 days of security event ID 4625 on an account. 
+ It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.5\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + UEBA Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials + of a specific user or service account using Credential\\nAccess techniques + or capture credentials earlier in their reconnaissance process through\\nsocial + engineering for means of gaining Persistence. Sentinel UEBA detects anomalies + based on dynamic baselines created for each entity across various data inputs. + Each entity's baseline behavior is set according to its own historical activities, + those of its peers, and those of the organization as a whole. 
Anomalies can + be triggered by the correlation of different attributes such as action type, + geo-location, device, resource, ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n//Filtering the table for Email related IOCs\\n| where + isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and + result set low, we only need one match to indicate potential malicious activity + that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity + | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend + Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n + \ | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress + == $right.Caller\\n| where AzureActivity_TimeGenerated < ExpirationDateTime\\n| + 
summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, + *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, + EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, + CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, + SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity + = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to AzureActivity\",\"description\":\"Identifies a match in + AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"(Preview) + UEBA Anomalous Code Execution\",\"description\":\"Adversaries may abuse command + and script interpreters to execute commands, scripts, or binaries.\\nThese + interfaces and languages provide ways of interacting with computer systems\\nand + are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", + \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", + \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", + \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", + \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", + \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", + \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", + \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", + \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", + \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", + \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", + \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", + \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", + \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", + \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", + \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", + \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", + \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", + \\n \\\"sankreal.com\\\", \\n 
\\\"scielope.com\\\", + \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", + \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", + \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", + \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", + \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", + \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", + \\n \\\"primenuesty.com\\\" \\n ]);\\nlet + SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", + \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", + \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", + \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", + \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", + \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", + \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", + \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", + \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", + \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", + \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", + \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", + \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", + \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", + \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", + \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", + \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", + \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", + \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", + \\n 
\\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", + \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", + \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", + \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", + \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", + \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", + \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", + \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", + \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", + \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", + \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n + \ ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", + \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", + \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog + \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| + where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account + = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any + = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any + = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| + extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data + depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' + SHA256 ',' * \\n| where 
isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) + \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ + (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, + IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash + = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, + FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| + extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, + CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project + Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| + where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress + = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, + Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName + == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName + = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| + where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics + \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\"],\"displayName\":\"Known + NICKEL domains and hashes\",\"description\":\"IOC domains and hash values + for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and + M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, + DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n + \ | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | + where CommandLine has_all (\\\"accepteula\\\", 
\\\"-r\\\", \\\"-s\\\", \\\"-q\\\", + \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"techniques\":[\"T1485\",\"T1036\"],\"displayName\":\"Potential + re-named sdelete usage\",\"description\":\"This detection looks for command + line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) + to delete multiple files on a host's C drive.\\nA threat actor may re-name + the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| + extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where + ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) + on 
$left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, + DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, + Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend + timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1195\"],\"displayName\":\"Solorigate + Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate + Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device + Name of the affected device, this query joins the DeviceInfo table to clearly + connect other information such as \\n Device group, ip, logged on users etc. + This way, the Microsoft Sentinel user can have all the pertinent device info + in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert + 
(MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = + 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata + (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] + \ with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams + that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n + \ | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n + \ | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), + extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", + substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n + \ | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | + where triCount > triThreshold\\n | distinct Trigram;\\n// collect domain + information from common security log, filter and extract the DGA candidate + and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) + \ \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| + summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where + Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract + DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| + where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number + in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract + the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", + DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", + substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's + and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| + join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n + \ | summarize count() by tostring(AllTriGrams), DGADomain\\n | where + count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains + that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| + join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n + \ | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n + \ | join kind=inner\\n (\\n 
triBaseline\\n )\\n on Trigram\\n + \ | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join + DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n + \ | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize + arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n + \ | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by + Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, + SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential + communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based + host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} + communicated with host {{Name}} that have a domain name that might have been + generated by a Domain Generation Algorithm (DGA), identified by the pattern + {{DGADomain}}. DGAs are used by malware to generate rendezvous points that + are difficult to predict in advance. 
This detection uses the top 1 million + domain names to build a model of what normal domains look like and uses the + model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\"],\"displayName\":\"Potential + communication with a Domain Generation Algorithm (DGA) based hostname (ASIM + Web Session schema)\",\"description\":\"This rule identifies communication + with hosts that have a domain name that might have been generated by a Domain + Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous + points that are difficult to predict in advance. This detection uses the top + 1 million domain names to build a model of what normal domains look like nad + uses the model to identify domains that may have been randomly generated by + an algorithm. You can modify the triThreshold and dgaLengthThreshold query + parameters to change Analytic Rule sensitivity. The higher the numbers, the + less noisy the rule is.
\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM WebSession + schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft + Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known + processes\\nlet aadConnectHealthProcs = dynamic ([\\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\\n + \ 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\\n + \ 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe',\\n + \ 'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.AadConnect.Health.AadSync.Host.exe',\\n + \ 'Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe',\\n 'miiserver.exe'\\n]);\\n(union + isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == '4656'\\n| where EventData + has 
aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| + extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType + = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == 'Key'\\n| + where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", + \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", + \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| + extend Process = split(ProcessName, '\\\\\\\\', -1)[-1],\\n Account = strcat(SubjectDomainName, + \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| + summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() + by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, + ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID + == '4656' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType + = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend + ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| + extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = + tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| + extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize + StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, + 
Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, + ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| + where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| + extend Process = tostring(split(ProcessName, '\\\\\\\\', -1)[-1])\\n| where + Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, + SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n + \ (\\nWindowsEvent\\n| where EventID == '4663' and EventData has aadHealthMonAgentRegKey\\n| + extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == + 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName + == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| + extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process + !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize + StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, + Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, + ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine + accounts\\n//| where AccountType != 'Machine'\\n| extend timestamp = StartTime, + AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"Azure + AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection + uses Windows security events to detect suspicious access attempts to the registry + key of Azure AD Health monitoring agent.\\nThis detection requires an access + control entry (ACE) on the system access control list (SACL) of the following + securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou + can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = 
externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | + where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs + | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | + where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | + where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | + where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where + Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == + 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) + or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData + has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| + extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName + = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) + or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has 'reg add' + and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or + \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any + (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName + has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", + EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| + extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, + Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, + IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer + , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert + = 'SOURGUM IOC 
detected'\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1546\"],\"displayName\":\"SOURGUM + Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC's + related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than 
the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of failed login attempts to AWS Console by each source IP + address\",\"description\":\"This algorithm detects an unusually high volume + of AWS cloud trail log console failed login events per source IP address within + the last day. The model is trained on the previous 21 days of AWS cloud trail + log events on source IP address basis. This activity may indicate that the + IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), + Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where + Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = + min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| + where dcount_NetBios_s >= threshold\\n| extend timestamp = 
StartTime\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"New + High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This + creates an incident when a new high severity vulnerability is detected across + multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", + \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", + \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", + \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", + \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", + \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", + \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", + \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", + \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where + ProcessName contains \\\"squid\\\"\\n| extend 
URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ + )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), + \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), + \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n + \ User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n + \ RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n + \ Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} + )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| + extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code + == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any + (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, + IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1090\",\"T1008\"],\"displayName\":\"Squid + proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events + associated with common ToR proxies. 
This query presumes the default squid + log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"let + OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role + in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| + where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| + extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand + bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName + = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", + \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| + extend DisplayName = displayName, GroupName = replace('\\\"','',newValue)\\n| + extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| + extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), + initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, + \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName + = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress + = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName + = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| + where GroupName in~ (PrivilegedGroups)\\n// If you don't want to alert for + operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName + != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, + AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, + DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, + TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), + ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, + isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"NRT + User added to Azure Active Directory Privileged Groups\",\"description\":\"This + will alert when a user is added to any of the Privileged Groups.\\nFor further + information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor + Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| + where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// + Confirm that the operation impacted a virtual machine\\n| where Authorization + has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three + events when successful, StartTimeed, Accepted (or Rejected), Successful (or + Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), + max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, + Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue + has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing + us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d + = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend + Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| + extend VirtualMachineName = tostring(Scope_s[-1])\\n| 
project StartTime, EndTime, + Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| + join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName + == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, + \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, + FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, + InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// + We need to filter by time sadly, this is the only way to link events\\n| where + PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project + StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, + CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, + InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | + extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | + where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the + script name based on the structure used by the RunCommand extension\\n | + extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", + 1, InitiatingProcessCommandLine)\\n // Discard results that didn't successfully + extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n + \ | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n + \ // The first execution of PowerShell will be the RunCommand script itself, + we can discard this as it will break our hash later\\n | where PSCommand + != PowershellFileName \\n // Now we normalise the cmdlets, we're aiming + to hash them to find scripts using rare combinations\\n | extend PSCommand + = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), + PowershellExecEnd=max(TimeGenerated), 
make_list(PSCommand) by PowershellFileName, + InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| + project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, + PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, + Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, + VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based + on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString + = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash + = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar + (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| + summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| + join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate + prevalence, while we don't need this, it may be useful for responders to know + how rare this script is in relation to normal activity\\n| extend Prevalence + = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever + seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, + AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project + timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, + CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, + Prevalence, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"techniques\":[\"T1570\"],\"displayName\":\"Azure + VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies + when Azure Run command is used to execute a powershell script on a VM that + is unique.\\nThe uniqueness of the powershell script is determined by taking + a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell + script. Alerts from this detection indicate a unique PowerShell was executed\\nin + your environment.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where 
TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity + | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so + it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated + = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated + < ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, + *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, + NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp + = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity + = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to OfficeActivity\",\"description\":\"Identifies a match in + OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = + @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// + Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex + = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// + Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| + where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| + where RequestURL matches regex ipv4_encoded_identification_regex\\n| project + TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded + format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate + = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could + have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate + to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), + make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need + to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) + % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, + \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight + to string as it cannot handle non-UTF8, we need to strip that first\\n| extend + extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// + Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, + extracted_encoded_ip_candidate)\\n// Expand, it's still possible that we might + have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a + clean string. 
We need to put it back into a dynamic array to convert back + to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| + extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend + hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate + = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into + a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| + summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// + Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| + extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// + If it's not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand + ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances + where an IP of a machine in our MDE estate sent it's IP in a base64 encoded + string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), + make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| + project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, + DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1041\",\"T1071\"],\"displayName\":\"IP + address of Windows host encoded in web request\",\"description\":\"This detection + will identify network requests in HTTP proxy data that contains Base64 encoded + IP addresses. 
After identifying candidates the query\\njoins with DeviceNetworkEvents + to idnetify any machine within the network using that IP address. Alerts indicate + that the IP address of a machine\\nwithin your network was seen with it's + IP address base64 encoded in an outbounf web request. This method of egressing + the IP was seen used in POLONIUM's\\nRunningRAT tool, however the detection + is generic.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog + == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData + with * 'Image\\\">' Image \\\"<\\\" * 'OriginalFileName\\\">' OriginalFileName + \\\"<\\\" *\\n| where OriginalFileName has_any 
(procList) and not (Image has_any + (procList))\\n| parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" + * 'Description\\\">' Description \\\"<\\\" * 'CommandLine\\\">' CommandLine + \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' + User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'Hashes\\\">' Hashes + \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' + ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' ParentCommandLine \\\"<\\\" + * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, + ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, + OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"Windows + Binaries Lolbins Renamed\",\"description\":\"This query detects the execution + of renamed Windows binaries (Lolbins). This is a common technique used by + adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold + = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with + reasoning related to conditional access policies.\\n table(tableName)\\n + \ | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n + \ | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") + or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend + UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, + AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet + aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins + = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| + make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) + to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, 
score, + baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\\n| + mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), + anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// + Filtering low count events per baselinethreshold\\n| where anomalies > 0 and + baseline > baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project + UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, + score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| + where TimeGenerated > startofday(ago(timeframe))\\n| join kind=inner ( \\n + \ allSignins\\n | where TimeGenerated > startofday(ago(timeframe))\\n // + create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, + 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, + *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, + UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, + ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| + project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, + ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, + Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, + PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, + score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, + AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"User + Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies + spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike + is determined based on Time series anomaly which will look at historical baseline + values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree + of source IPs\",\"description\":\"Suppress anomalies when degree of source + IPs is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily + event count threshold\",\"description\":\"Suppress anomalies when daily event + count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time + delta threshold in seconds\",\"description\":\"Suppress anomalies when time + delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent + beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing + is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"displayName\":\"(Preview) + Detect machine generated network beaconing behavior\",\"description\":\"This + algorithm identifies beaconing patterns from network traffic connection logs + based on recurrent time delta patterns.\\nAny network connection towards the + untrusted public networks at repetitive time delta is an indication of malware + callbacks or data exfiltration attempts. \\nThe anomaly will calculate time + delta between consecutive network connection between same source and destination + ip as well as count (Connections in time-delta sequence) of \\ntime-delta + sequence between same source and destination. 
Percentage of beaconing is calculated + between connections in time-delta sequence against total connections in a + day.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);\\nlet + oneDriveCallsRegex = dynamic([@'graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content',@'graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content']);\\nCommonSecurityLog\\n| + where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) + or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, + DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, + RequestURL, SourceIP, SourceHostName, 
RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1567\",\"T1102\"],\"displayName\":\"CreepyDrive + URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. + This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7e38a3e4-ccb9-4c73-b4ee-290b3bed077c\",\"name\":\"7e38a3e4-ccb9-4c73-b4ee-290b3bed077c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, + .home\",\"dataType\":\"string\",\"name\":\"Domain suffixes\",\"description\":\"Give + comma separated suffixes to exclude from source data within double quotes, + example: \\\".lan, 
.home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score (probability that the domain is DGA) is + greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"30\",\"name\":\"Distinct + IP filter\",\"description\":\"DGA attacks tend to come from a small number + of distinct IP addresses. Define a threshold value for the number of distinct + IP addresses a second-level domain accesses, above which that domain will + be filtered out as noise. For example, if the threshold is 30, only anomalies + in which the distinct number of IP addresses accessing the second-level domain + is less than or equal to 30 will be included in your results. Our default + value is a result of our own data studies but you can use the Observables + provided to help you adjust your threshold value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\"],\"displayName\":\"(Preview) + Potential domain generation algorithm (DGA) on next-level DNS Domains\",\"description\":\"This + machine learning model indicates the next-level domains (third-level and up)\\nof + the domain names from the last day of DNS logs are unusual. They could potentially + be the output of a domain generation\\nalgorithm (DGA). 
The anomaly applies + to the DNS records that resolve to IPv4 and IPv6 addresses.\",\"lastUpdatedDateUTC\":\"2022-01-18T00:00:00Z\",\"createdDateUTC\":\"2022-01-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| + extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised + Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| + extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), + tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user + name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) + \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| + extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| + join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| + where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, + \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], + DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, + VaultId, tostring(MachineName), DrivesBackedUp, State, 
BackupItemUniqueId, + _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| + project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity + = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, + VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, + BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"CoreBackUp + Deletion in correlation with other related security alerts\",\"description\":\"This + query will help detect attackers attempt to delete backup containers in correlation + with other alerts that could have triggered to help possibly reveal more details + of attacker activity. 
\\nThough such an activity could be legitimate as part + of business operation, some ransomware actors may perform such operation to + cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| + extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message + = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex + \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, + UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount + > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious + link sharing pattern\",\"description\":\"Alerts in links that have been shared + across multiple Zoom chat channels by the same user in a short space if 
time. + \\nAdjust the threshold figure to change the number of channels a message + needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"displayName\":\"(Preview) + Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm + detects unusually high volume of download per user account via Palo Alto VPN + solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt + indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + 
(PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| + where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", + \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", + \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", + \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", + \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", + \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", + \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", + \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", + \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", + \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", + \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", + \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", + \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", + \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", + \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", + \\\"pool-proxy.com\\\", 
\\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", + \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", + \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", + \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", + \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| + extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity + = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"DNS + events related to mining pools\",\"description\":\"Identifies IP addresses + that may be performing DNS lookups associated with common currency mining + pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated > ago(lookback) and 
TimeGenerated < ago(timeframe)\\n| + where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", + \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where + TimeGenerated > ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", + \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated + > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where EventID == 4688 + and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| + extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where + ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| + extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account + = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| + extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| + where TimeGenerated > ago(timeframe)\\n| where EventID == 4688 and EventData + has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName + = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any + (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName + = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) + on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"HAFNIUM + New UM Service Child Process\",\"description\":\"This query looks for new + processes being spawned by the Exchange UM service where that process has + not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog + \\n// Exclude local IPs as these create noise\\n| 
where cIP !startswith \\\"192.168.\\\" + and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ + (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength + or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size + = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, + sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, + cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity + = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Anomalous + User Agent connection attempt\",\"description\":\"Identifies connection attempts + (success or fail) from clients with very short or very long User Agent strings + and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n//Filtering the table for Email related IOCs\\n| where + isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and + result set low, we only need one match to indicate potential malicious activity + that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert + \\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend MSTI = case(AlertName + has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == + 'Azure Sentinel', true, false)\\n | where MSTI == false\\n // Converting + Entities into dynamic data type and use mv-expand to unpack the array\\n | + extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n + \ // Parsing relevant entity column to filter type account and creating + new column by combining account and UPNSuffix\\n | extend 
Entitytype = + tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n + \ EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n + \ | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, + \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n + \ | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress + == $right.EntityEmail\\n| where Alert_TimeGenerated < ExpirationDateTime\\n| + summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, + AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, + EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, + FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, + ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity + = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to SecurityAlert\",\"description\":\"Identifies a match in + SecurityAlert table from any Email IOC from TI which will extend coverage + to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory + has_any ('Dynamic and Residential', 'Personal VPN')\\n| project TimeGenerated, + SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity + = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco + Umbrella - Connection to non-corporate private network\",\"description\":\"IP + addresses of broadband links that usually indicates users attempting to access + their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", + @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", + @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| + where Process hassuffix 'solarwinds.businesslayerhost.exe'\\n| where not(Process + has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity + = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity + = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to + *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST + suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies + suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that + may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo + use this analytics rule, make sure you have deployed the [ASIM normalization + parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet + lookback = 6d;\\n// 
Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( + Event\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == + \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData + = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array + EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), + Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, + EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, + MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, + '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| + where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName + has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| + where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and + EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId + != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| + where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| + where EventID == 4688\\n| where TimeGenerated > ago(timeframe)\\n| where Computer + in~ (ADFS_Servers)\\n| where ParentProcessName has 'wmiprvse.exe'\\n// Looking + for rundll32.exe is based on intel from the blog linked in the description\\n// + This can be commented out or altered to filter out known internal uses\\n| + where CommandLine has_any ('rundll32') \\n| project TimeGenerated, TargetAccount, + CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = 
TimeGenerated, + HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for + recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| + where TimeGenerated > ago(timeframe)\\n| where EventID == 4624 and LogonType + == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on + TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where + TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where + EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') \\n| extend + ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName + has 'wmiprvse.exe'\\n// Looking for rundll32.exe is based on intel from the + blog linked in the description\\n// This can be commented out or altered to + filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| + where CommandLine has_any ('rundll32') \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| + project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity + = Account\\n// Search for recent logons to identify lateral movement\\n| join + kind= inner\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n| where + EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| + where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend + TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) + on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| + where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| + where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData + = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array + EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), + Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, + EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, + MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, + Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1210\"],\"displayName\":\"Gain + Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This + query detects instances where an attacker has gained the ability to execute + code on an ADFS Server through remote WMI Execution.\\nIn order to use this + query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do + not have Sysmon data in your workspace this query will raise an error stating:\\n + \ Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more + on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe + query contains some features from the following detections to look for potentially + malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): + https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- + ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| + where RemediationDescription has 'CVE-2021-44228'\\n| parse ResourceDetails + with * 'virtualMachines/' VirtualMAchine '\\\"' *\\n| summarize arg_min(TimeGenerated, + *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, + tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, + HostCustomEntity = 
VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"techniques\":[\"T1190\",\"T1203\"],\"displayName\":\"Vulnerable + Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses + the Azure Defender Security Nested Recommendations data to find machines vulnerable + to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that + is used in \\n many Java-based applications. Security Nested Recommendations + data is sent to Microsoft Sentinel using the continuous export feature of + Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n + Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n + Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure + Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft + Defender for IOT alerts\",\"description\":\"Create incidents based on all + alerts generated in Microsoft Defender for 
IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert + (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n + \ | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n + \ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1572\"],\"displayName\":\"Potential + Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop + authentication attempts with a localhost source address which can indicate + a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs + | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where + Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type + =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" + | project IoC);\\n//Include in the list below, the ADFS servers you know about + in your environment. 
In the next part of the query, we will try to identify + them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ + \\\"..\\\",\\n\\\"..\\\"\\n];\\n// + Automatically identify potential ADFS services in your environment by searching + process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet + ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID + == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData + has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| + extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName + == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId + = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| + distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName + == 'Microsoft.IdentityServer.ServiceHost.exe'\\n| extend Computer = DeviceName\\n| + distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), + TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, + RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend + process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union + \ (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| + where DeviceName in (ADFS_Servers)\\n| where 
isnotempty(InitiatingProcessSHA256) + or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 + has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| + project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, + IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == '7'\\n| where + Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend + EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], + Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' + SHA256 '\\\",' *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any + (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, + Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, + \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] + \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), + AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| + where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, + FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity + = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| + where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, + '\\\\\\\\', FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) + or 
FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, + DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, + Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, + CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, + Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| + where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| + project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, + Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash + = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend + timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity + = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity + = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| + where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) + or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, + DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, + InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, + InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, + Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, + CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, + Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail + with * 'SHA256=' SHA256 '\\\",' *\\n| where EventDetail has_any (sha256Hashes) + \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, + SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, + FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp + = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, + ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity + = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where + ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' + and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType + = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, + \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, + csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, + HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| + where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) + or FilePath has_any (FilePaths)\\n| extend Account = 
ActorUsername, Computer + = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, + FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, + IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"2.1.1\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"NOBELIUM + IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across + various data feeds for IOCs related to FoggyWeb backdoor by the threat actor + NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of + remotely exfiltrating sensitive information from a compromised AD FS server.\\n + It can also receive additional malicious components from a command-and-control + (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); + \ \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where + Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, '\\\\\\\\')[-1])\\n| + where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, + User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity + = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1564\"],\"displayName\":\"Malware + in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies + malware that has been hidden in the recycle bin.\\nTo use this analytics rule, + make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| + where CategoryValue == 'Administrative'\\n| where ResourceProviderValue =~ + 'Microsoft.ADHybridHealthService'\\n| where _ResourceId contains 'AdFederationService'\\n| + where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\\n| + extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| + extend AccountName = 
tostring(claimsJson.name)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"NRT + Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This + detection uses AzureActivity logs (Administrative category) to identify the + creation or update of a server instance in an Azure AD Hybrid health AD FS + service.\\nA threat actor can create a new AD Health ADFS service and create + a fake server instance to spoof AD FS signing logs. There is no need to compromise + an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests + to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// + Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts + = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" + \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| + parse EventData with * 'TargetFilename\\\">' TargetFilename \\\"<\\\" *\\n| + where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData + with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Image\\\">' Image \\\"<\\\" + *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Credential + Dumping Tools - File Artifacts\",\"description\":\"This query detects the + creation of credential dumping tools files. 
Several credential dumping tools + export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet + nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename='NXDOMAIN', + starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", + \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n + \ | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents + (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, + \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld > threshold\\n + \ // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents + (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend + sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) + by SrcIpAddr\\n | where dcount_sld > threshold ) on SrcIpAddr\\n// Pull + out sample NXDomain responses for those remaining 
potentially infected IPs\\n| + join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) + | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc + = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, + 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity + = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\",\"T1008\"],\"displayName\":\"Potential + DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with + a high NXDomain count which could be indicative of a DGA (cycling through + possible C2 domains\\nwhere most C2s are not live). Alert is generated when + a new IP address is seen (based on not being seen associated with \\nNXDomain + records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | + where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where + ProviderName == 'MDATP'\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), + SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), + FileName = tostring(parse_json(Entities)[0].Name), 
Hostname = tostring(parse_json(Entities)[6].FQDN)| + extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| + project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, + Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, + Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1137\"],\"displayName\":\"ACTINIUM + AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security + Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert + 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\\nProofpointPOD\\n| + where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where + NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| + extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\\n| where attachedExt + in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity + = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - Suspicious attachment\",\"description\":\"Detects when email contains suspicious + attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where + TimeGenerated >= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent + to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target + = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| + extend targetResourceID = tostring(target.id)\\n| extend targetResourceType + = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| + extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames + = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| + extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress + = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated + \ >= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add 
service principal + credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = + TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| + extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp + = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription + = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| + extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| + extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress + = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| + extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent + > TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, + Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, + Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, + Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| + extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, + IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential + added after admin consented to Application\",\"description\":\"This query + will identify instances where Service Principal credentials were added to + an 
application by one user after the application was granted admin consent + rights by another user.\\n If a threat actor obtains access to an account + with sufficient privileges and adds the alternate authentication material + triggering this event, the threat actor can now authenticate as the Application + or Service Principal using this credential.\\n Additional information on OAuth + Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n + For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of failed login attempts to AWS 
Console by each group user + account\",\"description\":\"This algorithm detects an unusually high volume + of AWS cloud trail log console failed login events per group user account + within the last day. The model is trained on the previous 21 days of AWS cloud + trail log events on group user account basis. This activity may indicate that + the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// + Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// + Confirm that the operation impacted a virtual machine\\n| where Authorization + has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three + events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| + summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), + make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// + Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue + has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend + Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| + 
extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| + extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, + Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// + Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// + Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n + \ // We are specifically interested in unusual logins\\n | where EventSource + == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == + \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, + UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, + UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) + and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) + on joinkey\\n// Create a window around the UEBA event times, check to see + if the Run Command action was performed within them\\n| extend UEBAWindowStart + = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime + between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, + Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, + UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| + extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.3\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"techniques\":[\"T1570\"],\"displayName\":\"Azure + VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies + when the Azure Run Command operation is executed by a UserPrincipalName and + IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", + \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", + \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", 
\\\"onion.direct\\\", + \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", + \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", + \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", + \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", + \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", + \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1048\"],\"displayName\":\"DNS + events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies + IP addresses performing DNS lookups associated with common ToR proxies.\\nThis + analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in + or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// + Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet + appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\\nlet + operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\\nAzureActivity\\n| + where CategoryValue == 'Administrative'\\n| where ResourceProviderValue =~ + 'Microsoft.ADHybridHealthService'\\n| where _ResourceId contains 'AdFederationService'\\n| + where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = 
+ parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend + AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| + project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"techniques\":[\"T1528\",\"T1550\"],\"displayName\":\"Azure + Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This + detection uses AzureActivity logs (Administrative category) to a suspicious + application adding a server instance to an Azure AD Hybrid health AD FS service + or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health + Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to + perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction + of failed signins\",\"Number of 
failed signins\",\"Failed signins to successful + signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect + passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct + number of app ids\",\"Distinct number of client apps\",\"Distinct number of + ip addresses\",\"Distinct number of opperating systems\",\"Distinct number + of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct + number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number + of failed signins\",\"Failed signins to successful signins ratio\",\"Number + of signins with incorrect passwords\",\"Incorrect passwords to correct passwords + ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app + ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct + number of opperating systems\",\"Distinct number of browsers\",\"Distinct + number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top + reason for high anomaly score\",\"description\":\"Include only anomalies where + the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"displayName\":\"(Preview) + Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning + model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is + trained on the previous 6 days of user sign-in behavior.\\nIt indicates 
anomalous + user sign-in sessions in the last day.\\nThis algorithm checks for sufficient + volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts + aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt + then attempts to reconstruct the input sessions as best it can from the bottleneck + encoding.\\nThe sessions with high reconstruction errors are assumed to be + anomalous.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let + timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles + > 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"AppServices + AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds + infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"displayName\":\"(Preview) + Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm + detects unusually high volume of upload per user account via Palo Alto VPN + solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt + indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + 
(PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any + (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service + principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| + extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| + where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| + extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| + where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend + InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| + extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| + extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| + extend TargetId = iif(displayName_ =~ 'DelegatedPermissionGrant.Scope',\\n + \ tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n + \ tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| + summarize by bin(TimeGenerated, 1h), OperationName, Initiator, 
Target, TargetId, + Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Azure + AD Role Management Permission Grant\",\"description\":\"Identifies when the + Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) + permission is granted to a service principal.\\nThis permission allows an + application to read and manage the role-based access control (RBAC) settings + for your company's directory.\\nAn adversary could use this permission to + add an Azure AD object to an Admin directory role and escalate privileges.\\nRef + : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef + : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| + where OperationName =~ 
\\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| + where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| + where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\\n| project-reorder + TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1564\"],\"displayName\":\"Azure + DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such + as run records and produced artifacts for a configurable amount of time. An + attacker looking to reduce the footprint left by their malicious activity + may look to reduce the retention time for artifacts and runs.\\nThis query + will look for where retention has been reduced to the minimum level - 1, or + reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"Event\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID + in 
(13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" + * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") + and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"DSRM + Account Abuse\",\"description\":\"This query detects an abuse of the DSRM + account in order to maintain persistence and access to the organization's + Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.1.0\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use + region adjacency\",\"description\":\"Suppress anomalies 
originated from two + adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum + daily regions for anomaly\",\"description\":\"Generate an anomaly when a user + logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This + algorithm detects a user account which had logins from multiple non-adjacent + regions in a single day via Palo Alto VPN.\",\"lastUpdatedDateUTC\":\"2022-03-08T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set + a threshold of failed AAD signins from an IP address within 1 day above which + we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make + a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc + = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n + \ //Looking for logon failure results\\n | where 
ResultType !in (\\\"0\\\", + \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce + the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n + \ | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n + \ | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin + = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet + suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize + make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged + into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select + only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" + and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has + \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse + out the logon source IP from the Message field to match on\\n | extend + SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where + SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed + AAD logins from SourceIP\\\"\\n //Parse out other useful information from + Message field\\n | extend User = extract('User name: ([^,]+)', 1, Message) + \\n | extend ClientOS = extract('Client OS version: ([^,\\\\\\\"]+)', 1, + Message)\\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\\n + \ | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, + DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n + \ | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp + = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"IP + with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This + query creates a list of IP addresses with a number failed login attempts to + AAD \\nabove a set threshold. It then looks for any successful Palo Alto + VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| + where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" + \\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated) + by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, + UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, + EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = + StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| + sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1087\"],\"displayName\":\"Monitor + AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity + Events where the UserID Type is AssumedRole \\nAn attacker who has assumed + the role of a legitimate account can call the GetCallerIdentity function to + determine what account they are using.\\nA legitimate user using legitimate + credentials would not need to call GetCallerIdentity since they should already + know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS + STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html + 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", + \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion + isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| + where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity + = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1554\"],\"displayName\":\"SUNSPOT + malware hashes\",\"description\":\"This query uses Microsoft Defender for + Endpoint data to look for IoCs associated with the SUNSPOT malware shared + by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ + \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet + TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, + endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project + TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, + SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber + asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr + = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| + where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| + where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, + TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, + DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) + \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, + DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) + = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes + = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, + 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents > TotalEventsThreshold + \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) + * 100\\n| where BeaconPercent > PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential + beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential + beaconing pattern from a client at address {{SrcIpAddr}} to a server at address + {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound + beaconing pattern to untrusted public networks should be investigated for + any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
+ The recurring frequency, reported as FrequencyTime in the custom details, + and the total transferred volume reported as TotalDstBytes in the custom details, + can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\",\"T1571\"],\"displayName\":\"Potential + beaconing activity (ASIM Network Session schema)\",\"description\":\"This + rule identifies beaconing patterns from Network traffic logs based on recurrent + frequency patterns. Such potential outbound beaconing pattern to untrusted + public networks should be investigated for any malware callbacks or data exfiltration + attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\

\\nThis + analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in + or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list + of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, + a Watchlist can be used\\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') + | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by + Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS + type of your Domain Controllers\\n//| where OSType == 'Windows'\\n| where + TimeGenerated between 
(ago(query_frequency + missing_period) .. ago(missing_period))\\n| + project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, + Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing + Domain Controller Heartbeat\",\"description\":\"This detection will go over + the heartbeats received from the agents of Domain Controllers over the last + hour, and will create alerts if the last heartbeats were received an hour + ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36f191f8-d1d1-4a22-8ba7-22c9b64a651a\",\"name\":\"36f191f8-d1d1-4a22-8ba7-22c9b64a651a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.5\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"(Preview) + UEBA Anomalous Failed Sign-in\",\"description\":\"Adversaries with no prior + knowledge of legitimate credentials within the 
system or environment may guess + passwords to attempt access to accounts.\\nSentinel UEBA detects anomalies + based on dynamic baselines created for each entity across various data inputs. + Each entity\xE2\u20AC\u2122s baseline behavior is set according to its own + historical activities, those of its peers, and those of the organization as + a whole. Anomalies can be triggered by the correlation of different attributes + such as action type, geo-location, device, resource, ISP, and more.\\nSupported + data sources: Azure Sign-in, Windows security logs (Events 4624, 4625, 4672, + 4648)\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) + Anomalous RDP Login Detections\",\"description\":\"This detection uses machine + learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, + based on Windows Security Event data. 
Scenarios include:\\n\\n*\\tUnusual + IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual + Geo - The IP address, city, country and ASN have not (or rarely) been seen + in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and + geo location, both or either of which are not expected to be seen in the last + 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel + to build a profile of normal activity for your environment.\\t\\n\\nThis detection + requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy + enabling this rule, you give Microsoft permission to copy ingested data outside + of your Microsoft Sentinel workspace's geography as necessary for processing + by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our + threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| + where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| + extend parts = split(DomainName, '.')\\n| extend tld = 
parts[(array_length(parts)-1)]\\n| + summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n + \ | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns + from syslog message\\n | where isnotempty(Name)\\n | extend parts = + split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n + \ //Validate parsed domain by checking if the TLD is in the list of TLDs + in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated + = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated + < ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated + , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, + ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity + = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Domain entity to 
DnsEvents\",\"description\":\"Identifies a match in DnsEvents + from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the + ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and + \ TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" + and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n + \ //Exclude local addresses, using the ipv4_is_private operator\\n | + where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and + cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming + time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated + = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated + < ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, + *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, + scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| + extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity + = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog + from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + How many greater than Service Connections you want to view per build/release\\nlet + ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, + Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", + \\\"Release\\\", 
\\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| + where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend + DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId + = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName + ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), + ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), + ProjectId, ProjectName\\n| where CurrentCount > ServiceConnectionThreshold\\n| + join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == + $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = + iif(\\n Type == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, + '/', ProjectName, '/_build?definitionId=', DefId),\\n strcat('https://dev.azure.com/', + OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', + DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"techniques\":[\"T1098\",\"T1496\"],\"displayName\":\"Azure + DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases + that use a large number of service connections if they aren't manually in + the allow list.\\nThis is to determine if someone is hijacking a build/release + and adding many service connections in order to abuse \\nor dump credentials + from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n + \ _Im_WebSession(url_has_any=discord, eventresult='Success')\\n | where Url + has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", + 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), + make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) + by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url + to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n + \ | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, + max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, + EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, + SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any + 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\"],\"displayName\":\"Discord + CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies + callouts to Discord CDN addresses for risky file extensions. This detection + will trigger when a callout for a risky file is made to a discord server that + has only been seen once in your environment. Unique discord servers are identified + using the server ID that is included in the request URL (DiscordServerId in + query). Discord CDN has been used in multiple campaigns to download additional + payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and + supports any built-in or custom source that supports the ASIM WebSession schema + (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", + \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet + endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) + .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| + summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), + \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), + CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, + Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| + make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in + range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), + tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), + tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| + extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| + where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| + where TimeGenerated >= startofday(ago(endtime))\\n| where OperationNameValue + in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue + = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), + CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) + \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| + mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series + dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), + now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), + tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), + ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| + where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand + todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), + todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity + = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Suspicious + number of resource creation or deployment activities\",\"description\":\"Indicates + when an anomalous number of VM creations or deployment activities occur in + Azure via the AzureActivity log.\\nThe anomaly detection identifies activities + that have occurred both since the start of the day 1 day ago and the start + of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + 
where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", + \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add + eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| + mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| + where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| + where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| + extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| + extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize + by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| + extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1078\"],\"displayName\":\"User + Assigned Privileged Role\",\"description\":\"Identifies when a new privileged + role is assigned to a user. Any account eligible for a role is now being + given privileged access. 
If the assignment is unexpected or into a role that + isn't the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet + authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet + failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account + is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, + 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, + 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from + last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| + where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex + isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName + = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect + window threshold breaches\\ntable(tableName)\\n| where TimeGenerated > 
ago(timeRange)\\n| + where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) + by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| + where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches + = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached + a threshold, join the details back on all failure data\\ntable(tableName)\\n| + where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| + extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation + = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', + LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount + = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, + Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId + = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter + (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend + UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| + extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, + lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = + max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), + make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, + Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) + on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, + FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, + ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, 
FailureCountByPrincipal=list_FailureCount, + WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // + get data on success vs. failure history for each IP\\n| where TimeGenerated + > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) + // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, + (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, + (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, + (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, + (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount + > GlobalSuccessPrincipalCount // where the number of failed principals is + greater than success - eliminates FPs from IPs who authenticate successfully + alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away + IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Password + spray attack against Azure AD application\",\"description\":\"Identifies evidence + of password spray activity against Azure AD applications by looking for failures + from multiple accounts from the same\\nIP address within a time window. If + the number of accounts breaches the threshold just once, all failures from + the IP address within the time range\\nare bought into the result. 
Details + on whether there were successful authentications by the IP address within + the time window are also included.\\nThis can be an indicator that an attack + was successful.\\nThe default failure acccount threshold is 5, Default time + window for failures is 20m and default look back window is 3 days\\nNote: + Due to the number of possible accounts involved in a password spray it is + not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union + isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any + (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", + DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize + 
StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, + DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, + DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = + StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") + \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| + where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , + IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns + (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, + \ Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, + HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| + extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp + = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession + (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, + \ Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, + HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| + extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp + = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| + where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = + IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| + where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where + isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = 
TimeGenerated, + IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity + \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| + extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity + = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| + where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity + = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost + \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == + \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData + = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| + where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch + = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), + \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, + AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity + = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", + DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.4.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known + IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies + a match across various data feeds for IP IOCs related to the IRIDIUM activity + group.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"
dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory + contains 'Adult Themes' or\\n UrlCategory contains 'Adware' or\\n UrlCategory + contains 'Alcohol' or\\n UrlCategory contains 'Illegal Downloads' or\\n + \ UrlCategory contains 'Drugs' or\\n UrlCategory contains 'Child + Abuse Content' or\\n UrlCategory contains 'Hate/Discrimination' or\\n + \ UrlCategory contains 'Nudity' or\\n UrlCategory contains 'Pornography' + or\\n UrlCategory contains 'Proxy/Anonymizer' or\\n UrlCategory + contains 'Sexuality' or\\n UrlCategory contains 'Tasteless' or\\n UrlCategory + contains 'Terrorism' or\\n UrlCategory contains 'Web Spam' or\\n UrlCategory + contains 'German Youth Protection' or\\n UrlCategory contains 'Illegal + Activities' or\\n 
UrlCategory contains 'Lingerie/Bikini' or\\n UrlCategory + contains 'Weapons'\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend + IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco + Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It + is reccomended that these Categories shoud be blocked by policies because + they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) + [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available + to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with + misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon + with misspelled or bad 
password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name + or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", + \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User + logon from unauthorized workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon + with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account + disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam + Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", + \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", + \\\"The user has not been granted the requested logon type (aka logon right) + at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because + the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", + \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", + \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is + required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently + a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon + with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error + occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine + you are logging onto is protected by an authentication firewall. 
The specified + account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent + \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where + SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus + '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId + = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", + SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, + strcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = + min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() + by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, + TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, + Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where + FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity + = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent + \\n| where EventID == 4625 and not(EventData has '0xc0000064')\\n| extend + TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| + extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| + extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !='0xc0000064' + and TargetAccount !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' + signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", + _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
+ \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, + strcat('Unknown reason substatus: ', SubStatus))\\n| extend Activity=\\\"4625 + - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| + extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend + LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| + extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend + WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress + = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 + - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - + Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", + LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", + LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount + = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, + TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, + Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where + FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity + = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Failed + logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies + when failed logon attempts are 20 or higher during a 10 minute period (2 failed + logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| + where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| + where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables + = Data.Variables\\n| extend 
VariableGroupId = tostring(Data.VariableGroupId)\\n| + extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project + UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| + where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName + = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| + extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where + UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder + TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend + timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity + = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Azure + DevOps Build Variable Modified by New User.\",\"description\":\"Variables + can be configured and used at any stage of the build process in Azure DevOps + to inject values. An attacker with the required permissions could modify \\nor + add to these variables to conduct malicious activity such as changing paths + or remote endpoints called during the build. As variables are often changed + by users, \\njust detecting these changes would have a high false positive + rate. 
This detection looks for modifications to variable groups where that + user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| + where TimeGenerated > ago(lbperiod)\\n| where EventType == 'message'\\n| where + NetworkDirection == 'outbound'\\n| where SrcUserUpn != ''\\n| where array_length(todynamic(DstUserUpn)) + == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) + by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated + between (ago(lbtime) .. 
now())\\n| where EventType == 'message'\\n| where + NetworkDirection == 'outbound'\\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\\n| + extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\\n| where isProtected + == 'true' or mimePgp == 'application/pgp-encrypted'\\n| extend DstUserMail + = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| + join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| + project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD + - Multiple protected emails to unknown recipient\",\"description\":\"Detects + when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlOriginal + matches regex 
@'\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*'\\n| + project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| + extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - URI contains IP address\",\"description\":\"Malware can use IP + address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated > ago(14d)\\n| where + sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| + where TimeGenerated > ago(1d)\\n| where Computer in (exchange_servers)\\n| + where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, + Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = csUserName, 
HostCustomEntity = Computer, + IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"HAFNIUM + Suspicious Exchange Request\",\"description\":\"This query looks for suspicious + request patterns to Exchange servers that fit a pattern observed by HAFNIUM + actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted + Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imRegistry\\n + \ | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n + \ | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n + \ | extend TimeKey = bin(TimeGenerated, 1h)\\n | 
join (imProcess\\n | where + Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith + \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName + endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, + 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.3\",\"tactics\":[\"PrivilegeEscalation\"],\"techniques\":[\"T1548\"],\"displayName\":\"Potential + Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks + for the steps required to conduct a UAC bypass using Fodhelper.exe. By default + this detection looks for the setting of the required registry keys and the + invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-03-02T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office + 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based + on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents + based on all alerts generated in Microsoft Defender for Office 
365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert + (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", + \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| + extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| + where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| + where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| + extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName + == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, + PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId + , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, + 
Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Microsoft + Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure + Data Factory\",\"description\":\"This query looks for Microsoft Defender for + Endpoint detections related to the remote command execution attempts on Azure + IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts + table includes the name of the impacted device. Additionally, this query joins + the DeviceInfo table to connect other information such as device group, \\nIP + address, signed in users, and others allowing analysts using Microsoft Sentinel + to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 + , 
\\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-05-09T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db58d592-4e64-4800-825e-12c09622dd47\",\"name\":\"db58d592-4e64-4800-825e-12c09622dd47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct + number of AWS regions\",\"Distinct number of source ips\",\"Distinct number + of user agents\",\"Distinct number of session issuers\",\"Total number of + operations\",\"Session activity of AWS API events\"],\"values\":[\"Distinct + number of AWS regions\",\"Distinct number of source ips\",\"Distinct number + of user agents\",\"Distinct number of session issuers\",\"Total number of + operations\",\"Session activity of AWS API events\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top + reason for high anomaly score\",\"description\":\"Display anomalies where + the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude + user accounts from the anomalies generated\",\"description\":\"Enter comma + separated user accounts that the anomalies should not display results for, + in 
the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1190\",\"T1505\"],\"displayName\":\"(Preview) + Unusual AWS Cloudtrail API activity\",\"description\":\"This algorithm identifies + anomalous AWS Cloudtrail API hourly sessions for a user account, using an + Isolation Forest model.\\nPotential anomalous factors include a high number + of distinct URI queries, user agents, IPs, AWS regions, a high number of logs, + or API event activity in a session.\\nThe model uses user account activity + over the previous 7 days of AWS activity. The algorithm checks for sufficient + volume of AWS API activity before training the model.\\nSessions deviating + from their normal behavior are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2022-05-12T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where ActivityDisplayName =~'Add member to role completed (PIM activation)'\\n| + where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| + 
extend User = tostring(TargetResources[2].displayName)\\n| project-reorder + TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend + InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| + extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1078\"],\"displayName\":\"NRT + PIM Elevation Request Rejected\",\"description\":\"Identifies when a user + is rejected for a privileged role elevation via PIM. Monitor rejections for + indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + scriptExtensions = 
dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", + \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| + where RawData contains \\\"Download failed and temporary file\\\"\\n| extend + File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^']*)\\\",2,RawData)\\n| + extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend + InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// + Uncomment the following line to alert only on interactive file download type\\n//| + where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"HAFNIUM + Suspicious File Downloads.\",\"description\":\"This query looks for messages + related to file downloads of suspicious file types. This query uses the Exchange + HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log + under the table http_proxy_oab_CL before using this query. 
\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Low\",\"query\":\"DnsEvents\\n| + where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", + \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", + \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", + \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", + \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", + \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", + \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", + \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", + \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", + \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", + \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", + \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", + \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", + \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", + \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", + \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", + \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", + \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", + \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"NRT + DNS events related to mining pools\",\"description\":\"Identifies IP addresses + that may be performing DNS lookups associated with common currency mining + pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\\nlet lbtime + = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where 
EventType + == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| extend file_ext = extract(@'.*(\\\\.\\\\w+)$', + 1, UrlOriginal)\\n| extend Filename = extract(@'.*\\\\/*\\\\/(.*\\\\.\\\\w+)$', + 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, + SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| + extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco + Umbrella - Request to blocklisted file type\",\"description\":\"Detects request + to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime + = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime + = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet + 
aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) + \ \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != + 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) + .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by + \ UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning + = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) + by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique + ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) + .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() + by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) + on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| + extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Brute + Force Attack against GitHub Account\",\"description\":\"Attackers who are + trying to guess your users' passwords or use brute-force methods to get in. + If your organization is using SSO with Azure Active Directory, authentication + logs to GitHub.com will be generated. 
Using the following query can help you + identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet + lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| + where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and + SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| + where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// + Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, + 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId + = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically + for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service + Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n + \ | where TimeGenerated > 
ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n + \ | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | + where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// + Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where + TimeGenerated > ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where + EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| + project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity + = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"LateralMovement\"],\"techniques\":[\"T1210\"],\"displayName\":\"Gain + Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This + query detects instances where an attacker has gained the ability to execute + code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", + 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet + IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union + isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' + * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP + = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP + in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) + \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) + and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and + (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) + and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), + \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP + in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", + \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = + case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", + DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", + RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns + (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, + DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity + = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| + extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = + Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress + = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' + DNSName '\\\"]' *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) + or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in + (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp + in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", + \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch + == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, + \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress + = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend + timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity + = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| + where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with + Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' + DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.4.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\"],\"displayName\":\"Known + Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related + to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity + and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_C
L\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| + extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), + UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) + by UrlHost, SrcIpAddr\\n| where NumberOfErrors > error403_count_threshold\\n| + sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive + number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A + client with address {{SrcIpAddr}} generated a large number of failed authentication + HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) + or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) + attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Excessive + number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This + rule identifies a source that repeatedly fails to authenticate to a web service + (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) + or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) + attack.

\\nThis rule uses the [Advanced Security Information Model + (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that + complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"(union + isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType + == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID + = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser + = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser + = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| + where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == + \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was + created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project + CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity + = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), + CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), + SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent + \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a + security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the + builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| + project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity + = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), + \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser + = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// + 4732 - A member was added to a security-enabled local group\\n| where EventID + == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin + Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| + extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid + in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", + isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == + \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where + TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", + EventData.TargetUserName)\\n| extend 
Activity=\\\"4732 - A member was added + to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| + project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity + = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), + \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser + = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create + User first, then the add to the group.\\n| project Computer, CreatedUserTime, + CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, + GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, + GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp + = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"techniques\":[\"T1098\",\"T1078\"],\"displayName\":\"New + user created and added to the built-in administrators group\",\"description\":\"Identifies + when a user account was created and then added to the builtin Administrators + group in the same day.\\nThis should be monitored closely and all additions + 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n + \ | where TimeGenerated >= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n + \ // renaming time column so it is clear the log this came from\\n | + extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, + ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, + user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, + user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, + access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, + IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity + from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, + Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, + SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, + ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists('ObjectServer', + \\\"\\\"), ObjectType = column_ifexists('ObjectType', \\\"\\\"), ObjectName + = column_ifexists('ObjectName', \\\"\\\")\\n| where isnotempty(ObjectServer) + and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer + =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName + =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only + audits users that are part of the Network logon 
users, i.e. with user/group + target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n + \ | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, + Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, + ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, + AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1562\"],\"displayName\":\"Starting + or Stopping HealthService to Avoid Detection\",\"description\":\"This query + detects events where an actor is stopping or starting HealthService to disable + telemetry collection/detection from the agent.\\n The query requires a SACL + to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| + where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| + extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| + project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| + join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| + where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| + where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, + Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted + > TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, + TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1136\"],\"displayName\":\"External + user added and 
removed in short timeframe\",\"description\":\"This detection + flags the occurances of external user accounts that are added to a Team and + then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity + (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"Event\\n| + where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID + in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" + * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows + NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, + Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1546\"],\"displayName\":\"Registry + Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries + may establish persistence and/or elevate privileges by executing malicious + content triggered 
by AppInit DLLs loaded into processes. \\nDynamic-link libraries + (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows + NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows + NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process + that loads user32.dll. In practice this is nearly every program, since user32.dll + is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba + Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo + Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo + Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device + vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly + event count 
threshold\",\"description\":\"Suppress anomalies when hourly event + count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\"],\"displayName\":\"(Preview) + Unusual network volume anomaly\",\"description\":\"This algorithm is to detect + unusually high volume of connections in network logs. \\nIt uses time series + to decompose the data into seasonal, trend and residual components to \\ncalculate + baseline. Any sudden large deviation from the historical baseline is considered + as anomalous activity.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog + (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog + (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 15m;\\nlet user_agents=dynamic([\\n '(hydra)',\\n + \ ' arachni/',\\n ' BFAC + ',\\n ' brutus ',\\n ' cgichk + ',\\n 'core-project/1.0',\\n ' + crimscanner/',\\n 'datacha0s',\\n 'dirbuster',\\n + \ 'domino hunter',\\n 'dotdotpwn',\\n + \ 'FHScan Core',\\n 'floodgate',\\n + \ 'get-minimal',\\n 'gootkit + auto-rooter scanner',\\n 'grendel-scan',\\n ' + inspath ',\\n 'internet ninja',\\n 'jaascois',\\n + \ ' zmeu ',\\n 'masscan',\\n + \ ' metis ',\\n 'morfeus + fucking scanner',\\n 'n-stealth',\\n 'nsauditor',\\n + \ 'pmafind',\\n 'security + scan',\\n 'springenwerk',\\n 'teh + forest lobster',\\n 'toata dragostea',\\n ' + vega/',\\n 'voideye',\\n 'webshag',\\n + \ 'webvulnscan',\\n ' whcc/',\\n + \ ' Havij',\\n 'absinthe',\\n + \ 'bsqlbf',\\n 'mysqloit',\\n + \ 'pangolin',\\n 'sql power + injector',\\n 'sqlmap',\\n 'sqlninja',\\n + \ 'uil2pn',\\n 'ruler',\\n + \ 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; + rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\\n ]);\\nCisco_Umbrella\\n| + where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| + where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack + Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, + TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, + UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious + user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcess\\n + \ | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith + \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine + has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project + timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where + EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" + or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith + \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n + \ | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId + == 
$right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"Sdelete + deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This + query looks for the Sdelete process being run recursively after being deployed + to a host via GPO. Attackers could use this technique to deploy Sdelete to + multiple host and delete data on them.\\n This query uses the Advanced Security + Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-03-02T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f8fa297-1fbb-4515-98af-b77be2c873a1\",\"name\":\"3f8fa297-1fbb-4515-98af-b77be2c873a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"(Preview) + UEBA Anomalous Data Destruction\",\"description\":\"Adversaries may destroy + data and files on specific systems or in large numbers on a network to interrupt + availability to systems,\\nservices, and network resources. Data destruction + is likely to render stored data irrecoverable by forensic techniques through + \\noverwriting files or data on local and remote drives. \\nSentinel UEBA + detects anomalies based on dynamic baselines created for each entity across + various data inputs.\\nEach entity\xE2\u20AC\u2122s baseline behavior is set + according to its own historical activities, \\nthose of its peers, and those + of the organization as a whole.\\nAnomalies can be triggered by the correlation + of different attributes such as action type, geo-location, device, resource, + ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated + >= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity + = 
surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust + Monitor Event\",\"description\":\"This query identifies when a new trust monitor + event is detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo + Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo + Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device + vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily + data transfer threshold in MB\",\"description\":\"Suppress anomalies when + daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number + of standard 
deviations\",\"description\":\"Triggers anomalies when number + of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"techniques\":[\"T1030\",\"T1071\"],\"displayName\":\"(Preview) + Unusual network communication on commonly used ports\",\"description\":\"This + algorithm identifies unusual network communication on commonly used ports, + comparing daily traffic to a baseline from the previous 7 days.\\nThis includes + traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares + daily traffic to the mean and standard deviation of several\\nnetwork traffic + attributes calculated over the baseline period. The traffic attributes considered + are daily total events, daily data transfer and \\nnumber of distinct destination + IP addresses per port. An anomaly is triggered when the daily values are greater + than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2022-02-24T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog + (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback + = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let + timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet + ADFS_Servers = (\\nEvent\\n//| where TimeGenerated > ago(timeframe+lookback)\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| + extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand + bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend + Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, + _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| + extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + summarize by Computer);\\n// Look for ADFS servers where Named Pipes event + are present\\nEvent\\n//| where TimeGenerated > ago(timeframe)\\n| where Source + == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer + in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, + \\\":\\\")[0])\\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, + MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", + \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n + \ TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image + = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", + \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| + parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' + TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName + == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process + = split(Image, '\\\\\\\\', -1)[-1]\\n// Exclude expected processes\\n| where + process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", + \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", + \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder + TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| + extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"ADFS + 
Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon + telemetry to detect suspicious local connections via a named pipe to the AD + FS configuration database (Windows Internal Database).\\nIn order to use this + query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf + you do not have Sysmon data in your workspace this query will raise an error + stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| + where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| + where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"NRT + MFA Rejected by User\",\"description\":\"Identifies occurrences where a user + has rejected an MFA prompt. 
This could be an indicator that a threat actor + has compromised the username and password of this user account and is using + it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of logins to user account by logon types\",\"description\":\"This + algorithm detects an unusually high volume of successful logins per user account + by different logon types. The model is trained on the previous 21 days of + security event ID 4624 on an account. 
It indicates anomalous high volume of + successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| + where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, + Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, + Summary\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub + Security Vulnerability in Repository\",\"description\":\"This alerts when + there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union + isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process + =~ 'rundll32.exe' \\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| + project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, + ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID + == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')\\n| + extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| where Process =~ 'rundll32.exe' \\n| extend CommandLine + = tostring(EventData.CommandLine)\\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| + extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| + extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project + TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, + _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, + AccountCustomEntity = Account\\n) 
)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1547\"],\"displayName\":\"NOBELIUM + - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query + idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n + References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, + .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give + comma separated TLDs to exclude from source data within double quotes, example: + 
\\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\"],\"displayName\":\"(Preview) + Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This + machine learning model indicates potential DGA domains in the second-level-domain + (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS + records that resolve to IPv4 and IPv6 addresses.\",\"lastUpdatedDateUTC\":\"2022-01-18T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs + | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs + | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union 
isfuzzy=true\\n(DeviceProcessEvents\\n| + where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) + or ( InitiatingProcessCommandLine has ('127.0.0.1\\\\\\\\ADMIN$') and InitiatingProcessCommandLine + has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, + InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, + InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| + extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, + FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", + SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp + = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, + ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash + == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", + SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| + where ( CommandLine has (@'127.0.0.1\\\\\\\\ADMIN$') and CommandLine has_any + (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, + Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, + HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity + = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| + project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp + = TimeGenerated, FileHashCustomEntity = 'SHA256', Account = SourceUserID\\n),\\n( + imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine + has ('127.0.0.1\\\\\\\\ADMIN$') and ActingProcessCommandLine has_any (Command_Line))\\n| + extend Account = ActorUsername, Computer = DvcHostname, 
IPAddress = SrcIpAddr, + CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project + Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], + \ CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| + extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", + dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", + \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| + where (Hashes has_any (sha256Hashes) ) or ( CommandLine has ('127.0.0.1\\\\\\\\ADMIN$') + and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, + UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type + = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, + '\\\\\\\\', -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1561\"],\"displayName\":\"DEV-0586 + Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC's + related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"trigger
Operator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, + 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, + DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), + MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non + $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated + < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by IndicatorId, CS_ipEntity\\n| project 
CommonSecurityLog_TimeGenerated, + SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, + IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, + CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, + IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match + in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| + where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// + Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId + = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// + Rename some 
columns to make output clearer\\n| project-rename TimeCreated + = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP + = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is + the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| + where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// + Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId + = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// + Rename some things to make the output clearer\\n| project-rename TimeDeleted + = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP + = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, + PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, + DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, + OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, + IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1072\"],\"displayName\":\"Azure + DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An + attacker with access to Azure DevOps could create a pipeline to inject artifacts + used by other pipelines, \\nor to create a malicious software build that looks + legitimate by using a pipeline 
that incorporates legitimate elements. \\nAn + attacker would also likely want to cover their tracks once conducting such + activity. This query looks for Pipelines \\ncreated and deleted within the + same day, this is unlikely to be legitimate user activity in the majority + of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let + current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, + change as needed. 
\\n// Any operation that has been initiated by a user or + app more than 3 times in the past 7 days will be excluded\\nlet threshold + = 3;\\n// Gather initial data from lookback period, excluding current, adjust + current to more than a single day if no results\\nlet AuditTrail = AuditLogs + | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// + 2 other operations that can be part of malicious activity in this situation + are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", + extend the filter below to capture these too\\n| where OperationName has \\\"Consent + to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), + \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| + extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| + summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, + TargetResourceName\\n// only including operations by initiated by a user or + app that is above the threshold so we produce only rare and has not occurred + in last 7 days\\n| where OperationCount > threshold\\n;\\n// Gather current + period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated + >= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| + extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) + and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', + tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) + and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n'Not + Available')\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), + \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| + extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| + parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" + ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent + = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| + project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, + OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously + seen audit activity for \\\"Consent to application\\\" that was seen in the + lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent + | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend + Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet + RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, + TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy + | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, + InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, + UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"techniques\":[\"T1136\"],\"displayName\":\"Rare + application consent\",\"description\":\"This will alert when the \\\"Consent + to application\\\" operation occurs by a user that has not done this operation + before or rarely does this.\\nThis could indicate that permissions to access + the listed Azure App were provided to a malicious actor. \\nConsent to application, + Add service principal and Add OAuth2PermissionGrant should typically be rare + events. \\nThis may help detect the Oauth2 attack that can be initiated by + this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further + information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only 
need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents + | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" + and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n + \ | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // + renaming time column so it is clear the log this came from\\n | extend + DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| + where DNS_TimeGenerated < ExpirationDateTime\\n| summarize DNS_TimeGenerated + = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, + ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, + ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, + EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity + = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents + from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain + Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", + \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks + for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// + main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n + \ // AdFind common Flags to check for from various threat actor TTPs\\n or + ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, + HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, + CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", + FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1018\"],\"displayName\":\"Probable + AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account + that executed AdFind by hash and filename in addition to common and unique + flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + 
summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog + message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", + 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated + = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated < ExpirationDateTime\\n| + summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, + Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, + ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, + ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity + = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog + data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union + isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| + where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| + extend OperationName = Operation\\n| parse ExtendedProperties with * 'User-Agent\\\\\\\\\\\":\\\\\\\\\\\"' + UserAgent2 '\\\\\\\\' *\\n| parse ExtendedProperties with * 'UserAgent\\\", + \ \\\"Value\\\": \\\"' UserAgent1 '\\\"' *\\n| where isnotempty(UserAgent1) + or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', + UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, + Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType + =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" + \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent + = columnifexists(\\\"userAgent_s\\\", 
\\\"None\\\")\\n| where UserAgent != + '-'\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) + by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, + Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent + = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, + csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, + SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, + EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, + SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), + tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs + \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = + UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), + AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| + where UserAgent startswith \\\"User\\\" or UserAgent startswith '\\\\\\\"'\\n// + Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent + containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs + \ \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex + @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent + matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp + = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"techniques\":[\"T1189\",\"T1071\",\"T1203\"],\"displayName\":\"Malformed + user agent\",\"description\":\"Malware authors will sometimes hardcode user + agent string values when writing the network communication component of their + malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// + fetch the alexa top 1M domains\\nlet top1M = 
(externaldata (Position:int, + Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] + \ with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams + that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| + extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend + AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", + substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| + mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| + sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// + collect domain information from common security log, filter and extract the + DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| + where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| + extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name + has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// + extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", + 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains + with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// + extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", + DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", + substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's + and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| + join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n + \ | summarize count() by tostring(AllTriGrams), DGADomain\\n | where + count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains + that do not have a common tri in the 
baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| + join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n + \ | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n + \ | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n + \ | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join + DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n + \ | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n + \ | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename + Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), + EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non + Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, + DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\"],\"displayName\":\"Possible + contact with a domain generated by a DGA\",\"description\":\"Identifies contacts + with domains names in CommonSecurityLog that might have been generated by + a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate + rendezvous points that are difficult to predict in advance. This detection + uses the Alexa Top 1 million domain names to build a model\\nof what normal + domains look like. 
It uses this to identify domains that may have been randomly + generated by an algorithm.\\nThe triThreshold is set to 500 - increase this + to report on domains that are less likely to have been randomly generated, + decrease it for more likely.\\nThe start time and end time look back over + 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose + length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| + where Action == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking + the first non-empty 
value based on potential IOC match availability\\n| extend + TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| + extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), + NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| + join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non + $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = + arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, + Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, + ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, + Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, + EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity + = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL + table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates + and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add + service principal credentials\\\", and \\\"Update application - Certificates + and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| + where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) + has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| + extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = + tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| + mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| + extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend + old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set + == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" + 
keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string + \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage + == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key + == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend + InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// + The below line is currently commented out but Microsoft Sentinel users can + modify this query to show only Application or only Service Principal events + in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType + =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| + project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, + UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, + keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1550\"],\"displayName\":\"First + access credential added to Application or Service Principal where no credential + was present\",\"description\":\"This will alert when an admin or app owner + account adds a new credential to an Application or Service Principal where + there was no previous verify KeyCredential 
associated.\\nIf a threat actor + obtains access to an account with sufficient privileges and adds the alternate + authentication material triggering this event, the threat actor can now authenticate + as the Application or Service Principal using this credential.\\nAdditional + information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 + or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) + Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates + an alert when a Microsoft Threat Intelligence Indicator gets matched with + your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised + to turn off any custom alert rules which match the threat intelligence indicators + with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union + isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * '(' DNSName + ')' * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = + SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress + = SrcIpAddr, DNSName = DnsQuery, 
Host = Dvc),\\n (VMConnection \\n | parse + RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n | extend IPAddress + = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType + == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n + \ | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to + ' DestinationHost ':' DestinationPort '. Action:' Action\\n | extend DNSName + = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n + \ | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n + \ )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| + extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity + = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.4.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1071\"],\"displayName\":\"Known + STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name + IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, + DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n WireData + | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n + \ // renaming time column so it is clear the log this came from\\n | + extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == + $right.RemoteIP\\n| where WireData_TimeGenerated < ExpirationDateTime\\n| + summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, + RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, + NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| + extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity + = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to WireData\",\"description\":\"Identifies a match in WireData + from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| + where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") + \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, + match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| + where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue + =~ 
\\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = + bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, + TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, + TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList + = strcat(OperationNameValue, ' , ', OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"New + CloudShell User\",\"description\":\"Identifies when a user creates an Azure + CloudShell for the first time.\\nMonitor this activity to ensure only expected + user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, + 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| + where IngestionTime > ago(queryfrequency)\\n| where 
not(todynamic(AuthenticationDetails)[0].authenticationMethod + == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount + = dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount + = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts + = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, + *)\\n by IPAddress\\n| where DistinctFailureCount > DistinctSuccessCount + and DistinctFailureCount >= accountthreshold\\n//| extend SuccessAccounts + = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| + mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, + IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, + ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, + DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Password + spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence + of password spray activity against Connect Health for AD FS sign-in events + by looking for failures from multiple accounts from the same IP address within + a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of AWS API calls from Non-AWS source IP address from a user + account id per workspace on a daily basis\",\"description\":\"This algorithm + detects an unusually high volume of AWS API calls from Source IPs not in AWS + Source IP ranges from one user account per workspace within the last day. + The model is trained on the previous 21 days of AWS cloud trail log events + on source IP address basis. 
This activity may indicate that the user account + is compromised.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Add non-approved user principal names to the list below to search for their + account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet + nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add + user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| + extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| + where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, + ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity + = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Account + created or deleted 
by non-approved user\",\"description\":\"Identifies accounts + that were created or deleted by a defined list of non-approved user principal + names. Add to this list before running the query for accurate results.\\nRef + : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union + isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID in (17,18)\\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\\n| + extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand + bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend + Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, + _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| + extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == '5145'\\n// + %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList + has '%%4418' \\n| 
where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\\n),\\n(\\nWindowsEvent\\n| + where EventID == '5145' and EventData has '%%4418' and EventData has '583da945-62af-10e8-4902-a8f205c72b2e' + \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= + tostring(EventData.AccessList)\\n| where AccessList has '%%4418' \\n| + extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where + RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend Account + = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity + = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"techniques\":[\"T1055\"],\"displayName\":\"Solorigate + Named Pipe\",\"description\":\"Identifies a match across various data feeds + for named pipe IOCs related to the Solorigate incident.\\n For the sysmon + events required for this detection, logging for Named Pipe Events needs to + be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: + 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our + threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| + where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| + extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| + summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf + fast and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique 
(\\n Syslog\\n + \ | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns + from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, + tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts + = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n + \ //Validate parsed domain by checking if the TLD is in the list of TLDs + in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated + = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated + < ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated + , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp + = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, + URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog + table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in + (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull + = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend + scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access + denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull + == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull + == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull + == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull + == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull + == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL + required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// + Mapping to Hex so can be mapped using website 
in comments above\\n| extend + scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| + extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", + \\\"The referenced account is currently locked out and cannot be logged on + to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user + name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: + The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", + \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ + \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ + \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex + =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", + \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ + \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex + =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex + =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", + \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", + \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode + URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// + Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), + makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), + makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), + makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount + = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount + >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, + Computer, set_sSiteName, sIP, set_sPort, 
set_csUserAgent, set_csMethod, set_scStatusFull, + set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, + FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp + = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"High + count of failed attempts from same client IP\",\"description\":\"Identifies + when 20 or more failed attempts from a given client IP in 1 minute occur on + the IIS server.\\nThis could be indicative of an attempted brute force. This + could also simply indicate a misconfigured service or device.\\nRecommendations: + Validate that these are expected connections from the given Client IP. 
If + the client IP is not recognized, \\npotentially block these connections at + the edge device.\\nIf these are expected connections, verify the credentials + are properly configured on the system, service, application or device \\nthat + is associated with the client IP.\\nReferences:\\nIIS status code mapping: + https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 + Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n + \ | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | + where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n + \ | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, + Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n + \ | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n + \ | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine + has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend + timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, + timekey, 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"Sdelete + deployed via GPO and run recursively\",\"description\":\"This query looks + for the Sdelete process being run recursively after being deployed to a host + via GPO. Attackers could use this technique to deploy Sdelete to multiple + host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet + szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet + starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| + where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType + =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where + isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, + RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType + =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where + TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize + min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, + Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) + on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads + from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity + \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation + \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| + join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| + where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc + = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, + UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, + UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity + = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order + by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"techniques\":[\"T1030\"],\"displayName\":\"SharePointFileOperation + via devices with previously unseen user agents\",\"description\":\"Identifies + if the number of documents uploaded or downloaded from device(s) associated\\nwith + a previously unseen 
user agent exceeds a threshold (default is 5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| + where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ + \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| + mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| + where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| + where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp + = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator + = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| + extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| + extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| + project TimeGenerated, OperationName, Initiator, Target, TargetId, 
Result\\n| + join kind=innerunique (\\n AuditLogs\\n | where LoggedByService =~ \\\"Core + Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType + in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName + has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n + \ | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n + \ | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n + \ | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = + tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n + \ | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n + \ | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n + \ | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | + extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n + \ | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId + = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, + \ RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) + on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, + TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId + = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType + = TargetType\\n| where TimeRoleMgGrant < TimeAdminPromo\\n| project TimeRoleMgGrant, + TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, + TargetObjectId, 
TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Admin + promotion after Role Management Application Permission Grant\",\"description\":\"This + rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory + (application) permission before being used to add an Azure AD object or user + account to an Admin directory role (i.e. Global Administrators).\\nThis is + a known attack path that is usually abused when a service principal already + has the AppRoleAssignment.ReadWrite.All permission granted. This permission + Allows an app to manage permission grants for application permissions to any + API.\\nA service principal can promote itself or other service principals + to admin roles (i.e. Global Administrators). 
This would be considered a privilege + escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, + https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated + >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID + == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, + \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| + extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| + extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" + \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| + extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" + \\\")[0])\\n| extend 
MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend + CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), + last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec + = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, + SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where + TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) + \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount + = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| + extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] + \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" + \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| + extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" + \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| + extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" + \ \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), + prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec + = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, + SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, + DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project + StartTimeUtc, EndTimeUtc, DeviceName, 
DeviceEventClassID, SourceIP, SourceOfDropRateCount, + DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, + last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// + Select only events that indicate a doubling of the expected rate in the last + hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal + or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec + > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity + = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"techniques\":[\"T1046\",\"T1498\"],\"displayName\":\"Cisco + ASA - average attack detection rate increase\",\"description\":\"This will + help you determine if Cisco ASA devices are under heavier attack than normal + over the last hour versus the previous 6 hours based on DeviceEventClassID + 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails + on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet + createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback + = 14d;\\n// Creating Master table with all the events to use with materialize + for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated + >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking + for Policy creation event with Full Admin Privileges since lookback period.\\nlet + FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= + ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = + tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = + parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| + mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect + = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| + mvexpand Action\\n| 
extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" + and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, + EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| + extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, + tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated + \ );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated + >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName + = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| + summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, + SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), + \ UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| + extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, + \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, + \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, + \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, + PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames + and checking if it has been attached to any Roles/Users/Groups.\\n// These + Roles/Users/Groups will be Privileged and can be used by adversaries as pivot + point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| + join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away + PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, + AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full + Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity + and Access Management (IAM) securely manages access to AWS services and resources. + \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). + \\nThis policy can be attached to role,user or group and may be used by an + adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS + IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand + AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold + = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where + 
TimeGenerated > ago(starttime)\\n | summarize arg_max(TimeGenerated, *) + by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles + matches regex 'Admin'\\n | summarize Roles = make_list(AssignedRoles) by + AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n + \ | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n + \ | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n + \ ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp + = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet + allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts + = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated + from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, + Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, + scorethreshold, -1, 'linefit')\\n | mv-expand HourlyCount to typeof(double), + TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), + baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n + \ | where anomalies > 0 and baseline > baselinethreshold\\n | extend + AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, + TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts + for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > startofday(ago(timeframe))\\n| + join kind=inner ( \\n allSignins\\n | where TimeGenerated > startofday(ago(timeframe))\\n + \ // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, + 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = + arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), 
OperationName, Category, + ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, + AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, + $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, + Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, + ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, + AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, + TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp + = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Privileged + Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in + failed sign-ins from Privileged accounts. 
Privileged accounts list can be + based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined + based on Time series anomaly which will look at historical baseline values.\\nRef + : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n + \ | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n + \ // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n + \ | where 
DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only + alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n + \ //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", + \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", + 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url + = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", + strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol + =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n + \ | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url + == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| + summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, + DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, + IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity + = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map URL entity to PaloAlto data\",\"description\":\"Identifies a match in + PaloAlto data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Low\",\"query\":\"let + SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", + \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", + \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", + \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", + \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", + \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), + CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s + = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType + !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| + where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where 
CallerIPAddress + !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ + \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" + and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and + ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| + summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), + TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), + RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), + \ CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, + id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1485\"],\"displayName\":\"NRT + Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive + Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, + SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup + operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union + isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation + settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting + out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| + extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| + mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| + mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ + \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // + commenting out, as it may be interesting to capture failed attempts\\n| mv-expand + TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| + mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), + NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where + 
NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key + == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend + InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| + project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, + targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, + TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified + domain federation trust settings\",\"description\":\"This will alert when + a user or application modifies the federation settings on the domain or Update + domain authentication from Managed to Federated.\\nFor example, this alert + will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm + object, such as a signing certificate, is added to the domain.\\nModification + to domain federation settings should be rare. 
Confirm the added or modified + target domain/URL is legitimate administrator behavior.\\nTo understand why + an authorized user may update settings for a federated domain in Office 365, + Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor + details on security realms that accept security tokens, see the ADFS Proxy + Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// + Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', + 'test@foo.com'];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist + = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\\n// + Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\\n'Release.ReleasePipelineModified', + 'Git.RefUpdatePoliciesBypassed'];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism + startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName + in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project + TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, + IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = + TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"Azure + DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects + whenever a PAT is used in ways that PATs are not normally used. 
May require + an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\\nUse + this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated + > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| + extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), + \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include + cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName + = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| + extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| + extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools + deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated + > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| + extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId + = tostring(Data.AgentPoolId)\\n| extend timekey 
= bin(TimeGenerated, timewindow)) + on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, + IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, + IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = + ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1578\"],\"displayName\":\"Azure + DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding + build agents to an existing pool to execute malicious activity within a pipeline, + an attacker could create a complete new agent pool and use this for execution.\\nAzure + DevOps allows for the creation of agent pools with Azure hosted infrastructure + or self-hosted infrastructure. Given the additional customizability of self-hosted + agents this \\ndetection focuses on the creation of new self-hosted pools. 
+ To further reduce false positive rates the detection looks for pools created + and deleted relatively quickly (within 7 days by default), \\nas an attacker + is likely to remove a malicious pool once used in order to reduce/remove evidence + of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User + allowlist\",\"description\":\"Enter comma separated userids to be suppressed + while triggering anomalies. 
This should be within double quotes and is case + insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number + of distinct files dowloaded per day\",\"description\":\"Suppress anomalies + when daily number of distinct files downloaded per day is less than the chosen + value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number + of standard deviations\",\"description\":\"Triggers anomalies when number + of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1074\"],\"displayName\":\"(Preview) + Potential data staging\",\"description\":\"The algorithm compares the downloads + of distinct files on a per user basis from the previous week with the downloads + for the current day for each user and \\nan anomaly is triggered when the + number of downloads of distinct files exceeds the configured number of standard + deviations above the mean. 
\\nCurrently the algorithm only analyze commonly + seen files during exfiltration of type documents, images, videos and archives + with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-11-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity + (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet + SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", + \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", + \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", + \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", + \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", + 
\\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", + \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", + \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", + \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", + \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic + ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", + \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", + \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", + \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", + \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", + \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", + \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", + \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", + \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", + \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", + \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", + \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", + \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", + \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", + \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", + \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", + \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", + \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", + \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet + SigNames = 
dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", + \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union + isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' + * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName + in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, + IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend + DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| + parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| + where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This + query uses sysmon data depending on table name used this may need updataing\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| + parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where + Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| + where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| + extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend + Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics + \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.5.1\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known + GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control + domains and hash values for tools and malware used by GALLIUM. \\n Matches + domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, + DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ + 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n| + where EventID == 5136 and EventData contains \\\"CN=AdminSDHolder,CN=System\\\"\\n| + parse EventData with * 'ObjectDN\\\">' ObjectDN \\\"<\\\" *\\n| summarize + StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, + SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1078\"],\"displayName\":\"AdminSDHolder + Modifications\",\"description\":\"This query detects modification in the AdminSDHolder + \ in the Active Directory which could indicate an attempt for persistence. + \\nAdminSDHolder Modification is a persistence technique in which an attacker + abuses the SDProp process in Active Directory to establish a persistent backdoor + to Active Directory.\\nThis query searches for the event id 5136 where the + Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName + =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" + \ // commenting out, as it may be interesting to capture failed attempts\\n| + mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| + mv-expand 
modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), + NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend + Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue + has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| + mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key + == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend + InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), + tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), + tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| + project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, + targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, + TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT + Modified domain federation trust settings\",\"description\":\"This will alert + when a user or application modifies the federation settings on the domain + or Update domain authentication from Managed to Federated.\\nFor example, + this alert will trigger when a new Active Directory Federated Service (ADFS) + TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification + to domain federation settings should be rare. 
Confirm the added or modified + target domain/URL is legitimate administrator behavior.\\nTo understand why + an authorized user may update settings for a federated domain in Office 365, + Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor + details on security realms that accept security tokens, see the ADFS Proxy + Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor + further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft + Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based + on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents + based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert + 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", + \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", + \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password + reset events\\n//4723: An attempt was made to change an account's password\\n//4724: + An attempt was made to reset an accounts password\\nSecurityEvent\\n| where + EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, + AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: + An attempt was made to change an account's password\\n//4724: An attempt was + made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| + extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName + = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", + tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith + \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), + \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project + TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure + Active Directory Password reset events\\nAuditLogs\\n| 
where OperationName + has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| + extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), + \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| + project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive + ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload + == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) + or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) + or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, + Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, + Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| + where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage + has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType + = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| + where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse + SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, + AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| + project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union + isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc + = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = + make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList + = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), + Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend + ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated), ComputerList = make_set(Computer, + 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, + 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, + 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() + by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity + = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"2.1.1\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"Multiple + Password Reset by user\",\"description\":\"This query will determine multiple + password resets by user across multiple data sources. 
\\nAccount manipulation + including password reset may aid adversaries in maintaining access to credentials + \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, + srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter + comma separated source usernames to be suppressed while triggering anomalies. 
+ This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, + srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, + account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter + comma separated destination usernames to be suppressed while triggering anomalies. + This should be within double quotes and is case sensitive, example: \\\"account1, + account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1136\"],\"displayName\":\"(Preview) + Anomalous local account creation\",\"description\":\"This algorithm is to + detect anomalous local account creation on windows systems. Adversaries may + create local accounts to maintain access to victim systems.\\nThis algorithm + analyzes historical local account creation activity (14 days) by users and + compare with current day to find similar activity from the users who were + not \\npreviously seen in historical activity. 
You can further customize the + allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2022-03-01T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs + | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where + Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" + | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | + project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion + isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName + in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID + == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) + \\n| where ObjectName in (file_paths)\\n| extend Account = 
strcat(tostring(EventData.SubjectDomainName), + \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp + = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| + where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity + = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, + HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 + in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, + HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash + in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This + query uses sysmon data depending on table name used this may need updating\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| + extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| + where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' *\\n| + where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), + Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| + where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP + in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL + has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", + DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, + DestinationIP, DeviceProduct, DeviceAction, Message, 
Protocol, SourcePort, + DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = + StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, + IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| + where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| + extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| + extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| + where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( + SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", + \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = + UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", + SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| + where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp + = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| + where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, + IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| + where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( + SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", + \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) + \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n + \ (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity + = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.7.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"Exchange + Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This + detection look for IoCs shared by Microsoft relating to attacks exploiting + the Exchange Server vulnerabilities disclosed in March 2021. It looks for + SHA256 file hashes, IP addresses and file paths in a number of data sources. + This query can also be customized with additional data sources that may include + these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog + (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog + (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog + (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog + 
(Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog + (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61a45b42-5fe8-47ef-9b16-c61e6b76ab8e\",\"name\":\"61a45b42-5fe8-47ef-9b16-c61e6b76ab8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1531\"],\"displayName\":\"(Preview) + UEBA Anomalous Defensive Mechanism 
Modification\",\"description\":\"Adversaries + may add adversary-controlled credentials for Azure Service Principals in addition + to existing legitimate credentials to maintain persistent access to victim + Azure accounts.\\nSentinel UEBA detects anomalies based on dynamic baselines + created for each entity across various data inputs. Each entity\xE2\u20AC\u2122s + baseline behavior is set according to its own historical activities,\\nthose + of its peers, and those of the organization as a whole. Anomalies can be triggered + by the correlation of different attributes such as action type, geo location, + device, resource, ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-01-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated + > timeframe\\n| where EventType=='Logon' and EventResult=='Success'\\n| where + isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n + \ , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, + TargetUserType\\n| where NumOfCountries >= threshold\\n| extend timestamp + = StartTime, AccountCustomEntity 
= TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"User + login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This + query searches for successful user logins from different countries within + 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM + normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet + IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) + and ExpirationDateTime > now()\\n// Picking up only IOC's that contain the + entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, + 
NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize + LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active + == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( + TI_ipEntity) \\n| project IP_List=iff(NIPs > HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), + response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist + = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n + \ | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n + \ | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP + == $right.TI_ipEntity\\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated + < ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, + IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, + Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, + NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, + IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = 
Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) + TI map IP entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies + a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) + and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| + where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc + = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, + Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = + Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| + where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = 
tostring(EventData.CommandLine)\\n| + where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| + extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| + extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize + StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() + by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName + = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| + where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = + StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"techniques\":[\"T1059\",\"T1027\",\"T1140\"],\"displayName\":\"Base64 + encoded Windows process command-lines\",\"description\":\"Identifies instances + of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure + Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create + incidents based on Microsoft Defender for Cloud\",\"description\":\"Create + incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert + 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback + = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// + Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// + Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = + (\\nEvent\\n//| where TimeGenerated > ago(timeframe+lookback)\\n| where Source + == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer + !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| + mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| + extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, + _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| + extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| + summarize by Computer\\n);\\n// Look for ADFS servers receiving connections + over port 80\\nEvent\\n//| where TimeGenerated > ago(timeframe)\\n| where + Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| 
where Computer in~ (ADFS_Servers)\\n| + extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| + extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand + bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend + Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', + \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, + Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, + MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", + \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName + = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with + * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\\n| where + EventID == 3\\n// Look for endpoints connecting to the AD FS server over port + 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), + Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", + \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp + = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort + == 80\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n// Look for + the System process receiving connections\\n| where process == 'System' and + Initiated == 'false'\\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\\n| + extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, + Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, + AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1005\"],\"displayName\":\"AD + FS Remote HTTP Network Connection\",\"description\":\"This detection uses + Sysmon events (NetworkConnect events) to detect incoming network traffic on + port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying + to use replication services on the AD FS server to get its configuration settings + and extract sensitive information such as AD FS certificates.\\nIn order to + use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: + https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| + where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize + StartTime = min(TimeGenerated), 
EndTime = max(TimeGenerated) by Computer, + SubjectUserName, SubjectUserSid, SubjectLogonId, TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"techniques\":[\"T1564\"],\"displayName\":\"Fake + computer account created\",\"description\":\"This query detects domain user + accounts creation (event ID 4720) where the username ends with $. \\nAccounts + that end with $ are normally domain computer accounts and when they are created + the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| + where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") + \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = 
iff(parse_json(ExtendedProperties)[0].Name + =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, + typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| + where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType + = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize + authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), + uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) + by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| + sort by uniqueAccounts\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Possible + STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces + potential STRONTIUM group Office365 credential harvesting attempts within + OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| + where ActivityDisplayName 
=~'Add member to role completed (PIM activation)'\\n| + where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| + extend User = tostring(TargetResources[2].displayName)\\n| project-reorder + TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend + InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| + extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1078\"],\"displayName\":\"PIM + Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected + for a privileged role elevation via PIM. 
Monitor rejections for indicators + of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created + =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n + \ | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n + \ | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator + = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | + extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet + account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities + = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, + \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n + \ | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs + \\n | where OperationName == \\\"Remove service principal\\\"\\n | where + Result == \\\"success\\\"\\n | extend AppID = 
tostring(AdditionalDetails[1].value)\\n + \ | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter + = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | + extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet + account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update + application\\\", \\\"Certificates and secrets management\\\")\\n | where + Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n + \ | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned + =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment + to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n + \ | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", + tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n + \ | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize + make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated + between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| + join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) + on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= + inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between + (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| + project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, + userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, + list_AssignedRoles, 
AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Suspicious + Service Principal creation activity\",\"description\":\"This alert will detect + creation of an SPN, permissions granted, credentials cretaed, activity and + deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our + threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n + \ | where TimeGenerated > ago(ioc_lookBack)\\n 
| where isnotempty(DomainName)\\n + \ | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, + '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize + count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n + \ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n + \ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n + \ | where Active == true\\n // Picking up only IOC's that contain the + entities we want\\n | where isnotempty(DomainName)\\n // using innerunique + to keep perf fast and result set low, we only need one match to indicate potential + malicious activity that needs to be investigated\\n | join kind=innerunique + (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n + \ | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor + =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment + the line below to only alert on allowed connections\\n //| where DeviceAction + !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present + extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", + \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions + !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), + trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" + and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url + !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', + PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n + \ | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n + \ | extend parts = split(Domain, '.')\\n //Split out the TLD + for the purpose of checking if we have any TI indicators with this TLD to + match on\\n | extend tld = 
parts[(array_length(parts)-1)]\\n //Validate + parsed domain by checking TLD against TLDs from threat feed and drop domains + where there is no chance of a match\\n | where tld in~ (list_tlds)\\n + \ | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on + $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated + < ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, + *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, + Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, + ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, + DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | + extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, + HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo + Alto data in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] + with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs + | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| + where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, + FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity + = 'SHA256', Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 + has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, + IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = + TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, + CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| + where EventID == 1\\n| extend EvData = 
parse_xml(EventData)\\n| extend EventDetail + = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], + \ CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| + extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", + dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", + \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| + where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, + UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type + = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity + = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, + '\\\\\\\\', -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| + where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| + project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, + InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, + InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, + InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity + = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity + = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity + = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image + = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any + (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, + InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, + InitiatingProcessFileName, 
InitiatingProcessSHA256, Type\\n| extend timestamp + = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, + ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", + FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image + = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 + has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, + InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, + InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, + InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp + = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, + ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", + FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image + = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1053\"],\"displayName\":\"Tarrask + malware IOC - April 2022\",\"description\":\"Identifies a hash match related + to Tarrask malware across various data sources.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File + extension\",\"description\":\"Give comma separated file extension to exclude + from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"displayName\":\"(Preview) + Suspicious number of protected documents 
accessed\",\"description\":\"This + algorithm is to detect high volume of access to protected documents in Azure + Information Protection (AIP) logs. \\nIt considers AIP workload records for + a given number of days and determines whether the user performed unusual access + to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2022-05-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| + where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName + has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment + to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) + has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend + props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand + props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend + InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| + extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| + extend DisplayName = tostring(props.displayName)\\n| extend Permissions = + 
tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any + (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo + = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| + project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName + has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n + \ | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, + AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, + OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, + Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"Mail.Read + Permissions Granted to Application\",\"description\":\"This query look for + applications that have been granted (Delegated or App/Role) permissions to + Read Mail (Permissions field has Mail.Read) and subsequently has been consented + to. 
This can help identify applications that have been abused to gain access + to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of AWS write API calls from a user account \",\"description\":\"This + algorithm detects an unusually high volume of AWS write API calls per user + account within the last day. The model is trained on the previous 21 days + of AWS cloud trail log events on a user account basis. 
This activity may indicate + that the account is compromised.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure + Active Directory Identity Protection\",\"displayName\":\"Create incidents + based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create + incidents based on all alerts generated in Azure Active Directory Identity + Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert + (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated + > ago(queryfrequency)\\n| where 
OperationName =~ \\\"Delete user\\\"\\n//extend + UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend + UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResources[0].userPrincipalName))\\n| + extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress + = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| + project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, + DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, + Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| + join kind=inner (\\n AuditLogs\\n | where TimeGenerated > ago(queryperiod)\\n + \ | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName + = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated + = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated + - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| + extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress + = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| + project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, + DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, + CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy + = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, + Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, + CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"Account + Created and Deleted in Short Timeframe\",\"description\":\"Search for user + principal name (UPN) events. Look for accounts created and then deleted in + under 24 hours. 
Attackers may create an account for their use, and then remove + the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents + = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", + \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| + where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| + where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| + summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously + seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated + between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, + \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld + > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those + remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents + | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), + EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by + ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = + ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1568\",\"T1008\"],\"displayName\":\"Potential + DGA detected\",\"description\":\"Identifies clients with a high NXDomain count + which could be indicative of a DGA (cycling through possible C2 domains\\nwhere + most C2s are not live). Alert is generated when a new IP address is seen (based + on not being seen associated with \\nNXDomain records in prior 10-day baseline + period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// 
Picking up only IOC's that contain the entities + we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As + there is potentially more than 1 indicator type for matching IP, taking NetworkIP + first, then others if that is empty.\\n// Taking the first non-empty value + based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column + so it is clear the log this came from\\n | extend VMConnection_TimeGenerated + = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated + < ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, + *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, + Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, + DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| + extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, + HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection + from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1de6460f-30dc-4e8c-8086-8100d8e2b461\",\"name\":\"1de6460f-30dc-4e8c-8086-8100d8e2b461\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly + score threshold\",\"description\":\"Generate an anomaly when the anomaly score + is greater than the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1098\"],\"displayName\":\"(Preview) + UEBA Anomalous Account Manipulation\",\"description\":\"Adversaries may manipulate + accounts to maintain access to victim systems. These actions include adding + new accounts to high privilleged groups. Dragonfly 2.0, for example, added + newly created accounts to the administrators group to maintain elevated access. + The query below generates an output of all high Blast Radius users performing + \\\"Update user\\\" (name change) to privileged role, or ones that changed + users for the first time. Sentinel UEBA detects anomalies based on dynamic + baselines created for each entity across various data inputs. Each entity\xE2\u20AC\u2122s + baseline behavior is set according to its own historical activities, those + of its peers, and those of the organization as a whole. Anomalies can be triggered + by the correlation of different attributes such as action type, geo-location, + device, resource, ISP, and more.\",\"lastUpdatedDateUTC\":\"2022-04-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect + the alert events\\nlet alertData = 
SecurityAlert \\n| where DisplayName has + \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) + \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData + \\n| where Entities['Type'] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities['Address']), + AttackerCountry = tostring(Entities['Location']['CountryName']);\\n//Parse + the file data\\nlet FileData = alertData \\n| where Entities['Type'] =~ \\\"file\\\" + \\n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName + = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\\n//Combine + the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId + \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, + ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create + a type column so we can track if it was a File storage or blobl storage upload + \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") + \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File + upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName + =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP + = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename + from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", + 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii + hex so string operations don't work\\n //We can work around this by making + it an array then converting it to hex from an int \\n | extend base64Char + = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend + hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) + < 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName + has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | + summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, + TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash + = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the + summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, + \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", + TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), + FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n + \ StorageFileLogs,\\n StorageBlobLogs \\n | + where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" + \ \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", + 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
+ ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName + has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n + \ | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, + \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), + FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP + == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName + = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash + \ \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), + tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, + MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo + \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm + = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"techniques\":[\"T1071\",\"T1567\"],\"displayName\":\"Linked + Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded + malicious content to an Azure Blob or File Storage container (triggering a + malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where + EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition + !in ('reject', 'discard')\\n| where FilterModulesSpamScoresOverall == '100'\\n| + project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - High risk message not discarded\",\"description\":\"Detects when email with + high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", + \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union + isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' + * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName + =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress + = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName + = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) + \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress + = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames + with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName + =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| + where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| + parse msg_s with Protocol 'request from ' SourceHost 
':' SourcePort 'to ' + DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| + where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost + \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity + = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known + CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and + hash values for maldocs and malware. \\n Matches domain name IOCs related + to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection + 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n// Picking up only IOC's that contain the entities + we want\\n| where isnotempty(Url)\\n// using innerunique to 
keep perf fast + and result set low, we only need one match to indicate potential malicious + activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n + \ | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is + contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", + 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName + = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | + extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n + \ | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated + < ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, + *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, + IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, + Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp + = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity + = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.2.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs + from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet + timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated + >= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n + \ | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName + has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize + TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, + DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = + VMProcess\\n | 
where TimeGenerated >= ago(timeframe)\\n | project AgentId, + Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n + \ | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | + extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) + - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, + array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n + \ | project-away exePathArr;\\nlet computers = VMComputer\\n | where + TimeGenerated >= ago(timeframe)\\n | project HostCustomEntity = HostName, + AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind + = inner (processes) on AgentId, Machine, Process\\n | join kind + = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1102\"],\"displayName\":\"Solorigate + Domains Found in VM Insights\",\"description\":\"Identifies connections to + Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust + this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a + list of IPs with failed Windows host logins above threshold\\nlet win_fails + = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, + 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| + where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\nlet + wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType + = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend + IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| + summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize + make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins + above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains 'auth' + and ProcessName != 'sudo'\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| + where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize + count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See + if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet + aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in + (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) + or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= + \ \\\"Multiple failed host logins from IP address with successful Azure AD + login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, + IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet + aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true + aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"techniques\":[\"T1078\",\"T1110\"],\"displayName\":\"Failed + host logons but success logon to AzureAD\",\"description\":\"Identifies a + list of IP addresses with a minimum number(default of 5) of failed logon attempts + to remote hosts.\\nUses that list to identify any successful logons to Azure + Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow + = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName + has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n + \ //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| + extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser + = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n + \ //StatusDetails = tostring(Status.additionalDetails),\\n State = + tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n + \ Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure + versus non-failure types\\n| extend FailureOrSuccess = 
iff(ResultType in (\\\"0\\\", + \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", + \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize + take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n + \ take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount + = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, + Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, + authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName + and time of the authentication outcome\\n| sort by UserPrincipalName asc, + TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until + either the account changes or there is a success\\n| extend SessionStartedUtc + = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName + != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// + count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, + FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), + makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), + make_set(City), make_set(State), make_set(Region), make_set(ResultType) by + SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, + Type\\n// the session must not start with a success, and must end with one\\n| + where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where + array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) + - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the + number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess + >= failureCountThreshold \\n// 
expand out ip for entity assignment\\n| mv-expand + IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp + = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress + \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n + union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Brute + force attack against Azure Portal\",\"description\":\"Identifies evidence + of brute force activity against Azure Portal by highlighting multiple authentication + failures \\nand by a successful authentication within a given time window. 
+ \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: + https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-06T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which + an IP address is considered an unusual source of role assignment operations\\nlet + alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", + \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet + SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) + or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue + =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) + .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| + where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| + where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), + ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), + CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), + ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), + ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) + on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, + AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"techniques\":[\"T1003\",\"T1098\"],\"displayName\":\"Rare + subscription-level operations in Azure\",\"description\":\"This query looks + for a few sensitive subscription-level events based on Azure Activity Logs. 
+ \\n For example this monitors for the operation name 'Create or Update Snapshot' + which is used for creating backups but could be misused by attackers \\n to + dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| + extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), + Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" + and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime + = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| + where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"New + High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This + creates an incident when a new high severity vulnerability is detected across + multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet + SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where + TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n + \ timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity + = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity + = 
\\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.3\",\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"techniques\":[\"T1195\"],\"displayName\":\"SUNBURST + and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies + SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo + use this analytics rule, make sure you have deployed the [ASIM normalization + parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- + https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3dccf381-2bb2-40c6-81a0-ab878bdf323f\",\"name\":\"3dccf381-2bb2-40c6-81a0-ab878bdf323f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Number + of operations\",\"Number of failed operations\",\"Number of \\\"interesting\\\" + operations\",\"Number of 
\\\"interesting\\\" failed operations\",\"Fraction + of operations that are \\\"interesting\\\"\",\"Fraction of failed operations\",\"Fraction + of \\\"interesting\\\" operations that failed\",\"Distinct number of operations\",\"Distinct + number of Azure AD operation types\",\"Distinct number of categories\",\"Distinct + number of categories with \\\"interesting\\\" operations\",\"Distinct number + of \\\"interesting\\\" operations\",\"Distinct number of \\\"interesting\\\" + app management operations\",\"Distinct number of \\\"interesting\\\" device + operations\",\"Distinct number of \\\"interesting\\\" directory management + operations\",\"Distinct number of \\\"interesting\\\" group management operations\",\"Distinct + number of \\\"interesting\\\" role management operations\",\"Distinct number + of \\\"interesting\\\" user management operations\"],\"values\":[\"Number + of operations\",\"Number of failed operations\",\"Number of \\\"interesting\\\" + operations\",\"Number of \\\"interesting\\\" failed operations\",\"Fraction + of operations that are \\\"interesting\\\"\",\"Fraction of failed operations\",\"Fraction + of \\\"interesting\\\" operations that failed\",\"Distinct number of operations\",\"Distinct + number of Azure AD operation types\",\"Distinct number of categories\",\"Distinct + number of categories with \\\"interesting\\\" operations\",\"Distinct number + of \\\"interesting\\\" operations\",\"Distinct number of \\\"interesting\\\" + app management operations\",\"Distinct number of \\\"interesting\\\" device + operations\",\"Distinct number of \\\"interesting\\\" directory management + operations\",\"Distinct number of \\\"interesting\\\" group management operations\",\"Distinct + number of \\\"interesting\\\" role management operations\",\"Distinct number + of \\\"interesting\\\" user management operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top + reason for high anomaly score\",\"description\":\"Include only anomalies 
where + the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\",\"PrivilegeEscalation\",\"Discovery\",\"Collection\"],\"techniques\":[\"T1190\",\"T1078\",\"T1098\",\"T1136\",\"T1484\",\"T1087\",\"T1538\",\"T1526\",\"T1069\",\"T1518\",\"T1530\"],\"displayName\":\"(Preview) + Anomalous user/app activities in Azure audit logs\",\"description\":\"This + autoencoder model identifies anomalous user/app Azure sessions in audit logs + for the last day.\\nWe define 10 minutes to be the length of a session.\\nIt + groups the Azure audit logs on a per-user/app basis into sessions.\\nIt compresses + these user/app Azure sessions into a bottleneck encoding.\\nIt then reconstructs + the input sessions as best it can from the bottleneck encoding.\\nIf the sessions + have high reconstruction errors, they are assumed to be anomalous.\\nThe model + is trained on the previous 21 days of behavior across all users and apps.\\nThis + algorithm checks for sufficient volume of data before training the 
model.\",\"lastUpdatedDateUTC\":\"2022-01-18T00:00:00Z\",\"createdDateUTC\":\"2021-04-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let + threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, + Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] + \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators + | where Category==threatCategory | where isnotempty(UserAgent) | summarize + make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") + | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") + | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList + = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| + summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, + 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The + host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The + host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with + the HTTP user agent header {{HttpUserAgent}}. This user agent is known to + be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A + host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This + rule identifies a web request with a user agent header known to belong to + a crypto miner. This indicates a crypto miner may have infected the client + machine.
You can add custom crypto mining indicating User-Agent headers + using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

+ \ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any + built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession + Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using + AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 + has been added in the query as it corresponds \\n// to Azure Resource Graph + performing VaultGet operations for indexing and syncing all tracked resources + across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet + OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| + where not((identity_claim_appid_g in (Allowedappid)) and OperationName == + 'VaultGet')\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), + identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", + \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| + where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| + where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| + where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| + where not((identity_claim_appid_g in (Allowedappid)) and OperationName == + 'VaultGet')\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| + extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), + identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", + \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), + CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s + = 
columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType + !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| + where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress + !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ + \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" + and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) + on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g + \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), + TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), + RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), + \ CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, + id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, + clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, + AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1003\"],\"displayName\":\"Mass + secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass + secret retrieval from Azure Key Vault observed by a single user. 
\\nMass secret + retrival crossing a certain threshold is an indication of credential dump + operations or mis-configured applications. \\nYou can tweak the EventCountThreshold + based on average count seen in your environment \\nand also filter any known + sources (IP/Account) and useragent combinations based on historical analysis + to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| + where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains + \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend + Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, + DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity + = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - 
Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious + user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"severity\":\"Low\",\"query\":\"let + DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", + \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", + \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", + \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", + \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", + \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", + \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", + \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", + \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", + \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", + \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", + \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", + 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", + \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", + \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", + \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", + \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", + \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", + \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName + contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n + \ Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n + \ HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n + \ User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n + \ RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n + \ Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ + )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} + )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| + extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code + == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any 
(DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1102\"],\"displayName\":\"NRT + Squid proxy events related to mining pools\",\"description\":\"Checks for + Squid proxy events in Syslog associated with common mining pools .This query + presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The + bigger the window the better the data sample size, as we use IP prevalence, + more sample data is better.\\n//The minimum number of countries that the account + has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta + (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold + = 95;\\n//The maximum (%) threshold that the country appears in login data + [default: 10]\\nlet 
countryPrevalenceThreshold = 10;\\n//The time to project + forward after the last login activity [default: 60min]\\nlet projectedEndTime + = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = + (tableName: string) {\\n // Get successful signins to Teams\\n let signinData + =\\n table(tableName)\\n | where TimeGenerated > ago(queryperiod)\\n + \ | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus + =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)['countryOrRegion'])\\n + \ | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate + prevalence of countries\\n let countryPrevalence =\\n signinData\\n + \ | summarize CountCountrySignin = count() by Country\\n | extend + TotalSignin = toscalar(signinData | summarize count())\\n | extend + CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n + \ // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n + \ | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated + = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate + delta between the IP addresses with the most and minimum activity by user\\n + \ let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin + = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries + = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend + UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n + \ // Collect Team operations the user account has performed within a time + range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated + > ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", + \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", + \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, + UserId = tolower(UserId), Operation\\n | join kind = inner(\\n 
userIpDelta\\n + \ // Check users with activity from distinct countries\\n | where + DistinctCountries >= minimumCountries\\n // Check users with high IP + delta\\n | where UserIPDelta >= deltaThreshold\\n // Add information + about signins and countries\\n | join kind = leftouter userIpSignin + on UserPrincipalName\\n | join kind = leftouter countryPrevalence on + Country\\n // Check activity that comes from nonprevalent countries\\n + \ | where CountryPrevalence < countryPrevalenceThreshold\\n | + project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n + \ UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n + \ SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes + = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n + \ // Check the signins occured 60 min before the Teams operations\\n | + mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated + = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between + (SigninTimeGenerated .. 
(SigninTimeGenerated + projectedEndTime))\\n};\\nlet + aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, + *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n + \ ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", + tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by + UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| + extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1199\",\"T1136\",\"T1078\",\"T1098\"],\"displayName\":\"Anomalous + login followed by Teams action\",\"description\":\"Detects anomalous IP address + usage by user accounts and then checks to see if a suspicious Teams action + is performed.\\nQuery calculates IP usage Delta for each user account and + selects accounts where a delta >= 90% is observed between the most and least + used IP.\\nTo further reduce results the query performs a prevalence check + on the lowest used IP's country, only keeping IP's where the country is unusual + for the tenant (dynamic ranges)\\nFinally the user accounts activity within + Teams logs is checked for suspicious commands (modifying user privileges or + admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) + Anomalous SSH Login Detection\",\"description\":\"This detection uses machine + learning (ML) to identify anomalous Secure Shell (SSH) login activity, based + on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has + not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, + city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew + user - A new user logs in from an IP address and geo location, both or either + of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days + after this alert is enabled for Microsoft Sentinel to build a profile of normal + activity for your environment.\\n\\nThis detection requires a specific configuration + of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy + enabling this rule, you give Microsoft permission to copy ingested data outside + of your Microsoft Sentinel workspace's geography as necessary for processing + by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let + minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", + \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", + \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", + \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", + \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", + \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", + \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", + \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", + \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", + 
\\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", + \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", + \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", + \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", + \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", + \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", + \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", + \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", + \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", + \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| + extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity + = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"Impact\"],\"techniques\":[\"T1496\"],\"displayName\":\"DNS + events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies + IP addresses that may be performing DNS lookups associated with common currency + mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and + supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| + where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" + \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), + dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, + EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n + \ | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where + Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, + bin(TimeGenerated, 1d)\\n | where 
dcount_Name > threshold\\n | project + ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, + IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"techniques\":[\"T1046\"],\"displayName\":\"Rare + client observed with high reverse DNS lookup count\",\"description\":\"Identifies + clients with a high reverse DNS counts which could be carrying out reconnaissance + or discovery activity.\\nAlert is generated if the IP performing such reverse + DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n + | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n + | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue + = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result + set low, we only need one match to indicate potential 
malicious activity that + needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n + \ (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where + EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n + \ | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, + FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated + >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n + \ | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated + = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n + \ )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated + < ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, + *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, + ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n + Process, FileHash, Computer, Account, Event\\n | extend timestamp = SecurityEvent_TimeGenerated, + AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity + = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map File Hash to Security Event\",\"description\":\"Identifies a match in + Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// + How far back to look for events from\\nlet timeframe = 1d;\\n// How close + together build events and file modifications should occur to alert (make this + smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build + processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", + \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow + to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| + where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| + where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, + BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, + timekey= bin(TimeGenerated, 
time_window), BuildProcessTime=TimeGenerated\\n| + join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated > ago(timeframe)\\n| + where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" + \ or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this + to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" + or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, + FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, + FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), + FileEditTime=TimeGenerated)\\n// join where build processes and file modifications + seen at same time on same host\\non timekey, DeviceName\\n// Limit to only + where the file edit happens after the build process starts\\n| where BuildProcessTime + <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), + make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| + extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"techniques\":[\"T1554\"],\"displayName\":\"Potential + Build Process Compromise - MDE\",\"description\":\"The query looks for source + code files being modified immediately after a build process is started. The + purpose of this is to look for malicious code injection during the build process. 
+ This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: + https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| + where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", + \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", + \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any + ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\\\\\SYSTEM + (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", + \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.2\",\"tactics\":[\"Persistence\",\"Collection\"],\"techniques\":[\"T1098\",\"T1114\"],\"displayName\":\"Rare + and potentially high-risk Office operations\",\"description\":\"Identifies + Office operations that are typically rare and can provide capabilities useful + to attackers.\",\"lastUpdatedDateUTC\":\"2022-02-18T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| + where Active == true\\n//Filtering the table for Email related IOCs\\n| where + isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and + result set low, we only need one match to indicate potential malicious activity + that needs to be investigated\\n| 
join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| + where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing + the column to lower case for exact match with EmailSenderAddress column\\n| + extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column + so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated + = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(dt_lookBack) + \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where + isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact + match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// + renaming timestamp column so it is clear the log this came from SecurityEvent + table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non + $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated + < ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, + *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, + Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, + ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, + EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, + Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, + SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity + = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity + = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.3.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI + map Email entity to SecurityEvent\",\"description\":\"Identifies a match in + SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number + of reasons for anomalous 
activity\",\"description\":\"Provide explanations + for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct + number of methods\",\"Distinct number of uri queries\",\"Distinct number of + uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total + number of operations\",\"Total number of http verbs\",\"Total number of http + statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display + anomalies for a specific top reason\",\"description\":\"Display anomalies + only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public + IPs\",\"Private IPs\",\"All IPs\"],\"supportedValuesKql\":null,\"value\":\"All + IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose + to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude + client IPs from the anomalies generated\",\"description\":\"Enter comma separated + client IPs (prefixed client IP entities supported) that the anomalies should + not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"techniques\":[\"T1190\",\"T1505\"],\"displayName\":\"(Preview) + Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates + anomalous W3CIIS sessions within the last day, due to reasons such 
as a high + number of distinct uri queries, specific http verbs or http statuses, user + agents, or an unusually high number of logs in a session.\\nThe machine learning + algorithm identifies unusual W3CIIS log events within an hourly session, grouped + by site name and client IP.\\nThe model is trained on the previous 7 days + of W3CIIS activity, using an autoencoder. The algorithm checks for sufficient + volume of W3CIIS activity before training the model.\\nThe autoencoder compressess + these site name/client IP sessions using a bottleneck encoding, and reconstructs + the input sessions using a decoder.\\nSessions with high reconstruction errors + are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2022-03-17T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID + == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n + \ ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName + = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, + '\\\\\\\\')[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n + \ ));\\n// Correlate suspect executables seen in TrendMicro 
rule updates with + similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ + \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where + RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL + , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, + '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName + \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity + = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.2\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1204\"],\"displayName\":\"Network + endpoint to host executable correlation\",\"description\":\"Correlates blocked + URLs hosting [malicious] executables with host endpoint data\\nto identify + potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal + this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need + to exhibit execution of more \\\"new\\\" connections than this number.\\nlet + NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your + space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", + \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", + \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| + where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName + == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), + Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| + summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames + = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), + Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| + where TimeGenerated >= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" + \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), + ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with + OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), + ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), + Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount + > ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, + Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId + and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| + extend link = iff(\\nType == \\\"Build\\\", strcat('https://dev.azure.com/', + OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\nstrcat('https://dev.azure.com/', + OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', + DefId))\\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\\n| + project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections + = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections + = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend + timestamp = StartTime, AccountCustomEntity = 
ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"techniques\":[\"T1098\",\"T1496\"],\"displayName\":\"Azure + DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This + detection builds an allow list of historic service connection use by Builds + and Releases and compares to recent history, flagging growth of service connection + use which are not manually included in the allow list and \\nnot historically + included in the allow list Build/Release runs. This is to determine if someone + is hijacking a build/release and adding many service connections in order + to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", + \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| + extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| + where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| + extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| + where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| + extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName + == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, + PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId + , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, + Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1190\"],\"displayName\":\"AV + detections related to SpringShell Vulnerability\",\"description\":\"This query + looks for Microsoft Defender AV detections related to SpringShell Vulnerability. + In Microsoft Sentinel the SecurityAlerts table includes only the Device Name + of the affected device, \\n this query joins the DeviceInfo table to clearly + connect other information such as Device group, ip, logged on users etc. 
This + would allow the Microsoft Sentinel analyst to have more context related to + the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-04-05T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold + = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated + hourly count of MailItemsAccessd Operation in the form of multi-value array + to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| + where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| + where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" + and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, + MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) + to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| + extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, + -1, 'linefit')\\n| mv-expand Total 
to typeof(double), TimeGenerated to typeof(datetime), + anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| + where anomalies > 0\\n| project TimeGenerated, Total, baseline, anomalies, + score;\\n// Joining the flagged outlier from the previous step with the original + dataset to present contextual information\\n// during the anomalyhour to analysts + to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where + TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe + to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n + \ | where TimeGenerated > ago(2d)\\n | extend DateHour = bin(TimeGenerated, + 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" + and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), + TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), + SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) + by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, + 1h) \\n | where HourlyCount > 25 // Only considering operations with more + than 25 hourly count to reduce False Positivies\\n | order by HourlyCount + desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, + 2) * 100 \\n| where PercentofTotal > percentthreshold // Filter Users with + count of less than 5 percent of TotalEvents per Hour to remove FPs/ users + with very low count of MailItemsAccessed events\\n| order by PercentofTotal + desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, + UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, + Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity + = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"techniques\":[\"T1114\"],\"displayName\":\"Exchange + workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies + anomalous increases in Exchange mail items accessed operations.\\nThe query + leverages KQL built-in anomaly detection algorithms to find large deviations + from baseline patterns.\\nSudden increases in execution frequency of sensitive + actions should be further investigated for malicious activity.\\nManually + change scorethreshold from 1.5 to 3 or higher to reduce the noise based on + outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- + https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + cmdTokens0 = dynamic(['vbscript','jscript']);\\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\\nlet + cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\\n(union + isfuzzy=true \\n(SecurityEvent\\n| 
where TimeGenerated >= ago(14d)\\n| where + EventID == 4688\\n| where CommandLine has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| + where not(CommandLine has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', + @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// + If you are receiving false positives, then it may help to make the query more + strict by uncommenting one or both of the lines below to refine the matches\\n//| + where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| + where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, + Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| + extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity + = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(14d)\\n| where + EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| + where not(EventData has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', + @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n| + extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine + has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(CommandLine + has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', + @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// + If you are receiving false positives, then it may help to make the query more + strict by uncommenting one or both of the lines below to refine the matches\\n//| + where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| + where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", + EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| + extend 
Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| extend + ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, + Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, + _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, + AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.1\",\"tactics\":[\"Execution\"],\"techniques\":[\"T1059\"],\"displayName\":\"NOBELIUM + - Script payload stored in Registry\",\"description\":\"This query idenifies + when a process execution commandline indicates that a registry value is written + to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\
",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| + where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) + by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" + Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse + OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long + \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| + where Major ago(timeRange)\\n| where EventID + == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| + extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// + bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize + OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, + 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// + sort ready for sessionizing - by account and time of the authentication outcome\\n| + sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into + failure groupings until either the account changes or there is a success\\n| + extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, + Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the + failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, + Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), + makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, + Account\\n// the session must not start with a success, and must end with + one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where + array_index_of(list_Outcome, \\\"Success\\\") == 
array_length(list_Outcome) + - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number + of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess + >= authenticationThreshold\\n// expand out ip and computer for customer entity + assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = + tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, + AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"SecurityEvent + - Multiple authentication failures followed by a success\",\"description\":\"Identifies + accounts who have failed to logon to the domain multiple times in a row, followed + by a successful authentication\\nwithin a short time frame. 
Multiple failed + attempts followed by a success can be an indication of a brute force attempt + or\\npossible mis-configuration of a service account within an environment.\\nThe + lookback is set to 6h and the authentication window and threshold are set + to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by + a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let + domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union + isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * '(' DNSName + ')' * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) + or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, + HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns + (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity + = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with + * '[\\\"' DNSName '\\\"]' *\\n | where isnotempty(DNSName)\\n | where DNSName + in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents + \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) + \ \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP + \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n + \ | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n + \ | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to + ' DestinationHost ':' DestinationPort '. Action:' Action\\n | where isnotempty(DestinationHost)\\n + \ | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost + \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.4.1\",\"tactics\":[\"CommandAndControl\"],\"techniques\":[\"T1102\"],\"displayName\":\"Solorigate + Network Beacon\",\"description\":\"Identifies a match across various data + feeds for domains IOCs related to the Solorigate incident.\\n References: + https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, + \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate + an anomaly when score is greater than 
the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"techniques\":[\"T1078\"],\"displayName\":\"(Preview) + Suspicious volume of logins to user account with elevated token\",\"description\":\"This + algorithm detects an unusually high volume of successful logins with elevated + token per user account. The model is trained on the previous 21 days of security + event ID 4624 on an account. It indicates anomalous high volume of successful + logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| + where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server + 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| + summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors + = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors > 400\\n| + sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity + = HostName, IPCustomEntity = 
SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh + - Large Number of Web errors from an IP\",\"description\":\"Identifies instances + where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard + Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| + where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| + where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) + or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), + NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) + and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend + TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), + EmailSourceIpAddress, 
TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, + *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep + perf fast and result set low, we only need one match to indicate potential + malicious activity that needs to be investigated\\n| join kind=innerunique + (\\n ProofpointPOD \\n | where TimeGenerated >= ago(dt_lookBack)\\n + \ | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated + = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| + where ProofpointPOD_TimeGenerated < ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated + = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project + ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, + ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| + extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD + - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-12-02T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| + where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal == ''\\n| + extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, + DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, + UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco + Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect + empty and unusual user agent indicating web browsing activity by an unusual + process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let + aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| + where Status has \\\"MFA Denied; user declined the authentication\\\" or Status + has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| + extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, + IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin + = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion + isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"sentinelEntitiesMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"techniques\":[\"T1110\"],\"displayName\":\"Explicit + MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that + login was not 
expected and the account's password may be compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}" + headers: + cache-control: + - no-cache + content-length: + - '1460919' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:46 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule template show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa","name":"65360bb0-8986-4ade-a89d-af3cf44d28aa","type":"Microsoft.SecurityInsights/AlertRuleTemplates","kind":"Scheduled","properties":{"queryFrequency":"P1D","queryPeriod":"P1D","triggerOperator":"GreaterThan","triggerThreshold":0,"severity":"Low","query":"let + EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| + where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), + EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, + UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, + SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| + extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, + IPCustomEntity = SourceIpAddress","entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"FullName","columnName":"AccountCustomEntity"}]},{"entityType":"IP","fieldMappings":[{"identifier":"Address","columnName":"IPCustomEntity"}]}],"sentinelEntitiesMappings":[],"version":"1.0.0","tactics":["PrivilegeEscalation","LateralMovement"],"techniques":["T1078"],"displayName":"Changes + to Amazon VPC settings","description":"Amazon Virtual Private Cloud (Amazon + VPC) lets you provision a logically isolated section of the AWS Cloud where + you can launch AWS resources\nin a virtual network that you define.\nThis + identifies changes to Amazon VPC (Virtual Private Cloud) settings such as + new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 + \nand AWS VPC 
API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html","lastUpdatedDateUTC":"2021-10-19T00:00:00Z","createdDateUTC":"2019-02-27T00:00:00Z","status":"Available","requiredDataConnectors":[{"connectorId":"AWS","dataTypes":["AWSCloudTrail"]}],"alertRulesCreatedByTemplateCount":0}}' + headers: + cache-control: + - no-cache + content-length: + - '2288' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:44:48 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_automation_rule_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_automation_rule_crud.yaml new file mode 100644 index 00000000000..e65c309b84d --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_automation_rule_crud.yaml 
@@ -0,0 +1,627 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-27T03:43:02Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:43:06 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b51784f5-c3bf-4ca9-817a-5bd07318fd62\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 03:43:14 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 15:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 03:43:14 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 03:43:14 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 03:43:15 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b51784f5-c3bf-4ca9-817a-5bd07318fd62\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 03:43:14 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 15:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 03:43:14 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 03:43:16 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 03:43:46 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b51784f5-c3bf-4ca9-817a-5bd07318fd62\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 03:43:14 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 15:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 03:43:14 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 03:43:16 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 03:43:47 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:43:54 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"actions": [{"actionType": "ModifyProperties", "order": + 1, "actionConfiguration": {"severity": "High"}}], "displayName": "High severity + incidents escalation", "order": 1, "triggeringLogic": {"isEnabled": true, "triggersOn": + "Incidents", "triggersWhen": "Created"}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule create + 
Connection: + - keep-alive + Content-Length: + - '281' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --display-name --order --actions --triggering-logic + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules/rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AutomationRules/rule-000003","name":"rule-000003","etag":"\"0a001bd0-0000-0100-0000-62b9277e0000\"","type":"Microsoft.SecurityInsights/AutomationRules","properties":{"displayName":"High + severity incidents escalation","order":1,"triggeringLogic":{"isEnabled":true,"triggersOn":"Incidents","triggersWhen":"Created","conditions":[]},"actions":[{"order":1,"actionType":"ModifyProperties","actionConfiguration":{"severity":"High","status":null,"classification":null,"classificationReason":null,"classificationComment":null,"owner":null,"labels":null}}],"lastModifiedTimeUtc":"2022-06-27T03:43:58Z","createdTimeUtc":"2022-06-27T03:43:58Z","lastModifiedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"},"createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1239' + content-type: + - application/json; charset=utf-8 + date: + 
- Mon, 27 Jun 2022 03:43:58 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AutomationRules/rule-000003","name":"rule-000003","etag":"\"0a001bd0-0000-0100-0000-62b9277e0000\"","type":"Microsoft.SecurityInsights/AutomationRules","properties":{"displayName":"High + severity incidents escalation","order":1,"triggeringLogic":{"isEnabled":true,"triggersOn":"Incidents","triggersWhen":"Created","conditions":[]},"actions":[{"order":1,"actionType":"ModifyProperties","actionConfiguration":{"severity":"High","status":null,"classification":null,"classificationReason":null,"classificationComment":null,"owner":null,"labels":null}}],"lastModifiedTimeUtc":"2022-06-27T03:43:58Z","createdTimeUtc":"2022-06-27T03:43:58Z","lastModifiedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + 
Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"},"createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}]}' + headers: + cache-control: + - no-cache + content-length: + - '1251' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:43:59 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '498' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule update + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --display-name + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules/rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AutomationRules/rule-000003","name":"rule-000003","etag":"\"0a001bd0-0000-0100-0000-62b9277e0000\"","type":"Microsoft.SecurityInsights/AutomationRules","properties":{"displayName":"High + severity incidents 
escalation","order":1,"triggeringLogic":{"isEnabled":true,"triggersOn":"Incidents","triggersWhen":"Created","conditions":[]},"actions":[{"order":1,"actionType":"ModifyProperties","actionConfiguration":{"severity":"High","status":null,"classification":null,"classificationReason":null,"classificationComment":null,"owner":null,"labels":null}}],"lastModifiedTimeUtc":"2022-06-27T03:43:58Z","createdTimeUtc":"2022-06-27T03:43:58Z","lastModifiedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"},"createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1239' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:44:00 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: '{"etag": "\"0a001bd0-0000-0100-0000-62b9277e0000\"", "properties": {"actions": + [{"actionType": "ModifyProperties", "order": 1, "actionConfiguration": {"severity": + "High"}}], "displayName": "New name", "order": 1, "triggeringLogic": {"conditions": + [], "isEnabled": true, "triggersOn": "Incidents", "triggersWhen": "Created"}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule update + Connection: + - keep-alive + Content-Length: + - '325' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --display-name + User-Agent: + - AZURECLI/2.37.0 
(AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules/rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AutomationRules/rule-000003","name":"rule-000003","etag":"\"0a001dd0-0000-0100-0000-62b927810000\"","type":"Microsoft.SecurityInsights/AutomationRules","properties":{"displayName":"New + name","order":1,"triggeringLogic":{"isEnabled":true,"triggersOn":"Incidents","triggersWhen":"Created","conditions":[]},"actions":[{"order":1,"actionType":"ModifyProperties","actionConfiguration":{"severity":"High","status":null,"classification":null,"classificationReason":null,"classificationComment":null,"owner":null,"labels":null}}],"lastModifiedTimeUtc":"2022-06-27T03:44:01Z","createdTimeUtc":"2022-06-27T03:43:58Z","lastModifiedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"},"createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1213' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:44:01 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + 
x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules/rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/AutomationRules/rule-000003","name":"rule-000003","etag":"\"0a001dd0-0000-0100-0000-62b927810000\"","type":"Microsoft.SecurityInsights/AutomationRules","properties":{"displayName":"New + name","order":1,"triggeringLogic":{"isEnabled":true,"triggersOn":"Incidents","triggersWhen":"Created","conditions":[]},"actions":[{"order":1,"actionType":"ModifyProperties","actionConfiguration":{"severity":"High","status":null,"classification":null,"classificationReason":null,"classificationComment":null,"owner":null,"labels":null}}],"lastModifiedTimeUtc":"2022-06-27T03:44:01Z","createdTimeUtc":"2022-06-27T03:43:58Z","lastModifiedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"},"createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + 
Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1213' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:44:02 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel automation-rule delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/automationRules/rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 03:44:03 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 
diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_crud.yaml new file mode 100644 index 00000000000..2bd425e05a3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_crud.yaml 
@@ -0,0 +1,530 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-24T07:50:13Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:50:18 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"801ea8ce-07c3-4850-8ab1-e1b96b3c265c\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:50:27 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 14:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:50:27 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:50:27 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:50:29 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"801ea8ce-07c3-4850-8ab1-e1b96b3c265c\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:50:27 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 14:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:50:27 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:50:28 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:50:59 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"801ea8ce-07c3-4850-8ab1-e1b96b3c265c\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 07:50:27 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 14:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 07:50:27 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 07:50:28 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 07:51:00 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:51:12 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"displayName": "My bookmark", "entityMappings": [{"entityType": + "Account", "fieldMappings": [{"identifier": "Fullname", "value": "johndoe@microsoft.com"}]}], + "labels": ["Tag1", "Tag2"], "notes": "Found a suspicious activity", "query": + "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", "tactics": ["Execution"], "techniques": 
+ ["T1609"]}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark create + Connection: + - keep-alive + Content-Length: + - '425' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --query-content --query-result --display-name --notes --entity-mappings + --tactics --techniques --labels + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"c1004b48-0000-0100-0000-62b56cf50000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My + bookmark","created":"2022-06-24T07:51:17.0273183+00:00","updated":"2022-06-24T07:51:17+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"eventTime":"2022-06-24T07:51:17.0270234+00:00","notes":"Found a suspicious + activity","labels":["Tag1","Tag2"],"query":"SecurityEvent | where TimeGenerated + > ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query + 
result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null},"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"Fullname","value":"johndoe@microsoft.com"}]}],"tactics":["Execution"],"techniques":["T1609"]}}' + headers: + cache-control: + - no-cache + content-length: + - '1247' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:51:16 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"c1004b48-0000-0100-0000-62b56cf50000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My + 
bookmark","created":"2022-06-24T07:51:17.0273183+00:00","updated":"2022-06-24T07:51:17.0273183+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"eventTime":"2022-06-24T07:51:17.0270234+00:00","notes":"Found a suspicious + activity","labels":["Tag1","Tag2"],"query":"SecurityEvent | where TimeGenerated + > ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query + result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null},"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"Fullname","value":"johndoe@microsoft.com"}]}],"tactics":["Execution"],"techniques":["T1609"]}}]}' + headers: + cache-control: + - no-cache + content-length: + - '1267' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:51:18 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"c1004b48-0000-0100-0000-62b56cf50000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My + bookmark","created":"2022-06-24T07:51:17.0273183+00:00","updated":"2022-06-24T07:51:17.0273183+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"eventTime":"2022-06-24T07:51:17.0270234+00:00","notes":"Found a suspicious + activity","labels":["Tag1","Tag2"],"query":"SecurityEvent | where TimeGenerated + > ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query + result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null},"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"Fullname","value":"johndoe@microsoft.com"}]}],"tactics":["Execution"],"techniques":["T1609"]}}' + headers: + cache-control: + - no-cache + content-length: + - '1255' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:51:19 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 
Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 07:51:20 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_relation_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_relation_crud.yaml new file mode 100644 index 00000000000..81eb1a50284 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_bookmark_relation_crud.yaml 
@@ -0,0 +1,627 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-24T09:40:47Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:40:50 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"c5f51b0c-dc71-4e09-8806-20977bdd2255\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 09:40:56 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 13:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 09:40:56 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 09:40:56 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 09:40:57 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"c5f51b0c-dc71-4e09-8806-20977bdd2255\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 09:40:56 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 13:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 09:40:56 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 09:40:57 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 09:41:27 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"c5f51b0c-dc71-4e09-8806-20977bdd2255\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 09:40:56 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 13:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 09:40:56 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 09:40:57 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 09:41:28 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:39 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"displayName": "My bookmark", "entityMappings": [{"entityType": + "Account", "fieldMappings": [{"identifier": "Fullname", "value": "johndoe@microsoft.com"}]}], + "labels": ["Tag1", "Tag2"], "notes": "Found a suspicious activity", "query": + "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", "tactics": ["Execution"], "techniques": 
+ ["T1609"]}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark create + Connection: + - keep-alive + Content-Length: + - '425' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --query-content --query-result --display-name --notes --entity-mappings + --tactics --techniques --labels + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096","name":"2216d0e1-91e3-4902-89fd-d2df8c535096","etag":"\"c2000a5b-0000-0100-0000-62b586d70000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My + bookmark","created":"2022-06-24T09:41:43.0827769+00:00","updated":"2022-06-24T09:41:43+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"eventTime":"2022-06-24T09:41:43.0825764+00:00","notes":"Found a suspicious + activity","labels":["Tag1","Tag2"],"query":"SecurityEvent | where TimeGenerated + > ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query + 
result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null},"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"Fullname","value":"johndoe@microsoft.com"}]}],"tactics":["Execution"],"techniques":["T1609"]}}' + headers: + cache-control: + - no-cache + content-length: + - '1247' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:42 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + status: + code: 200 + message: OK +- request: + body: '{"properties": {"classification": "FalsePositive", "classificationComment": + "Not a malicious activity", "classificationReason": "IncorrectAlertLogic", "description": + "This is a demo incident", "firstActivityTimeUtc": "2019-01-01T13:00:30Z", "lastActivityTimeUtc": + "2019-01-01T13:05:30Z", "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"}, + "severity": "High", "status": "Closed", "title": "My incident"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident create + Connection: + - keep-alive + Content-Length: + - '415' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --classification --classification-reason --classification-comment + --first-activity-time-utc --last-activity-time-utc --severity --status --title + --description --owner + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","name":"afbd324f-6c48-459c-8710-8d1e1cd03812","etag":"\"06009247-0000-0100-0000-62b586d80000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-24T09:41:44.7097092Z","createdTimeUtc":"2022-06-24T09:41:44.7097092Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","providerName":"Azure + Sentinel","providerIncidentId":"1"}}' + headers: + cache-control: + - no-cache + content-length: + - '1540' + content-type: + - application/json; 
charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:44 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 201 + message: Created +- request: + body: '{"properties": {"relatedResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark relation create + Connection: + - keep-alive + Content-Length: + - '284' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --bookmark-id --related-resource-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003","name":"relation-000003","etag":"\"c200255b-0000-0100-0000-62b586d90000\"","type":"Microsoft.SecurityInsights/Bookmarks/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceName":"afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceType":"Microsoft.SecurityInsights/Incidents"}}' + headers: + cache-control: + - no-cache + content-length: + - '812' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:45 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark relation list + Connection: + - keep-alive + ParameterSetName: + - -w -g --bookmark-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations?api-version=2022-06-01-preview + response: + body: + 
string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003","name":"relation-000003","etag":"\"c200255b-0000-0100-0000-62b586d90000\"","type":"Microsoft.SecurityInsights/Bookmarks/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceName":"afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceType":"Microsoft.SecurityInsights/Incidents"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '824' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:46 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark relation show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --bookmark-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003","name":"relation-000003","etag":"\"c200255b-0000-0100-0000-62b586d90000\"","type":"Microsoft.SecurityInsights/Bookmarks/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceName":"afbd324f-6c48-459c-8710-8d1e1cd03812","relatedResourceType":"Microsoft.SecurityInsights/Incidents"}}' + headers: + cache-control: + - no-cache + content-length: + - '812' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:47 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark relation delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --bookmark-id --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: '{}' + 
headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 09:41:48 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_enrichment_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_enrichment_crud.yaml new file mode 100644 index 00000000000..73d92956feb --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_enrichment_crud.yaml 
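Review bot: The new cassette scrubs the subscription ID to zeros but leaves a real identity in every bookmark response body — `createdBy`/`updatedBy` carry the user objectId `f44cc02c-cec4-4b32-860a-50bdf6ab7362`, the e-mail `ethanyang@microsoft.com` and a display name — together with the Log Analytics workspace `customerId` GUID in the workspace create/get responses, and the same values recur in the sibling cassettes of this diff. Recordings are committed to a public repository, so these values should be replaced at record time by a recording processor in the owning scenario test (mapping the object ID, e-mail, display name and `customerId` to fixed placeholders the way the subscription and resource-group names already are) rather than hand-edited here, since this generated file is rewritten on every re-record. The scenario test that drives this recording is not part of this chunk, so I cannot tell from here whether such scrubbing is already configured and simply misses these fields. If the intent is to keep the raw values, a short comment in the test explaining why they are considered non-sensitive would at least make the choice deliberate.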
@@ -0,0 +1,99 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel enrichment domain-whois show + Connection: + - keep-alive + ParameterSetName: + - -g --domain + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?domain=microsoft.com&api-version=2022-06-01-preview + response: + body: + string: '{"domain":"microsoft.com","server":"whois.markmonitor.com","created":"1991-05-02T00:00:00Z","updated":"2022-04-18T00:00:00Z","expires":"2023-05-03T00:00:00Z","parsedWhois":{"registrar":{"name":"MarkMonitor, + Inc.","abuseContactPhone":"12083895770","abuseContactEmail":"abusecomplaints@markmonitor.com","ianaId":"292","url":"http://www.markmonitor.com","whoisServer":"whois.markmonitor.com"},"contacts":{"admin":{"name":"Domain + Administrator","org":"Microsoft Corporation","street":["One Microsoft Way,"],"city":"Redmond","state":"WA","postal":"98052","country":"us","phone":"14258828080","fax":"14259367329","email":"admin@domains.microsoft"},"registrant":{"name":"Domain + Administrator","org":"Microsoft Corporation","street":["One Microsoft Way,"],"city":"Redmond","state":"WA","postal":"98052","country":"us","phone":"14258828080","fax":"14259367329","email":"admin@domains.microsoft"},"billing":{"name":"","org":"","street":[],"city":"","state":"","postal":"","country":"","phone":"","fax":"","email":""},"tech":{"name":"MSN + Hostmaster","org":"Microsoft Corporation","street":["One Microsoft 
Way,"],"city":"Redmond","state":"WA","postal":"98052","country":"us","phone":"14258828080","fax":"14259367329","email":"msnhst@microsoft.com"}},"nameServers":["ns1-39.azure-dns.com","ns2-39.azure-dns.net","ns3-39.azure-dns.org","ns4-39.azure-dns.info"],"statuses":["clientUpdateProhibited","clientTransferProhibited","clientDeleteProhibited","serverUpdateProhibited","serverTransferProhibited","serverDeleteProhibited"]}}' + headers: + cache-control: + - no-cache + content-length: + - '1515' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:41:18 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel enrichment ip-geodata show + Connection: + - keep-alive + ParameterSetName: + - -g --ip-address + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipAddress=1.2.3.4&api-version=2022-06-01-preview + response: + body: + string: '{"asn":null,"carrier":null,"city":"brisbane","cityCf":50,"continent":"oceania","country":"australia","countryCf":86,"ipAddr":"1.2.3.4","ipRoutingType":"fixed","latitude":"-27.46758","longitude":"153.02789","organization":"apnic + debogon project","organizationType":"Telecommunications","region":null,"state":"queensland","stateCf":68,"stateCode":"qld"}' + headers: + cache-control: + - no-cache + content-length: + - '351' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:41:19 GMT + 
expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_comment_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_comment_crud.yaml new file mode 100644 index 00000000000..fcf2ded2c2d --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_comment_crud.yaml 
@@ -0,0 +1,674 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-24T08:55:17Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:55:21 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"4fd9d94e-ff96-4a9b-a946-03891e311c12\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:55:30 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 17:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:55:30 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:55:30 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:55:31 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"4fd9d94e-ff96-4a9b-a946-03891e311c12\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:55:30 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 17:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:55:30 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:55:31 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:56:02 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"4fd9d94e-ff96-4a9b-a946-03891e311c12\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:55:30 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 17:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:55:30 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:55:31 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:56:04 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:14 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"classification": "FalsePositive", "classificationComment": + "Not a malicious activity", "classificationReason": "IncorrectAlertLogic", "description": + "This is a demo incident", "firstActivityTimeUtc": "2019-01-01T13:00:30Z", "lastActivityTimeUtc": + "2019-01-01T13:05:30Z", "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"}, + "severity": "High", "status": "Closed", "title": "My 
incident"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident create + Connection: + - keep-alive + Content-Length: + - '415' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --classification --classification-reason --classification-comment + --first-activity-time-utc --last-activity-time-utc --severity --status --title + --description --owner + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"0200a411-0000-0100-0000-62b57c320000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious 
activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-24T08:56:18.5749518Z","createdTimeUtc":"2022-06-24T08:56:18.5749518Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","providerName":"Azure + Sentinel","providerIncidentId":"1"}}' + headers: + cache-control: + - no-cache + content-length: + - '1540' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:18 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 201 + message: Created +- request: + body: '{"properties": {"message": "Some message"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident comment create + Connection: + - keep-alive + Content-Length: + - '43' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --incident-id --message + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","etag":"\"0200a511-0000-0100-0000-62b57c330000\"","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some + message","createdTimeUtc":"2022-06-24T08:56:19.4960905Z","lastModifiedTimeUtc":"2022-06-24T08:56:19.4960905Z","author":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '785' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:18 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident comment list + Connection: + - keep-alive + ParameterSetName: + - -w -g --incident-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","etag":"\"0200a511-0000-0100-0000-62b57c330000\"","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some + message","createdTimeUtc":"2022-06-24T08:56:19.4960905Z","lastModifiedTimeUtc":"2022-06-24T08:56:19.4960905Z","author":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}]}' + headers: + cache-control: + - no-cache + content-length: + - '797' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:19 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident comment update + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --incident-id --message + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + 
method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","etag":"\"0200a511-0000-0100-0000-62b57c330000\"","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some + message","createdTimeUtc":"2022-06-24T08:56:19.4960905Z","lastModifiedTimeUtc":"2022-06-24T08:56:19.4960905Z","author":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '785' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:20 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: '{"etag": "\"0200a511-0000-0100-0000-62b57c330000\"", "properties": {"message": + "Some messages"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident comment update + Connection: + - keep-alive + Content-Length: + - '96' 
+ Content-Type: + - application/json + ParameterSetName: + - -n -w -g --incident-id --message + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","etag":"\"0200a711-0000-0100-0000-62b57c350000\"","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some + messages","createdTimeUtc":"2022-06-24T08:56:19.4960905Z","lastModifiedTimeUtc":"2022-06-24T08:56:21.6575661Z","author":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '786' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:21 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate 
+ CommandName: + - sentinel incident comment show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --incident-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/Comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","name":"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014","etag":"\"0200a711-0000-0100-0000-62b57c350000\"","type":"Microsoft.SecurityInsights/Incidents/Comments","properties":{"message":"Some + messages","createdTimeUtc":"2022-06-24T08:56:19.4960905Z","lastModifiedTimeUtc":"2022-06-24T08:56:21.6575661Z","author":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang","userPrincipalName":"ethanyang_microsoft.com#EXT#@AzureSDKTeam.onmicrosoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '786' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:22 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + 
Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident comment delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --incident-id --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:56:23 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_crud.yaml new file mode 100644 index 00000000000..36868838b13 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_crud.yaml 
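Review bot: The recorded responses for `sentinel incident comment create`, `list`, `update` and `show` in this cassette keep the real author identity from the live run — `"email":"ethanyang@microsoft.com"`, the `userPrincipalName` ending in `#EXT#@AzureSDKTeam.onmicrosoft.com` and the author `objectId` — while the subscription id and resource-group name in the same bodies are scrubbed to placeholders. Identity data committed in a test fixture is replayed verbatim on every run and outlives the test, so it should be scrubbed like the other values; a recording processor on the test class (the `recording_processors` list, assuming this is the usual ScenarioTest setup, which I cannot see from this hunk) that rewrites the author `email`, `name`, `userPrincipalName` and `objectId` to fixed dummy values before the cassette is written, followed by a re-record, would keep the fixture useful without the personal data. The `customerId` GUIDs in the workspace responses are also left unscrubbed, which is lower risk but worth the same treatment for consistency.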
@@ -0,0 +1,515 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-24T08:43:23Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:43:26 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b783ff4c-f0a3-420c-8c54-1791293ad1b7\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:43:34 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 11:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:43:34 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:43:34 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:43:36 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b783ff4c-f0a3-420c-8c54-1791293ad1b7\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:43:34 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 11:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:43:34 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:43:35 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:44:06 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"b783ff4c-f0a3-420c-8c54-1791293ad1b7\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Fri, 24 Jun 2022 08:43:34 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Fri, 24 Jun 2022 11:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Fri, 24 Jun 2022 08:43:34 GMT\",\r\n + \ \"modifiedDate\": \"Fri, 24 Jun 2022 08:43:35 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Fri, 24 Jun 2022 08:44:08 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:44:17 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"classification": "FalsePositive", "classificationComment": + "Not a malicious activity", "classificationReason": "IncorrectAlertLogic", "description": + "This is a demo incident", "firstActivityTimeUtc": "2019-01-01T13:00:30Z", "lastActivityTimeUtc": + "2019-01-01T13:05:30Z", "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"}, + "severity": "High", "status": "Closed", "title": "My 
incident"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident create + Connection: + - keep-alive + Content-Length: + - '415' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --classification --classification-reason --classification-comment + --first-activity-time-utc --last-activity-time-utc --severity --status --title + --description --owner + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"2300e901-0000-0100-0000-62b579650000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious 
activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-24T08:44:21.8682275Z","createdTimeUtc":"2022-06-24T08:44:21.8682275Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","providerName":"Azure + Sentinel","providerIncidentId":"1"}}' + headers: + cache-control: + - no-cache + content-length: + - '1540' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:44:21 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident list + Connection: + - keep-alive + ParameterSetName: + - -w -g --orderby --top + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents?$orderby=properties%2FcreatedTimeUtc%20desc&$top=1&api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"2300e901-0000-0100-0000-62b579650000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-24T08:44:21.8682275Z","createdTimeUtc":"2022-06-24T08:44:21.8682275Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","providerName":"Azure + Sentinel","providerIncidentId":"1"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '1552' + content-type: + - 
application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:44:22 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","etag":"\"2300e901-0000-0100-0000-62b579650000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious 
activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-24T08:44:21.8682275Z","createdTimeUtc":"2022-06-24T08:44:21.8682275Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5","providerName":"Azure + Sentinel","providerIncidentId":"1"}}' + headers: + cache-control: + - no-cache + content-length: + - '1540' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:44:24 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Fri, 24 Jun 2022 08:44:25 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_relation_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_relation_crud.yaml new file mode 100644 index 00000000000..6f94dca96d3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_incident_relation_crud.yaml 
@@ -0,0 +1,631 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-26T15:31:59Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:02 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"92a038ec-4582-4324-a7c3-5c1d6657c8a4\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 15:32:09 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 00:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 15:32:09 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 15:32:09 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 15:32:10 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"92a038ec-4582-4324-a7c3-5c1d6657c8a4\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 15:32:09 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 00:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 15:32:09 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 15:32:10 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 15:32:40 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"92a038ec-4582-4324-a7c3-5c1d6657c8a4\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 15:32:09 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 00:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 15:32:09 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 15:32:10 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 15:32:43 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:51 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"classification": "FalsePositive", "classificationComment": + "Not a malicious activity", "classificationReason": "IncorrectAlertLogic", "description": + "This is a demo incident", "firstActivityTimeUtc": "2019-01-01T13:00:30Z", "lastActivityTimeUtc": + "2019-01-01T13:05:30Z", "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"}, + "severity": "High", "status": "Closed", "title": "My 
incident"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident create + Connection: + - keep-alive + Content-Length: + - '415' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --classification --classification-reason --classification-comment + --first-activity-time-utc --last-activity-time-utc --severity --status --title + --description --owner + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","name":"afbd324f-6c48-459c-8710-8d1e1cd03812","etag":"\"010058ad-0000-0100-0000-62b87c270000\"","type":"Microsoft.SecurityInsights/Incidents","properties":{"title":"My + incident","description":"This is a demo incident","severity":"High","status":"Closed","classification":"FalsePositive","classificationReason":"IncorrectAlertLogic","classificationComment":"Not + a malicious 
activity","owner":{"objectId":"2046feea-040d-4a46-9e2b-91c2941bfa70","email":null,"assignedTo":null,"userPrincipalName":null,"ownerType":"Unknown"},"labels":[],"firstActivityTimeUtc":"2019-01-01T13:00:30Z","lastActivityTimeUtc":"2019-01-01T13:05:30Z","lastModifiedTimeUtc":"2022-06-26T15:32:55.8915737Z","createdTimeUtc":"2022-06-26T15:32:55.8915737Z","incidentNumber":1,"additionalData":{"alertsCount":0,"bookmarksCount":0,"commentsCount":0,"alertProductNames":[],"tactics":[],"techniques":[]},"relatedAnalyticRuleIds":[],"incidentUrl":"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812","providerName":"Azure + Sentinel","providerIncidentId":"1"}}' + headers: + cache-control: + - no-cache + content-length: + - '1540' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:55 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '498' + status: + code: 201 + message: Created +- request: + body: '{"properties": {"displayName": "My bookmark", "entityMappings": [{"entityType": + "Account", "fieldMappings": [{"identifier": "Fullname", "value": "johndoe@microsoft.com"}]}], + "labels": ["Tag1", "Tag2"], "notes": "Found a suspicious activity", "query": + "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", "tactics": ["Execution"], "techniques": + ["T1609"]}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel bookmark create + Connection: + - keep-alive + Content-Length: + - 
'425' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --query-content --query-result --display-name --notes --entity-mappings + --tactics --techniques --labels + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096","name":"2216d0e1-91e3-4902-89fd-d2df8c535096","etag":"\"020041a8-0000-0100-0000-62b87c290000\"","type":"Microsoft.SecurityInsights/Bookmarks","properties":{"displayName":"My + bookmark","created":"2022-06-26T15:32:57.309088+00:00","updated":"2022-06-26T15:32:57+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"Ethan + Yang"},"eventTime":"2022-06-26T15:32:57.308823+00:00","notes":"Found a suspicious + activity","labels":["Tag1","Tag2"],"query":"SecurityEvent | where TimeGenerated + > ago(1d) and TimeGenerated < ago(2d)","queryResult":"Security Event query + result","incidentInfo":{"incidentId":null,"title":null,"relationName":null,"severity":null},"entityMappings":[{"entityType":"Account","fieldMappings":[{"identifier":"Fullname","value":"johndoe@microsoft.com"}]}],"tactics":["Execution"],"techniques":["T1609"]}}' + headers: + cache-control: + - no-cache + content-length: + - '1245' + content-type: + - 
application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:57 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 200 + message: OK +- request: + body: '{"properties": {"relatedResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident relation create + Connection: + - keep-alive + Content-Length: + - '284' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --incident-id --related-resource-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003","name":"relation-000003","etag":"\"010060ad-0000-0100-0000-62b87c2a0000\"","type":"Microsoft.SecurityInsights/Incidents/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceName":"2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceType":"Microsoft.SecurityInsights/Bookmarks"}}' + headers: + cache-control: + - no-cache + content-length: + - '812' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:57 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident relation list + Connection: + - keep-alive + ParameterSetName: + - -w -g --incident-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations?api-version=2022-06-01-preview + response: + 
body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003","name":"relation-000003","etag":"\"010060ad-0000-0100-0000-62b87c2a0000\"","type":"Microsoft.SecurityInsights/Incidents/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceName":"2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceType":"Microsoft.SecurityInsights/Bookmarks"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '824' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:59 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident relation show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --incident-id + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003","name":"relation-000003","etag":"\"010060ad-0000-0100-0000-62b87c2a0000\"","type":"Microsoft.SecurityInsights/Incidents/relations","properties":{"relatedResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceName":"2216d0e1-91e3-4902-89fd-d2df8c535096","relatedResourceType":"Microsoft.SecurityInsights/Bookmarks"}}' + headers: + cache-control: + - no-cache + content-length: + - '812' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:32:59 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel incident relation delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --incident-id --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 
Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/relation-000003?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 15:33:00 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '499' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_metadata_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_metadata_crud.yaml new file mode 100644 index 00000000000..b0d464cc6b8 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_metadata_crud.yaml 
@@ -0,0 +1,655 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-26T16:06:09Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:06:15 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:06:21 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 01:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:06:21 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:06:21 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:06:23 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1195' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:06:21 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 01:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:06:21 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:06:22 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:06:53 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:06:21 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 01:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:06:21 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:06:22 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:06:54 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:02 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"kind": "MicrosoftSecurityIncidentCreation", "properties": {"displayName": + "testing", "enabled": true, "productFilter": "Microsoft Cloud App Security"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel alert-rule create + Connection: + - keep-alive + Content-Length: + - '153' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g 
--ms-security-incident + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","name":"alert-rule-000003","etag":"\"29006b0a-0000-0100-0000-62b8842d0000\"","type":"Microsoft.SecurityInsights/alertRules","kind":"MicrosoftSecurityIncidentCreation","properties":{"productFilter":"Microsoft + Cloud App Security","severitiesFilter":null,"displayNamesFilter":null,"displayNamesExcludeFilter":null,"displayName":"testing","enabled":true,"description":null,"alertRuleTemplateName":null,"lastModifiedUtc":"2022-06-26T16:07:09.0497394Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '682' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:08 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 201 + message: Created +- request: + body: '{"properties": {"contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", "kind": + "AnalyticsRule", "parentId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003"}}' + headers: + Accept: + - application/json + 
Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata create + Connection: + - keep-alive + Content-Length: + - '335' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --content-id --parent-id --kind + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004","name":"metadata-000004","type":"Microsoft.SecurityInsights/metadata","systemData":{"createdAt":"2022-06-26T16:07:09.9370942Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:07:09.9370942Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"contentId":"c00ee137-7475-47c8-9cce-ec6f0f1bedd0","parentId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","kind":"AnalyticsRule","source":{"kind":"LocalWorkspace","name":"workspace-000002","sourceId":"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"}}}' + headers: + cache-control: + - no-cache + content-length: + - '977' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:11 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + 
x-ms-ratelimit-remaining-subscription-writes: + - '1198' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004","name":"metadata-000004","type":"Microsoft.SecurityInsights/metadata","systemData":{"createdAt":"2022-06-26T16:07:09.9370942Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:07:09.9370942Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"contentId":"c00ee137-7475-47c8-9cce-ec6f0f1bedd0","parentId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","kind":"AnalyticsRule","source":{"kind":"LocalWorkspace","name":"workspace-000002","sourceId":"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"}}}]}' + headers: + cache-control: + - no-cache + content-length: + - '989' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:12 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; 
includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata update + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --author + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004","name":"metadata-000004","type":"Microsoft.SecurityInsights/metadata","systemData":{"createdAt":"2022-06-26T16:07:09.9370942Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:07:09.9370942Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"contentId":"c00ee137-7475-47c8-9cce-ec6f0f1bedd0","parentId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","kind":"AnalyticsRule","source":{"kind":"LocalWorkspace","name":"workspace-000002","sourceId":"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"}}}' + headers: + cache-control: + - no-cache + content-length: + - '977' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:14 GMT + expires: + - '-1' + pragma: + - no-cache + 
server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"properties": {"author": {"email": "cli@microsoft.com", "name": "cli"}, + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", "kind": "AnalyticsRule", + "parentId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003", + "source": {"kind": "LocalWorkspace", "name": "workspace-000002", "sourceId": + "ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata update + Connection: + - keep-alive + Content-Length: + - '510' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --author + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004","name":"metadata-000004","type":"Microsoft.SecurityInsights/metadata","systemData":{"createdAt":"2022-06-26T16:07:09.9370942Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:07:15.4451079Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"contentId":"c00ee137-7475-47c8-9cce-ec6f0f1bedd0","parentId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","kind":"AnalyticsRule","source":{"kind":"LocalWorkspace","name":"workspace-000002","sourceId":"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"},"author":{"name":"cli","email":"cli@microsoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1029' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:14 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004","name":"metadata-000004","type":"Microsoft.SecurityInsights/metadata","systemData":{"createdAt":"2022-06-26T16:07:09.9370942Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:07:15.4451079Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"contentId":"c00ee137-7475-47c8-9cce-ec6f0f1bedd0","parentId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/alertRules/alert-rule-000003","kind":"AnalyticsRule","source":{"kind":"LocalWorkspace","name":"workspace-000002","sourceId":"ae193f3e-8cce-4c4e-9de3-bc21e9e0b6d6"},"author":{"name":"cli","email":"cli@microsoft.com"}}}' + headers: + cache-control: + - no-cache + content-length: + - '1029' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:16 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel metadata delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w 
-g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/metadata/metadata-000004?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:07:18 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_onboarding_state_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_onboarding_state_crud.yaml new file mode 100644 index 00000000000..08c46d25481 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_onboarding_state_crud.yaml 
@@ -0,0 +1,506 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-26T16:13:41Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:13:45 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"8d152db7-d055-4fd6-b9f7-b60706c9e5fc\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:13:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Sun, 26 Jun 2022 21:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:13:51 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:13:51 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:13:52 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1197' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"8d152db7-d055-4fd6-b9f7-b60706c9e5fc\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:13:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Sun, 26 Jun 2022 21:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:13:51 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:13:52 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:14:23 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"8d152db7-d055-4fd6-b9f7-b60706c9e5fc\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Sun, 26 Jun 2022 16:13:51 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Sun, 26 Jun 2022 21:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Sun, 26 Jun 2022 16:13:51 GMT\",\r\n + \ \"modifiedDate\": \"Sun, 26 Jun 2022 16:13:52 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Sun, 26 Jun 2022 16:14:24 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:14:35 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"customerManagedKey": false}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel onboarding-state create + Connection: + - keep-alive + Content-Length: + - '45' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --customer-managed-key + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 
(Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2022-06-01-preview + response: + body: + string: '{"properties":{},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default","name":"default","type":"Microsoft.SecurityInsights/onboardingStates","systemData":{"createdAt":"2022-06-26T16:14:37.3416992Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-26T16:14:37.3416992Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"}}' + headers: + cache-control: + - no-cache + content-length: + - '554' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:14:42 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '11' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel onboarding-state list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2022-06-01-preview + response: + body: + 
string: '{"value":[{"properties":{},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default","name":"default","type":"Microsoft.SecurityInsights/onboardingStates","systemData":{}}]}' + headers: + cache-control: + - no-cache + content-length: + - '344' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:14:44 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '11' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel onboarding-state show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2022-06-01-preview + response: + body: + string: '{"properties":{},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default","name":"default","type":"Microsoft.SecurityInsights/onboardingStates","systemData":{}}' + headers: + cache-control: + - no-cache + content-length: + - '332' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 
16:14:46 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-resource-requests: + - '11' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel onboarding-state delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Sun, 26 Jun 2022 16:14:50 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_threat_indicator_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_threat_indicator_crud.yaml new file mode 100644 index 00000000000..c93605245b4 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_threat_indicator_crud.yaml 
@@ -0,0 +1,516 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-27T07:18:28Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 07:18:34 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"2c620c9a-c386-4dc6-815c-fcb185bef157\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 07:18:40 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 10:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 07:18:40 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 07:18:40 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 07:18:41 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"2c620c9a-c386-4dc6-815c-fcb185bef157\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 07:18:40 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 10:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 07:18:40 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 07:18:41 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 07:19:11 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"2c620c9a-c386-4dc6-815c-fcb185bef157\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 07:18:40 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 10:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 07:18:40 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 07:18:41 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 07:19:13 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 07:19:20 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"kind": "indicator", "properties": {"confidence": 78, "createdByRef": + "contoso@contoso.com", "description": "debugging indicators", "displayName": + "new schema", "externalReferences": [], "modified": "", "pattern": "[url:value + = https://www.contoso.com]", "patternType": "url", "revoked": false, "source": + "Microsoft Sentinel", "threatIntelligenceTags": ["new schema"], "threatTypes": + ["compromised"], 
"validFrom": "2022-06-15T17:44:00.114052Z", "validUntil": ""}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel threat-indicator create + Connection: + - keep-alive + Content-Length: + - '464' + Content-Type: + - application/json + ParameterSetName: + - -w -g --source --display-name --confidence --created-by-ref --modified --pattern + --pattern-type --revoked --valid-from --valid-until --description --threat-tags + --threat-types --external-references + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: POST + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/585df01e-0bc0-37fa-7610-193cef62fbdc","name":"585df01e-0bc0-37fa-7610-193cef62fbdc","etag":"\"070071c8-0000-0100-0000-62b95a050000\"","type":"Microsoft.SecurityInsights/threatIntelligence","kind":"indicator","properties":{"confidence":78,"created":"2022-06-27T07:19:24.9097765Z","createdByRef":"contoso@contoso.com","extensions":{"sentinel-ext":{"severity":null}},"externalId":"indicator--dc179aa2-4a2e-4676-8ad8-6a46ffbc3c30","externalReferences":[],"lastUpdatedTimeUtc":"2022-06-27T07:19:28.7178067Z","revoked":false,"source":"Microsoft + Sentinel","threatIntelligenceTags":["new schema"],"displayName":"new schema","description":"debugging + 
indicators","threatTypes":["compromised"],"parsedPattern":[{"patternTypeKey":"url","patternTypeValues":[{"valueType":"url","value":"https:"}]}],"pattern":"[url:value + = https://www.contoso.com]","patternType":"url","validFrom":"2022-06-15T17:44:00.114052Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '1121' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 07:19:34 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel threat-indicator list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2022-06-01-preview + response: + body: + string: 
'{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/585df01e-0bc0-37fa-7610-193cef62fbdc","name":"585df01e-0bc0-37fa-7610-193cef62fbdc","etag":"\"070074c8-0000-0100-0000-62b95a060000\"","type":"Microsoft.SecurityInsights/threatIntelligence","kind":"indicator","properties":{"confidence":78,"created":"2022-06-27T07:19:24.9097765Z","createdByRef":"contoso@contoso.com","extensions":{"sentinel-ext":{"severity":null}},"externalId":"indicator--dc179aa2-4a2e-4676-8ad8-6a46ffbc3c30","externalReferences":[],"lastUpdatedTimeUtc":"2022-06-27T07:19:28.7178067Z","revoked":false,"source":"Microsoft + Sentinel","threatIntelligenceTags":["new schema"],"displayName":"new schema","description":"debugging + indicators","threatTypes":["compromised"],"parsedPattern":[{"patternTypeKey":"url","patternTypeValues":[{"valueType":"url","value":"https:"}]}],"pattern":"[url:value + = https://www.contoso.com]","patternType":"url","validFrom":"2022-06-15T17:44:00.114052Z"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '1133' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 07:19:34 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel threat-indicator show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/585df01e-0bc0-37fa-7610-193cef62fbdc?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/585df01e-0bc0-37fa-7610-193cef62fbdc","name":"585df01e-0bc0-37fa-7610-193cef62fbdc","etag":"\"070074c8-0000-0100-0000-62b95a060000\"","type":"Microsoft.SecurityInsights/threatIntelligence","kind":"indicator","properties":{"confidence":78,"created":"2022-06-27T07:19:24.9097765Z","createdByRef":"contoso@contoso.com","extensions":{"sentinel-ext":{"severity":null}},"externalId":"indicator--dc179aa2-4a2e-4676-8ad8-6a46ffbc3c30","externalReferences":[],"lastUpdatedTimeUtc":"2022-06-27T07:19:28.7178067Z","revoked":false,"source":"Microsoft + Sentinel","threatIntelligenceTags":["new schema"],"displayName":"new schema","description":"debugging + indicators","threatTypes":["compromised"],"parsedPattern":[{"patternTypeKey":"url","patternTypeValues":[{"valueType":"url","value":"https:"}]}],"pattern":"[url:value + = https://www.contoso.com]","patternType":"url","validFrom":"2022-06-15T17:44:00.114052Z"}}' + headers: + cache-control: + - no-cache + content-length: + - '1121' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 07:19:35 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - 
gzip, deflate + CommandName: + - sentinel threat-indicator delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/585df01e-0bc0-37fa-7610-193cef62fbdc?api-version=2022-06-01-preview + response: + body: + string: '' + headers: + cache-control: + - no-cache + content-length: + - '0' + date: + - Mon, 27 Jun 2022 07:19:36 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_watchlist_crud.yaml b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_watchlist_crud.yaml new file mode 100644 index 00000000000..92b50efb063 --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/recordings/test_sentinel_watchlist_crud.yaml 
@@ -0,0 +1,625 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-azure-mgmt-resource/21.1.0b1 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001?api-version=2021-04-01 + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001","name":"cli_test_sentinel_000001","type":"Microsoft.Resources/resourceGroups","location":"eastus2","tags":{"product":"azurecli","cause":"automation","date":"2022-06-27T04:16:21Z"},"properties":{"provisioningState":"Succeeded"}}' + headers: + cache-control: + - no-cache + content-length: + - '327' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:16:24 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "properties": {"sku": {"name": "PerGB2018"}, "retentionInDays": + 30, "workspaceCapping": {}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + Content-Length: + - '116' + Content-Type: + - application/json + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"0dcec037-e949-4430-a9f1-cd0f5838cd0e\",\r\n \"provisioningState\": \"Creating\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 04:16:31 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 06:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 04:16:31 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 04:16:31 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1075' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 04:16:32 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + 
body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics workspace create + Connection: + - keep-alive + ParameterSetName: + - -n -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"0dcec037-e949-4430-a9f1-cd0f5838cd0e\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 04:16:31 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 06:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 04:16:31 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 04:16:33 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": \"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 04:17:04 GMT + pragma: + - no-cache + request-context: + - 
appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + ParameterSetName: + - -t -w -g + User-Agent: + - AZURECLI/2.37.0 azsdk-python-mgmt-loganalytics/13.0.0b4 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002?api-version=2021-12-01-preview + response: + body: + string: "{\r\n \"properties\": {\r\n \"source\": \"Azure\",\r\n \"customerId\": + \"0dcec037-e949-4430-a9f1-cd0f5838cd0e\",\r\n \"provisioningState\": \"Succeeded\",\r\n + \ \"sku\": {\r\n \"name\": \"pergb2018\",\r\n \"lastSkuUpdate\": + \"Mon, 27 Jun 2022 04:16:31 GMT\"\r\n },\r\n \"retentionInDays\": 30,\r\n + \ \"features\": {\r\n \"legacy\": 0,\r\n \"searchVersion\": 1,\r\n + \ \"enableLogAccessUsingOnlyResourcePermissions\": true\r\n },\r\n + \ \"workspaceCapping\": {\r\n \"dailyQuotaGb\": -1.0,\r\n \"quotaNextResetTime\": + \"Mon, 27 Jun 2022 06:00:00 GMT\",\r\n \"dataIngestionStatus\": \"RespectQuota\"\r\n + \ },\r\n \"publicNetworkAccessForIngestion\": \"Enabled\",\r\n \"publicNetworkAccessForQuery\": + \"Enabled\",\r\n \"createdDate\": \"Mon, 27 Jun 2022 04:16:31 GMT\",\r\n + \ \"modifiedDate\": \"Mon, 27 Jun 2022 04:16:33 GMT\"\r\n },\r\n \"id\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/microsoft.operationalinsights/workspaces/workspace-000002\",\r\n + \ \"name\": 
\"workspace-000002\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces\",\r\n + \ \"location\": \"eastus2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + content-length: + - '1076' + content-type: + - application/json + date: + - Mon, 27 Jun 2022 04:17:07 GMT + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 200 + message: OK +- request: + body: '{"location": "eastus2", "plan": {"name": "SecurityInsights(workspace-000002)", + "publisher": "Microsoft", "promotionCode": "", "product": "OMSGallery/SecurityInsights"}, + "properties": {"workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - monitor log-analytics solution create + Connection: + - keep-alive + Content-Length: + - '370' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -t -w -g + User-Agent: + - python/3.8.10 (Windows-10-10.0.19044-SP0) msrest/0.7.0 msrest_azure/0.6.4 + azure-mgmt-operationsmanagement/0.1.0 Azure-SDK-For-Python AZURECLI/2.37.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights%28workspace-000002%29?api-version=2015-11-01-preview + response: + body: + string: "{\r\n \"plan\": {\r\n \"name\": \"SecurityInsights(workspace-000002)\",\r\n + \ \"publisher\": \"Microsoft\",\r\n \"promotionCode\": 
\"\",\r\n \"product\": + \"OMSGallery/SecurityInsights\"\r\n },\r\n \"properties\": {\r\n \"workspaceResourceId\": + \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/microsoft.OperationalInsights/workspaces/workspace-000002\",\r\n + \ \"provisioningState\": \"Succeeded\",\r\n \"creationTime\": \"Mon, + 01 Jan 0001 00:00:00 GMT\",\r\n \"sku\": {\r\n \"name\": \"PerGB\"\r\n + \ },\r\n \"lastModifiedTime\": \"Mon, 01 Jan 0001 00:00:00 GMT\",\r\n + \ \"containedResources\": []\r\n },\r\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cli_test_sentinel_000001/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(workspace-000002)\",\r\n + \ \"name\": \"SecurityInsights(workspace-000002)\",\r\n \"type\": \"Microsoft.OperationsManagement/solutions\",\r\n + \ \"location\": \"East US 2\"\r\n}" + headers: + access-control-allow-origin: + - '*' + cache-control: + - no-cache + cachecontrol: + - no-cache + content-length: + - '940' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:17 GMT + expires: + - '-1' + pragma: + - no-cache + request-context: + - appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508 + server: + - Microsoft-IIS/10.0 + strict-transport-security: + - max-age=31536000; includeSubDomains + x-ams-apiversion: + - WebAPI1.0 + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + x-powered-by: + - ASP.NET + - ASP.NET + status: + code: 201 + message: Created +- request: + body: '{"properties": {"description": "Watchlist from CSV content", "displayName": + "High Value Assets Watchlist", "itemsSearchKey": "header1", "provider": "Microsoft", + "watchlistAlias": "watchlist-000003"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist create + Connection: + - keep-alive + Content-Length: + - '199' + Content-Type: + - application/json 
+ ParameterSetName: + - -n -w -g --description --display-name --provider --items-search-key + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists/watchlist-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003","name":"watchlist-000003","etag":"\"06003b8d-0000-0100-0000-62b92f510000\"","type":"Microsoft.SecurityInsights/Watchlists","systemData":{"createdAt":"2022-06-27T04:17:18.0236043Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-27T04:17:18.0236043Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"watchlistId":"95081e9c-26e5-4022-8cfd-a00d67e29116","displayName":"High + Value Assets Watchlist","provider":"Microsoft","itemsSearchKey":"header1","created":"2022-06-27T04:17:18.0236043+00:00","updated":"2022-06-27T04:17:18.0236043+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"description":"Watchlist + from CSV content","watchlistType":"watchlist","watchlistAlias":"watchlist-000003","isDeleted":false,"labels":[],"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","numberOfLinesToSkip":0,"provisioningState":"Succeeded","sasUri":"","watchlistCategory":"General"}}' + headers: + cache-control: + - 
no-cache + content-length: + - '1421' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:21 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1198' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist list + Connection: + - keep-alive + ParameterSetName: + - -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists?api-version=2022-06-01-preview + response: + body: + string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003","name":"watchlist-000003","type":"Microsoft.SecurityInsights/Watchlists","systemData":{"createdAt":"2022-06-27T04:17:18.0236043Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-27T04:17:18.0236043Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"watchlistId":"95081e9c-26e5-4022-8cfd-a00d67e29116","displayName":"High + Value Assets 
Watchlist","provider":"Microsoft","itemsSearchKey":"header1","created":"2022-06-27T04:17:18.0236043+00:00","updated":"2022-06-27T04:17:18.0236043+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"description":"Watchlist + from CSV content","watchlistType":"watchlist","watchlistAlias":"watchlist-000003","isDeleted":false,"labels":[],"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","numberOfLinesToSkip":0,"provisioningState":"Succeeded","sasUri":"","watchlistCategory":"General"}}]}' + headers: + cache-control: + - no-cache + content-length: + - '1383' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:23 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist update + Connection: + - keep-alive + ParameterSetName: + - -n -w -g --display-name + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists/watchlist-000003?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003","name":"watchlist-000003","etag":"\"06003b8d-0000-0100-0000-62b92f510000\"","type":"Microsoft.SecurityInsights/Watchlists","systemData":{"createdAt":"2022-06-27T04:17:18.0236043Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-27T04:17:18.0236043Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"watchlistId":"95081e9c-26e5-4022-8cfd-a00d67e29116","displayName":"High + Value Assets Watchlist","provider":"Microsoft","itemsSearchKey":"header1","created":"2022-06-27T04:17:18.0236043+00:00","updated":"2022-06-27T04:17:18.0236043+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"description":"Watchlist + from CSV content","watchlistType":"watchlist","watchlistAlias":"watchlist-000003","isDeleted":false,"labels":[],"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","numberOfLinesToSkip":0,"provisioningState":"Succeeded","sasUri":"","watchlistCategory":"General"}}' + headers: + cache-control: + - no-cache + content-length: + - '1421' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:26 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: '{"etag": "\"06003b8d-0000-0100-0000-62b92f510000\"", "properties": {"created": + "2022-06-27T04:17:18.0236043+00:00", 
"createdBy": {"objectId": "f44cc02c-cec4-4b32-860a-50bdf6ab7362"}, + "description": "Watchlist from CSV content", "displayName": "New name", "isDeleted": + false, "itemsSearchKey": "header1", "labels": [], "numberOfLinesToSkip": 0, + "provider": "Microsoft", "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a", + "updated": "2022-06-27T04:17:18.0236043+00:00", "updatedBy": {"objectId": "f44cc02c-cec4-4b32-860a-50bdf6ab7362"}, + "watchlistAlias": "watchlist-000003", "watchlistId": "95081e9c-26e5-4022-8cfd-a00d67e29116", + "watchlistType": "watchlist"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist update + Connection: + - keep-alive + Content-Length: + - '659' + Content-Type: + - application/json + ParameterSetName: + - -n -w -g --display-name + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists/watchlist-000003?api-version=2022-06-01-preview + response: + body: + string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003","name":"watchlist-000003","etag":"\"0600468d-0000-0100-0000-62b92f570000\"","type":"Microsoft.SecurityInsights/Watchlists","systemData":{"createdAt":"2022-06-27T04:17:18.0236043Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-27T04:17:27.1509698Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"watchlistId":"95081e9c-26e5-4022-8cfd-a00d67e29116","displayName":"New + 
name","provider":"Microsoft","itemsSearchKey":"header1","created":"2022-06-27T04:17:18.0236043+00:00","updated":"2022-06-27T04:17:27.1509698+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"description":"Watchlist + from CSV content","watchlistType":"watchlist","watchlistAlias":"watchlist-000003","isDeleted":false,"labels":[],"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","numberOfLinesToSkip":0,"provisioningState":"Succeeded","sasUri":"","watchlistCategory":"General"}}' + headers: + cache-control: + - no-cache + content-length: + - '1402' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:28 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1197' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist show + Connection: + - keep-alive + ParameterSetName: + - -n -w -g + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists/watchlist-000003?api-version=2022-06-01-preview + response: + body: + string: 
'{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003","name":"watchlist-000003","etag":"\"0600468d-0000-0100-0000-62b92f570000\"","type":"Microsoft.SecurityInsights/Watchlists","systemData":{"createdAt":"2022-06-27T04:17:18.0236043Z","createdBy":"ethanyang@microsoft.com","createdByType":"User","lastModifiedAt":"2022-06-27T04:17:27.1509698Z","lastModifiedBy":"ethanyang@microsoft.com","lastModifiedByType":"User"},"properties":{"watchlistId":"95081e9c-26e5-4022-8cfd-a00d67e29116","displayName":"New + name","provider":"Microsoft","itemsSearchKey":"header1","created":"2022-06-27T04:17:18.0236043+00:00","updated":"2022-06-27T04:17:27.1509698+00:00","createdBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"updatedBy":{"objectId":"f44cc02c-cec4-4b32-860a-50bdf6ab7362","email":"ethanyang@microsoft.com","name":"a0965655-eecb-4c9f-8e21-2488aadf59fe"},"description":"Watchlist + from CSV content","watchlistType":"watchlist","watchlistAlias":"watchlist-000003","isDeleted":false,"labels":[],"tenantId":"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a","numberOfLinesToSkip":0,"provisioningState":"Succeeded","sasUri":"","watchlistCategory":"General"}}' + headers: + cache-control: + - no-cache + content-length: + - '1402' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:30 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate + CommandName: + - sentinel watchlist delete + Connection: + - 
keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -w -g --yes + User-Agent: + - AZURECLI/2.37.0 (AAZ) azsdk-python-core/1.24.0 Python/3.8.10 (Windows-10-10.0.19044-SP0) + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/watchlists/watchlist-000003?api-version=2022-06-01-preview + response: + body: + string: '{}' + headers: + azure-asyncoperation: + - https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_sentinel_000001/providers/Microsoft.OperationalInsights/workspaces/workspace-000002/providers/Microsoft.SecurityInsights/Watchlists/watchlist-000003/watchlistStatuses/8b22786e-1778-4f2c-933c-7dd7ece00b75?api-version=2022-06-01-preview + cache-control: + - no-cache + content-length: + - '2' + content-type: + - application/json; charset=utf-8 + date: + - Mon, 27 Jun 2022 04:17:32 GMT + expires: + - '-1' + pragma: + - no-cache + server: + - Kestrel + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +version: 1 diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_securityinsight.py b/src/securityinsight/azext_sentinel/tests/latest/test_securityinsight.py new file mode 100644 index 00000000000..9fa403bf14d --- /dev/null +++ b/src/securityinsight/azext_sentinel/tests/latest/test_securityinsight.py 
@@ -0,0 +1,531 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# -------------------------------------------------------------------------------------------- + +# pylint: disable=line-too-long +# pylint: disable=too-many-lines + +from azure.cli.testsdk import ( + ResourceGroupPreparer, + ScenarioTest +) +from azure.cli.testsdk.scenario_tests import AllowLargeResponse + + +class SentinelClientTest(ScenarioTest): + def __init__(self, method_name): + super().__init__(method_name) + self.cmd("extension add -n log-analytics-solution") + + @AllowLargeResponse(size_kb=2048) + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_alert_rule_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "alert_rule_name": self.create_random_name("alert-rule-", 16), + "template_id": "65360bb0-8986-4ade-a89d-af3cf44d28aa" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel alert-rule create -n {alert_rule_name} -w {workspace_name} -g {rg} " + "--ms-security-incident \"{{product-filter:'Microsoft Cloud App Security',display-name:testing,enabled:true}}\"", + checks=[ + self.check("name", "{alert_rule_name}"), + self.check("type", "Microsoft.SecurityInsights/alertRules") + ] + ) + + self.cmd( + "sentinel alert-rule list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("@[0].name", "{alert_rule_name}") + ] + ) + + self.cmd("sentinel alert-rule update -n {alert_rule_name} -w {workspace_name} -g {rg} --ms-security-incident display-name=tested") + self.cmd( + "sentinel alert-rule show -n {alert_rule_name} 
-w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{alert_rule_name}"), + self.check("displayName", "tested") + ] + ) + + self.cmd("sentinel alert-rule delete -n {alert_rule_name} --workspace-name {workspace_name} -g {rg} --yes") + + self.cmd("sentinel alert-rule template list -w {workspace_name} -g {rg}") + self.cmd( + "sentinel alert-rule template show -n {template_id} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{template_id}"), + self.check("kind", "Scheduled") + ] + ) + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_automation_rule_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "rule_name": self.create_random_name("rule-", 12) + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel automation-rule create -n {rule_name} -w {workspace_name} -g {rg} " + "--display-name 'High severity incidents escalation' --order 1 " + "--actions \"[{{order:1,modify-properties:{{action-configuration:{{severity:High}}}}}}]\" " + "--triggering-logic \"{{is-enabled:true,triggers-on:Incidents,triggers-when:Created}}\"", + checks=[ + self.check("name", "{rule_name}"), + self.check("type", "Microsoft.SecurityInsights/AutomationRules") + ] + ) + + self.cmd( + "sentinel automation-rule list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", "{rule_name}") + ] + ) + + self.cmd("sentinel automation-rule update -n {rule_name} -w {workspace_name} -g {rg} --display-name 'New name'") + self.cmd( + "sentinel automation-rule show -n {rule_name} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{rule_name}"), + self.check("displayName", "New name"), + self.check("type", "Microsoft.SecurityInsights/AutomationRules") + ] + ) + + self.cmd("sentinel 
automation-rule delete -n {rule_name} -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_bookmark_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "bookmark_id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "expand_id": "27f76e63-c41b-480f-bb18-12ad2e011d49", + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel bookmark create -n {bookmark_id} -w {workspace_name} -g {rg} " + "--query-content '{query}' --query-result 'Security Event query result' " + "--display-name 'My bookmark' --notes 'Found a suspicious activity' " + "--entity-mappings \"[{{entity-type:Account,field-mappings:[{{identifier:Fullname,value:johndoe@microsoft.com}}]}}]\" " + "--tactics \"[Execution]\" " + "--techniques \"[T1609]\" " + "--labels \"[Tag1,Tag2]\"", + checks=[ + self.check("name", "{bookmark_id}"), + self.check("query", "{query}") + ] + ) + + self.cmd( + "sentinel bookmark list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", "{bookmark_id}") + ] + ) + + self.cmd( + "sentinel bookmark show -n {bookmark_id} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{bookmark_id}"), + self.check("displayName", "My bookmark") + ] + ) + + self.cmd("sentinel bookmark delete -n {bookmark_id} -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_incident_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "incident_id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g 
{rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel incident create -n {incident_id} -w {workspace_name} -g {rg} " + "--classification FalsePositive --classification-reason IncorrectAlertLogic --classification-comment 'Not a malicious activity' " + "--first-activity-time-utc 2019-01-01T13:00:30Z --last-activity-time-utc 2019-01-01T13:05:30Z " + "--severity High --status Closed --title 'My incident' --description 'This is a demo incident' " + "--owner \"{{object-id:2046feea-040d-4a46-9e2b-91c2941bfa70}}\"", + checks=[ + self.check("name", "{incident_id}"), + self.check("classification", "FalsePositive") + ] + ) + + self.cmd( + "sentinel incident list -w {workspace_name} -g {rg} --orderby 'properties/createdTimeUtc desc' --top 1", + checks=[ + self.check("length(@)", "1"), + self.check("[0].name", "{incident_id}") + ] + ) + + self.cmd( + "sentinel incident show -n {incident_id} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{incident_id}"), + self.check("classification", "FalsePositive") + ] + ) + + self.cmd("sentinel incident delete -n {incident_id} -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_incident_comment_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "incident_id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "comment_id": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + self.cmd( + "sentinel incident create -n {incident_id} -w {workspace_name} -g {rg} " + "--classification FalsePositive --classification-reason IncorrectAlertLogic --classification-comment 'Not a malicious activity' " + "--first-activity-time-utc 2019-01-01T13:00:30Z 
--last-activity-time-utc 2019-01-01T13:05:30Z " + "--severity High --status Closed --title 'My incident' --description 'This is a demo incident' " + "--owner \"{{object-id:2046feea-040d-4a46-9e2b-91c2941bfa70}}\"" + ) + + self.cmd( + "sentinel incident comment create -n {comment_id} -w {workspace_name} -g {rg} --incident-id {incident_id} --message 'Some message'", + checks=[ + self.check("name", "{comment_id}"), + self.check("message", "Some message") + ] + ) + + self.cmd( + "sentinel incident comment list -w {workspace_name} -g {rg} --incident-id {incident_id}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", "{comment_id}") + ] + ) + + self.cmd("sentinel incident comment update -n {comment_id} -w {workspace_name} -g {rg} --incident-id {incident_id} --message 'Some messages'") + self.cmd( + "sentinel incident comment show -n {comment_id} -w {workspace_name} -g {rg} --incident-id {incident_id}", + checks=[ + self.check("name", "{comment_id}"), + self.check("message", "Some messages") + ] + ) + + self.cmd("sentinel incident comment delete -n {comment_id} -w {workspace_name} -g {rg} --incident-id {incident_id} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_bookmark_relation_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "relation_name": self.create_random_name("relation-", 16), + "bookmark_id": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "incident_id": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + self.cmd( + "sentinel bookmark create -n {bookmark_id} -w {workspace_name} -g {rg} " + "--query-content '{query}' --query-result 'Security Event query result' " + "--display-name 
'My bookmark' --notes 'Found a suspicious activity' " + "--entity-mappings \"[{{entity-type:Account,field-mappings:[{{identifier:Fullname,value:johndoe@microsoft.com}}]}}]\" " + "--tactics \"[Execution]\" " + "--techniques \"[T1609]\" " + "--labels \"[Tag1,Tag2]\"" + ) + self.kwargs["resource_id"] = self.cmd( + "sentinel incident create -n {incident_id} -w {workspace_name} -g {rg} " + "--classification FalsePositive --classification-reason IncorrectAlertLogic --classification-comment 'Not a malicious activity' " + "--first-activity-time-utc 2019-01-01T13:00:30Z --last-activity-time-utc 2019-01-01T13:05:30Z " + "--severity High --status Closed --title 'My incident' --description 'This is a demo incident' " + "--owner \"{{object-id:2046feea-040d-4a46-9e2b-91c2941bfa70}}\"" + ).get_output_in_json()["id"] + + self.cmd( + "sentinel bookmark relation create -n {relation_name} -w {workspace_name} -g {rg} --bookmark-id {bookmark_id} --related-resource-id {resource_id}", + checks=[ + self.check("name", "{relation_name}"), + self.check("type", "Microsoft.SecurityInsights/Bookmarks/relations") + ] + ) + + self.cmd( + "sentinel bookmark relation list -w {workspace_name} -g {rg} --bookmark-id {bookmark_id}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", "{relation_name}") + ] + ) + + self.cmd( + "sentinel bookmark relation show -n {relation_name} -w {workspace_name} -g {rg} --bookmark-id {bookmark_id}", + checks=[ + self.check("name", "{relation_name}"), + self.check("type", "Microsoft.SecurityInsights/Bookmarks/relations") + ] + ) + + self.cmd("sentinel bookmark relation delete -n {relation_name} -w {workspace_name} -g {rg} --bookmark-id {bookmark_id} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_incident_relation_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "relation_name": self.create_random_name("relation-", 16), + "bookmark_id": 
"2216d0e1-91e3-4902-89fd-d2df8c535096", + "incident_id": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + self.cmd( + "sentinel incident create -n {incident_id} -w {workspace_name} -g {rg} " + "--classification FalsePositive --classification-reason IncorrectAlertLogic --classification-comment 'Not a malicious activity' " + "--first-activity-time-utc 2019-01-01T13:00:30Z --last-activity-time-utc 2019-01-01T13:05:30Z " + "--severity High --status Closed --title 'My incident' --description 'This is a demo incident' " + "--owner \"{{object-id:2046feea-040d-4a46-9e2b-91c2941bfa70}}\"" + ) + self.kwargs["resource_id"] = self.cmd( + "sentinel bookmark create -n {bookmark_id} -w {workspace_name} -g {rg} " + "--query-content '{query}' --query-result 'Security Event query result' " + "--display-name 'My bookmark' --notes 'Found a suspicious activity' " + "--entity-mappings \"[{{entity-type:Account,field-mappings:[{{identifier:Fullname,value:johndoe@microsoft.com}}]}}]\" " + "--tactics \"[Execution]\" " + "--techniques \"[T1609]\" " + "--labels \"[Tag1,Tag2]\"" + ).get_output_in_json()["id"] + + self.cmd( + "sentinel incident relation create -n {relation_name} -w {workspace_name} -g {rg} --incident-id {incident_id} --related-resource-id {resource_id}", + checks=[ + self.check("name", "{relation_name}"), + self.check("type", "Microsoft.SecurityInsights/Incidents/relations") + ] + ) + + self.cmd( + "sentinel incident relation list -w {workspace_name} -g {rg} --incident-id {incident_id}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", "{relation_name}") + ] + ) + + self.cmd( + "sentinel incident relation show -n {relation_name} -w {workspace_name} -g {rg} --incident-id {incident_id}", + checks=[ + 
self.check("name", "{relation_name}"), + self.check("type", "Microsoft.SecurityInsights/Incidents/relations") + ] + ) + + self.cmd("sentinel incident relation delete -n {relation_name} -w {workspace_name} -g {rg} --incident-id {incident_id} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_enrichment_crud(self): + self.kwargs.update({ + "domain": "microsoft.com", + "ip_address": "1.2.3.4" + }) + + self.cmd( + "sentinel enrichment domain-whois show -g {rg} --domain {domain}", + checks=[ + self.check("domain", "{domain}") + ] + ) + + self.cmd( + "sentinel enrichment ip-geodata show -g {rg} --ip-address {ip_address}", + checks=[ + self.check("ipAddr", "{ip_address}") + ] + ) + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_metadata_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "alert_rule_name": self.create_random_name("alert-rule-", 16), + "metadata_name": self.create_random_name("metadata-", 16), + "content_id": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + self.kwargs["parent_id"] = self.cmd( + "sentinel alert-rule create -n {alert_rule_name} -w {workspace_name} -g {rg} " + "--ms-security-incident \"{{product-filter:'Microsoft Cloud App Security',display-name:testing,enabled:true}}\"" + ).get_output_in_json()["id"] + + self.cmd( + "sentinel metadata create -n {metadata_name} -w {workspace_name} -g {rg} " + "--content-id {content_id} --parent-id {parent_id} --kind AnalyticsRule", + checks=[ + self.check("name", "{metadata_name}"), + self.check("contentId", "{content_id}") + ] + ) + + self.cmd( + "sentinel metadata list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("[0].name", 
"{metadata_name}") + ] + ) + + self.cmd("sentinel metadata update -n {metadata_name} -w {workspace_name} -g {rg} --author \"{{name:cli,email:cli@microsoft.com}}\"") + self.cmd( + "sentinel metadata show -n {metadata_name} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{metadata_name}"), + self.check("author.name", "cli"), + self.check("author.email", "cli@microsoft.com") + ] + ) + + self.cmd("sentinel metadata delete -n {metadata_name} -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_onboarding_state_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16) + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel onboarding-state create -n default -w {workspace_name} -g {rg} --customer-managed-key false", + checks=[ + self.check("name", "default"), + self.check("type", "Microsoft.SecurityInsights/onboardingStates") + ] + ) + + self.cmd( + "sentinel onboarding-state list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("value[0].name", "default") + ] + ) + + self.cmd( + "sentinel onboarding-state show -n default -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "default"), + self.check("type", "Microsoft.SecurityInsights/onboardingStates") + ] + ) + + self.cmd("sentinel onboarding-state delete -n default -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_threat_indicator_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "reference": "contoso@contoso.com" + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t 
SecurityInsights -w {workspace_name} -g {rg}") + + self.kwargs["indicator_name"] = self.cmd( + "sentinel threat-indicator create -w {workspace_name} -g {rg} " + "--source 'Microsoft Sentinel' --display-name 'new schema' --confidence 78 --created-by-ref {reference} " + "--modified '' --pattern '[url:value = 'https://www.contoso.com']' --pattern-type url --revoked false " + "--valid-from 2022-06-15T17:44:00.114052Z --valid-until '' --description 'debugging indicators' " + "--threat-tags \"['new schema']\" " + "--threat-types \"[compromised]\" " + "--external-references \"[]\"", + checks=[ + self.check("createdByRef", "{reference}"), + self.check("type", "Microsoft.SecurityInsights/threatIntelligence") + ] + ).get_output_in_json()["name"] + + self.cmd( + "sentinel threat-indicator list -w {workspace_name} -g {rg}", + checks=[ + self.check("length(@)", 1), + self.check("[0].createdByRef", "{reference}") + ] + ) + + self.cmd( + "sentinel threat-indicator show -n {indicator_name} -w {workspace_name} -g {rg}", + checks=[ + self.check("name", "{indicator_name}"), + self.check("confidence", "78") + ] + ) + + self.cmd("sentinel threat-indicator delete -n {indicator_name} -w {workspace_name} -g {rg} --yes") + + @ResourceGroupPreparer(name_prefix="cli_test_sentinel_", location="eastus2") + def test_sentinel_watchlist_crud(self): + self.kwargs.update({ + "workspace_name": self.create_random_name("workspace-", 16), + "watchlist_name": self.create_random_name("watchlist-", 16) + }) + + self.cmd("monitor log-analytics workspace create -n {workspace_name} -g {rg}") + self.cmd("monitor log-analytics solution create -t SecurityInsights -w {workspace_name} -g {rg}") + + self.cmd( + "sentinel watchlist create -n {watchlist_name} -w {workspace_name} -g {rg} " + "--description 'Watchlist from CSV content' --display-name 'High Value Assets Watchlist' " + "--provider Microsoft --items-search-key header1", + checks=[ + self.check("name", "{watchlist_name}"), + self.check("type", 
"Microsoft.SecurityInsights/Watchlists")
+ ]
+ )
+
+ self.cmd(
+ "sentinel watchlist list -w {workspace_name} -g {rg}",
+ checks=[
+ self.check("length(@)", 1),
+ self.check("[0].name", "{watchlist_name}")
+ ]
+ )
+
+ self.cmd("sentinel watchlist update -n {watchlist_name} -w {workspace_name} -g {rg} --display-name 'New name'")
+ self.cmd(
+ "sentinel watchlist show -n {watchlist_name} -w {workspace_name} -g {rg}",
+ checks=[
+ self.check("name", "{watchlist_name}"),
+ self.check("displayName", "New name"),
+ self.check("type", "Microsoft.SecurityInsights/Watchlists")
+ ]
+ )
+
+ self.cmd("sentinel watchlist delete -n {watchlist_name} -w {workspace_name} -g {rg} --yes")
diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py
deleted file mode 100644
index 59aa5bcdffe..00000000000
--- a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py
+++ /dev/null
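Review bot: `SentinelClientTest.__init__` calls `super().__init__(method_name)` with no `recording_processors`, and the recordings checked in alongside this file show the consequence: the subscription id is zeroed, but the signed-in user's email (`"createdBy":"ethanyang@microsoft.com"`), AAD `objectId` and the real `tenantId` are stored verbatim in the ARM responses, which is PII and tenant-identifying data committed to a public repo. A small `RecordingProcessor` that redacts those fields before the cassette is written (sketched below; needs `import re` and `RecordingProcessor` from `azure.cli.testsdk.scenario_tests`) keeps them out, with the caveat that the watchlist update re-sends `createdBy.objectId` in its PUT body, so if the request matcher compares bodies the same scrubbing has to apply to requests too. Separately, `self.cmd("extension add -n log-analytics-solution")` in `__init__` appears to run once per collected test method, pulls an unpinned extension from the index, and — unlike the deleted `tearDown` — never removes it; installing it in `setUp` with a pinned `--version` and removing it in `tearDown` would restore the old hygiene. In `test_sentinel_threat_indicator_crud`, `--pattern '[url:value = 'https://www.contoso.com']'` nests single quotes, so after shell splitting the inner quotes are dropped and the service receives `[url:value = https://www.contoso.com]`; write it as `--pattern \"[url:value = 'https://www.contoso.com']\"` and add `self.check("pattern", "[url:value = 'https://www.contoso.com']")` so the recording proves what was sent.
```python
class _IdentityScrubber(RecordingProcessor):
    """Redact caller identity that ARM echoes back (systemData.*By, createdBy/updatedBy, tenantId) before it is recorded."""

    _EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@microsoft\.com")
    _GUID_FIELDS = re.compile(r'"(objectId|tenantId)":"[0-9a-fA-F-]{36}"')

    def process_response(self, response):
        body = response["body"]["string"]
        if body:
            text = body.decode("utf-8") if isinstance(body, bytes) else body
            text = self._EMAIL.sub("user@example.com", text)
            text = self._GUID_FIELDS.sub(r'"\1":"00000000-0000-0000-0000-000000000000"', text)
            response["body"]["string"] = text.encode("utf-8") if isinstance(body, bytes) else text
        return response


class SentinelClientTest(ScenarioTest):
    def __init__(self, method_name):
        super().__init__(method_name, recording_processors=[_IdentityScrubber()])
        # … unchanged: extension add (see note about moving it to setUp/tearDown) …
```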
@@ -1,255 +0,0 @@ -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- - -import os -from azure.cli.testsdk import ScenarioTest -from .. import try_manual, raise_if, calc_coverage -from azure.cli.testsdk import ResourceGroupPreparer -from azure.cli.testsdk.scenario_tests import AllowLargeResponse - - -TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), '..')) - - -@try_manual -class SecurityInsightsScenarioTest(ScenarioTest): - - @AllowLargeResponse() - def setUp(self): - super(SecurityInsightsScenarioTest, self).setUp() - self.cmd('extension add -n log-analytics-solution') - - def tearDown(self): - self.cmd('extension remove -n log-analytics-solution') - super(SecurityInsightsScenarioTest, self).tearDown() - - @ResourceGroupPreparer(name_prefix='clitestsentinel_myRg'[:7], key='rg', parameter_name='rg', location='westus') - @AllowLargeResponse() - def test_sentinel(self, rg): - workspace = self.create_random_name('clitestws-', 16) - self.kwargs.update({ - 'subscription_id': self.get_subscription_id(), - 'workspace': workspace, - 'rg': rg - }) - - self.cmd('monitor log-analytics workspace create -g {rg} -n {workspace} -l westus') - - self.cmd('monitor log-analytics solution create ' - '--resource-group "{rg}" ' - '--solution-type SecurityInsights ' - '--workspace {workspace} ') - - # EXAMPLE: /AlertRules/put/Creates or updates a Fusion alert rule. 
- self.cmd('sentinel alert-rule create ' - '--fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" alert-rule-template-name="f71aba3d-28fb-4' - '50b-b192-4e76a83015c8" enabled=true ' - '--resource-group "{rg}" ' - '--rule-id "myFirstFusionRule" ' - '--workspace-name {workspace}', - checks=[ - self.check('enabled', True), - self.check('kind', 'Fusion'), - self.check('name', 'myFirstFusionRule') - ]) - - # EXAMPLE: /AlertRules/put/Creates or updates a MicrosoftSecurityIncidentCreation rule. - self.cmd('sentinel alert-rule create ' - '--microsoft-security-incident-creation-alert-rule etag="260097e0-0000-0d00-0000-5d6fa88f0000" ' - 'product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true ' - '--resource-group "{rg}" ' - '--rule-id "microsoftSecurityIncidentCreationRuleExample" ' - '--workspace-name {workspace}', - checks=[ - self.check('enabled', True), - self.check('kind', 'MicrosoftSecurityIncidentCreation'), - self.check('name', 'microsoftSecurityIncidentCreationRuleExample'), - self.check('productFilter', 'Microsoft Cloud App Security'), - self.check('displayName', 'testing displayname') - ]) - - # EXAMPLE: /AlertRules/get/Get a Fusion alert rule. - self.cmd('sentinel alert-rule show ' - '--resource-group "{rg}" ' - '--rule-id "myFirstFusionRule" ' - '--workspace-name {workspace}', - checks=[ - self.check('enabled', True), - self.check('kind', 'Fusion'), - self.check('name', 'myFirstFusionRule') - ]) - - # EXAMPLE: /AlertRules/get/Get a MicrosoftSecurityIncidentCreation rule. 
- self.cmd('sentinel alert-rule show ' - '--resource-group "{rg}" ' - '--rule-id "microsoftSecurityIncidentCreationRuleExample" ' - '--workspace-name {workspace}', - checks=[ - self.check('enabled', True), - self.check('kind', 'MicrosoftSecurityIncidentCreation'), - self.check('name', 'microsoftSecurityIncidentCreationRuleExample'), - self.check('productFilter', 'Microsoft Cloud App Security'), - self.check('displayName', 'testing displayname') - ]) - - # EXAMPLE: /AlertRules/get/Get all alert rules. - self.cmd('sentinel alert-rule list ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}', - checks=[ - self.check('length(@)', 2) - ]) - - self.cmd('sentinel alert-rule delete -y ' - '--resource-group "{rg}" ' - '--rule-id "myFirstFusionRule" ' - '--workspace-name {workspace}') - - # EXAMPLE: /AlertRuleTemplates/get/Get alert rule template by Id. - self.cmd('sentinel alert-rule-template show ' - '--alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}', - checks=[ - self.check('kind', 'Scheduled'), - self.check('name', '65360bb0-8986-4ade-a89d-af3cf44d28aa') - ]) - - # EXAMPLE: /AlertRuleTemplates/get/Get all alert rule templates. - self.cmd('sentinel alert-rule-template list ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}') - - # EXAMPLE: /Bookmarks/put/Creates or updates a bookmark. 
- self.cmd('sentinel bookmark create ' - '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" ' - '--created "2019-01-01T13:15:30Z" ' - '--display-name "My bookmark" ' - '--labels "Tag1" ' - '--labels "Tag2" ' - '--notes "Found a suspicious activity" ' - '-q "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" ' - '--query-result "Security Event query result" ' - '--updated "2019-01-01T13:15:30Z" ' - '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}', - checks=[ - self.check('name', '73e01a99-5cd7-4139-a149-9f2736ff2ab5'), - self.check('query', 'SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)') - ]) - - # EXAMPLE: /Bookmarks/get/Get a bookmark. - self.cmd('sentinel bookmark show ' - '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}', - checks=[ - self.check('name', '73e01a99-5cd7-4139-a149-9f2736ff2ab5'), - self.check('query', 'SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)') - ]) - - # EXAMPLE: /Bookmarks/get/Get all bookmarks. - self.cmd('sentinel bookmark list ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}', - checks=[ - self.check('length(@)', 1), - self.check('[0].name', '73e01a99-5cd7-4139-a149-9f2736ff2ab5'), - self.check('[0].query', 'SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)') - ]) - - # EXAMPLE: /Bookmarks/delete/Delete a bookmark. - self.cmd('sentinel bookmark delete -y ' - '--bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' - '--resource-group "{rg}" ' - '--workspace-name {workspace}') - - # EXAMPLE: /Incidents/put/Creates or updates an incident. 
- self.cmd('sentinel incident create '
- '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" '
- '--description "This is a demo incident" '
- '--classification "FalsePositive" '
- '--classification-comment "Not a malicious activity" '
- '--classification-reason "IncorrectAlertLogic" '
- '--first-activity-time-utc "2019-01-01T13:00:30Z" '
- '--last-activity-time-utc "2019-01-01T13:05:30Z" '
- '--owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" '
- '--severity "High" '
- '--status "Closed" '
- '--title "title" '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}',
- checks=[
- self.check('classification', 'FalsePositive'),
- self.check('classificationReason', 'IncorrectAlertLogic'),
- self.check('classificationComment', 'Not a malicious activity'),
- self.check('severity', 'High'),
- self.check('title', 'title'),
- self.check('status', 'Closed')
- ])
-
- # EXAMPLE: /Incidents/get/Get an incident.
- self.cmd('sentinel incident show '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}',
- checks=[
- self.check('classification', 'FalsePositive'),
- self.check('classificationReason', 'IncorrectAlertLogic'),
- self.check('classificationComment', 'Not a malicious activity'),
- self.check('severity', 'High'),
- self.check('title', 'title'),
- self.check('status', 'Closed')
- ])
-
- # EXAMPLE: /IncidentComments/put/Creates an incident comment.
- self.cmd('sentinel incident-comment create '
- '--message "Some message" '
- '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}',
- checks=[
- self.check('message', 'Some message'),
- self.check('name', '4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014')
- ])
-
- # EXAMPLE: /IncidentComments/get/Get all incident comments.
- self.cmd('sentinel incident-comment list '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}',
- checks=[
- self.check('length(@)', 1),
- self.check('[0].message', 'Some message'),
- self.check('[0].name', '4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014')
- ])
-
- # EXAMPLE: /IncidentComments/get/Get an incident comment.
- self.cmd('sentinel incident-comment show '
- '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}',
- checks=[
- self.check('message', 'Some message'),
- self.check('name', '4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014')
- ])
-
- # EXAMPLE: /Incidents/delete/Delete an incident.
- self.cmd('sentinel incident delete -y '
- '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" '
- '--resource-group "{rg}" '
- '--workspace-name {workspace}')
-
- calc_coverage(__file__)
- raise_if()
diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md
deleted file mode 100644
index cb712843009..00000000000
--- a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md
+++ /dev/null
@@ -1,2 +0,0 @@
-|Scenario|Result|ErrorMessage|ErrorStack|ErrorNormalized|StartDt|EndDt|
-Coverage: 0/0
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py
deleted file mode 100644
index c9cfdc73e77..00000000000
--- a/src/securityinsight/azext_sentinel/vendored_sdks/__init__.py
+++ /dev/null
@@ -1,12 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for -# license information. -# -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is -# regenerated. -# -------------------------------------------------------------------------- - -__path__ = __import__('pkgutil').extend_path(__path__, __name__) diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py deleted file mode 100644 index adcb1a40f19..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/__init__.py +++ /dev/null @@ -1,16 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._security_insights import SecurityInsights -__all__ = ['SecurityInsights'] - -try: - from ._patch import patch_sdk # type: ignore - patch_sdk() -except ImportError: - pass diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py deleted file mode 100644 index e24ce7ef4eb..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py +++ /dev/null 
@@ -1,70 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from typing import TYPE_CHECKING - -from azure.core.configuration import Configuration -from azure.core.pipeline import policies -from azure.mgmt.core.policies import ARMHttpLoggingPolicy - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any - - from azure.core.credentials import TokenCredential - -VERSION = "unknown" - -class SecurityInsightsConfiguration(Configuration): - """Configuration for SecurityInsights. - - Note that all parameters used to create this instance are saved as instance - attributes. - - :param credential: Credential needed for the client to connect to Azure. - :type credential: ~azure.core.credentials.TokenCredential - :param subscription_id: Azure subscription ID. - :type subscription_id: str - """ - - def __init__( - self, - credential, # type: "TokenCredential" - subscription_id, # type: str - **kwargs # type: Any - ): - # type: (...) 
-> None - if credential is None: - raise ValueError("Parameter 'credential' must not be None.") - if subscription_id is None: - raise ValueError("Parameter 'subscription_id' must not be None.") - super(SecurityInsightsConfiguration, self).__init__(**kwargs) - - self.credential = credential - self.subscription_id = subscription_id - self.api_version = "2020-01-01" - self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default']) - kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION)) - self._configure(**kwargs) - - def _configure( - self, - **kwargs # type: Any - ): - # type: (...) -> None - self.user_agent_policy = kwargs.get('user_agent_policy') or policies.UserAgentPolicy(**kwargs) - self.headers_policy = kwargs.get('headers_policy') or policies.HeadersPolicy(**kwargs) - self.proxy_policy = kwargs.get('proxy_policy') or policies.ProxyPolicy(**kwargs) - self.logging_policy = kwargs.get('logging_policy') or policies.NetworkTraceLoggingPolicy(**kwargs) - self.http_logging_policy = kwargs.get('http_logging_policy') or ARMHttpLoggingPolicy(**kwargs) - self.retry_policy = kwargs.get('retry_policy') or policies.RetryPolicy(**kwargs) - self.custom_hook_policy = kwargs.get('custom_hook_policy') or policies.CustomHookPolicy(**kwargs) - self.redirect_policy = kwargs.get('redirect_policy') or policies.RedirectPolicy(**kwargs) - self.authentication_policy = kwargs.get('authentication_policy') - if self.credential and not self.authentication_policy: - self.authentication_policy = policies.BearerTokenCredentialPolicy(self.credential, *self.credential_scopes, **kwargs) diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py deleted file mode 100644 index 3f1b4e49c01..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py +++ /dev/null 
@@ -1,103 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from typing import TYPE_CHECKING - -from azure.mgmt.core import ARMPipelineClient -from msrest import Deserializer, Serializer - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Optional - - from azure.core.credentials import TokenCredential - -from ._configuration import SecurityInsightsConfiguration -from .operations import OperationOperations -from .operations import AlertRuleOperations -from .operations import ActionOperations -from .operations import AlertRuleTemplateOperations -from .operations import BookmarkOperations -from .operations import DataConnectorOperations -from .operations import IncidentOperations -from .operations import IncidentCommentOperations -from . import models - - -class SecurityInsights(object): - """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider. 
- - :ivar operation: OperationOperations operations - :vartype operation: security_insights.operations.OperationOperations - :ivar alert_rule: AlertRuleOperations operations - :vartype alert_rule: security_insights.operations.AlertRuleOperations - :ivar action: ActionOperations operations - :vartype action: security_insights.operations.ActionOperations - :ivar alert_rule_template: AlertRuleTemplateOperations operations - :vartype alert_rule_template: security_insights.operations.AlertRuleTemplateOperations - :ivar bookmark: BookmarkOperations operations - :vartype bookmark: security_insights.operations.BookmarkOperations - :ivar data_connector: DataConnectorOperations operations - :vartype data_connector: security_insights.operations.DataConnectorOperations - :ivar incident: IncidentOperations operations - :vartype incident: security_insights.operations.IncidentOperations - :ivar incident_comment: IncidentCommentOperations operations - :vartype incident_comment: security_insights.operations.IncidentCommentOperations - :param credential: Credential needed for the client to connect to Azure. - :type credential: ~azure.core.credentials.TokenCredential - :param subscription_id: Azure subscription ID. - :type subscription_id: str - :param str base_url: Service URL - """ - - def __init__( - self, - credential, # type: "TokenCredential" - subscription_id, # type: str - base_url=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) 
-> None - if not base_url: - base_url = 'https://management.azure.com' - self._config = SecurityInsightsConfiguration(credential, subscription_id, **kwargs) - self._client = ARMPipelineClient(base_url=base_url, config=self._config, **kwargs) - - client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)} - self._serialize = Serializer(client_models) - self._deserialize = Deserializer(client_models) - - self.operation = OperationOperations( - self._client, self._config, self._serialize, self._deserialize) - self.alert_rule = AlertRuleOperations( - self._client, self._config, self._serialize, self._deserialize) - self.action = ActionOperations( - self._client, self._config, self._serialize, self._deserialize) - self.alert_rule_template = AlertRuleTemplateOperations( - self._client, self._config, self._serialize, self._deserialize) - self.bookmark = BookmarkOperations( - self._client, self._config, self._serialize, self._deserialize) - self.data_connector = DataConnectorOperations( - self._client, self._config, self._serialize, self._deserialize) - self.incident = IncidentOperations( - self._client, self._config, self._serialize, self._deserialize) - self.incident_comment = IncidentCommentOperations( - self._client, self._config, self._serialize, self._deserialize) - - def close(self): - # type: () -> None - self._client.close() - - def __enter__(self): - # type: () -> SecurityInsights - self._client.__enter__() - return self - - def __exit__(self, *exc_details): - # type: (Any) -> None - self._client.__exit__(*exc_details) diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py deleted file mode 100644 index 160eb378d2f..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py +++ /dev/null 
@@ -1,66 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from typing import Any, TYPE_CHECKING - -from azure.core.configuration import Configuration -from azure.core.pipeline import policies -from azure.mgmt.core.policies import ARMHttpLoggingPolicy - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from azure.core.credentials_async import AsyncTokenCredential - -VERSION = "unknown" - -class SecurityInsightsConfiguration(Configuration): - """Configuration for SecurityInsights. - - Note that all parameters used to create this instance are saved as instance - attributes. - - :param credential: Credential needed for the client to connect to Azure. - :type credential: ~azure.core.credentials_async.AsyncTokenCredential - :param subscription_id: Azure subscription ID. 
- :type subscription_id: str - """ - - def __init__( - self, - credential: "AsyncTokenCredential", - subscription_id: str, - **kwargs: Any - ) -> None: - if credential is None: - raise ValueError("Parameter 'credential' must not be None.") - if subscription_id is None: - raise ValueError("Parameter 'subscription_id' must not be None.") - super(SecurityInsightsConfiguration, self).__init__(**kwargs) - - self.credential = credential - self.subscription_id = subscription_id - self.api_version = "2020-01-01" - self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default']) - kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION)) - self._configure(**kwargs) - - def _configure( - self, - **kwargs: Any - ) -> None: - self.user_agent_policy = kwargs.get('user_agent_policy') or policies.UserAgentPolicy(**kwargs) - self.headers_policy = kwargs.get('headers_policy') or policies.HeadersPolicy(**kwargs) - self.proxy_policy = kwargs.get('proxy_policy') or policies.ProxyPolicy(**kwargs) - self.logging_policy = kwargs.get('logging_policy') or policies.NetworkTraceLoggingPolicy(**kwargs) - self.http_logging_policy = kwargs.get('http_logging_policy') or ARMHttpLoggingPolicy(**kwargs) - self.retry_policy = kwargs.get('retry_policy') or policies.AsyncRetryPolicy(**kwargs) - self.custom_hook_policy = kwargs.get('custom_hook_policy') or policies.CustomHookPolicy(**kwargs) - self.redirect_policy = kwargs.get('redirect_policy') or policies.AsyncRedirectPolicy(**kwargs) - self.authentication_policy = kwargs.get('authentication_policy') - if self.credential and not self.authentication_policy: - self.authentication_policy = policies.AsyncBearerTokenCredentialPolicy(self.credential, *self.credential_scopes, **kwargs) 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py deleted file mode 100644 index 7eb275a24fa..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py +++ /dev/null 
@@ -1,97 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from typing import Any, Optional, TYPE_CHECKING - -from azure.mgmt.core import AsyncARMPipelineClient -from msrest import Deserializer, Serializer - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from azure.core.credentials_async import AsyncTokenCredential - -from ._configuration import SecurityInsightsConfiguration -from .operations import OperationOperations -from .operations import AlertRuleOperations -from .operations import ActionOperations -from .operations import AlertRuleTemplateOperations -from .operations import BookmarkOperations -from .operations import DataConnectorOperations -from .operations import IncidentOperations -from .operations import IncidentCommentOperations -from .. import models - - -class SecurityInsights(object): - """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider. 
- - :ivar operation: OperationOperations operations - :vartype operation: security_insights.aio.operations.OperationOperations - :ivar alert_rule: AlertRuleOperations operations - :vartype alert_rule: security_insights.aio.operations.AlertRuleOperations - :ivar action: ActionOperations operations - :vartype action: security_insights.aio.operations.ActionOperations - :ivar alert_rule_template: AlertRuleTemplateOperations operations - :vartype alert_rule_template: security_insights.aio.operations.AlertRuleTemplateOperations - :ivar bookmark: BookmarkOperations operations - :vartype bookmark: security_insights.aio.operations.BookmarkOperations - :ivar data_connector: DataConnectorOperations operations - :vartype data_connector: security_insights.aio.operations.DataConnectorOperations - :ivar incident: IncidentOperations operations - :vartype incident: security_insights.aio.operations.IncidentOperations - :ivar incident_comment: IncidentCommentOperations operations - :vartype incident_comment: security_insights.aio.operations.IncidentCommentOperations - :param credential: Credential needed for the client to connect to Azure. - :type credential: ~azure.core.credentials_async.AsyncTokenCredential - :param subscription_id: Azure subscription ID. 
- :type subscription_id: str - :param str base_url: Service URL - """ - - def __init__( - self, - credential: "AsyncTokenCredential", - subscription_id: str, - base_url: Optional[str] = None, - **kwargs: Any - ) -> None: - if not base_url: - base_url = 'https://management.azure.com' - self._config = SecurityInsightsConfiguration(credential, subscription_id, **kwargs) - self._client = AsyncARMPipelineClient(base_url=base_url, config=self._config, **kwargs) - - client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)} - self._serialize = Serializer(client_models) - self._deserialize = Deserializer(client_models) - - self.operation = OperationOperations( - self._client, self._config, self._serialize, self._deserialize) - self.alert_rule = AlertRuleOperations( - self._client, self._config, self._serialize, self._deserialize) - self.action = ActionOperations( - self._client, self._config, self._serialize, self._deserialize) - self.alert_rule_template = AlertRuleTemplateOperations( - self._client, self._config, self._serialize, self._deserialize) - self.bookmark = BookmarkOperations( - self._client, self._config, self._serialize, self._deserialize) - self.data_connector = DataConnectorOperations( - self._client, self._config, self._serialize, self._deserialize) - self.incident = IncidentOperations( - self._client, self._config, self._serialize, self._deserialize) - self.incident_comment = IncidentCommentOperations( - self._client, self._config, self._serialize, self._deserialize) - - async def close(self) -> None: - await self._client.close() - - async def __aenter__(self) -> "SecurityInsights": - await self._client.__aenter__() - return self - - async def __aexit__(self, *exc_details) -> None: - await self._client.__aexit__(*exc_details) 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py deleted file mode 100644 index 5e67996dcd4..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py +++ /dev/null @@ -1,27 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._operation_operations import OperationOperations -from ._alert_rule_operations import AlertRuleOperations -from ._action_operations import ActionOperations -from ._alert_rule_template_operations import AlertRuleTemplateOperations -from ._bookmark_operations import BookmarkOperations -from ._data_connector_operations import DataConnectorOperations -from ._incident_operations import IncidentOperations -from ._incident_comment_operations import IncidentCommentOperations - -__all__ = [ - 'OperationOperations', - 'AlertRuleOperations', - 'ActionOperations', - 'AlertRuleTemplateOperations', - 'BookmarkOperations', - 'DataConnectorOperations', - 'IncidentOperations', - 'IncidentCommentOperations', -] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py deleted file mode 100644 index 378198b2cfb..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py +++ /dev/null 
@@ -1,121 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class ActionOperations: - """ActionOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list_by_alert_rule( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - **kwargs - ) -> AsyncIterable["models.ActionsList"]: - """Gets all actions of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either ActionsList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ActionsList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list_by_alert_rule.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': 
self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('ActionsList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py deleted file mode 100644 index 89d90bb06be..00000000000 
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py +++ /dev/null 
@@ -1,535 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class AlertRuleOperations: - """AlertRuleOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name: str, - workspace_name: str, - **kwargs - ) -> AsyncIterable["models.AlertRulesList"]: - """Gets all alert rules. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRulesList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRulesList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - url = 
self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRulesList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - **kwargs - ) -> "models.AlertRule": - """Gets the alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. 
- :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('AlertRule', 
pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - async def create_or_update( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - alert_rule: "models.AlertRule", - **kwargs - ) -> "models.AlertRule": - """Creates or updates the alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param alert_rule: The alert rule. - :type alert_rule: ~security_insights.models.AlertRule - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': 
self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(alert_rule, 'AlertRule') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('AlertRule', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('AlertRule', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - async def delete( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - **kwargs - ) -> None: - """Delete the alert rule. 
- - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in 
[200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - async def get_action( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - action_id: str, - **kwargs - ) -> "models.ActionResponse": - """Gets the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 
'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore - - async def create_or_update_action( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - action_id: str, - etag: Optional[str] = None, - logic_app_resource_id: Optional[str] = None, - trigger_uri: Optional[str] = None, - **kwargs - ) -> "models.ActionResponse": - """Creates or updates the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. 
- :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct 
parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(action, 'ActionRequest') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore - - async def delete_action( - self, - resource_group_name: str, - workspace_name: str, - rule_id: str, - action_id: str, - **kwargs - ) -> None: - """Delete the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. 
- :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, 
error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py
deleted file mode 100644
index 986138cb66b..00000000000
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py
+++ /dev/null
@@ -1,180 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class AlertRuleTemplateOperations: - """AlertRuleTemplateOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name: str, - workspace_name: str, - **kwargs - ) -> AsyncIterable["models.AlertRuleTemplatesList"]: - """Gets all alert rule templates. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRuleTemplatesList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRuleTemplatesList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplatesList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', 
max_length=90, min_length=1), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRuleTemplatesList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - alert_rule_template_id: str, - **kwargs - ) -> "models.AlertRuleTemplate": - """Gets the alert rule template. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param alert_rule_template_id: Alert rule template ID. 
- :type alert_rule_template_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRuleTemplate, or the result of cls(response) - :rtype: ~security_insights.models.AlertRuleTemplate - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplate"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, 
error_format=ARMErrorFormat) - - deserialized = self._deserialize('AlertRuleTemplate', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}'} # type: ignore
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py
deleted file mode 100644
index 6cd59a2dc8c..00000000000
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py
+++ /dev/null
@@ -1,345 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -import datetime -from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class BookmarkOperations: - """BookmarkOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name: str, - workspace_name: str, - **kwargs - ) -> AsyncIterable["models.BookmarkList"]: - """Gets all bookmarks. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either BookmarkList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.BookmarkList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - url = 
self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('BookmarkList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - bookmark_id: str, - **kwargs - ) -> "models.Bookmark": - """Gets a bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. 
- :type bookmark_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('Bookmark', 
pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore - - async def create_or_update( - self, - resource_group_name: str, - workspace_name: str, - bookmark_id: str, - etag: Optional[str] = None, - created: Optional[datetime.datetime] = None, - display_name: Optional[str] = None, - labels: Optional[List[str]] = None, - notes: Optional[str] = None, - query: Optional[str] = None, - query_result: Optional[str] = None, - updated: Optional[datetime.datetime] = None, - incident_info: Optional["models.IncidentInfo"] = None, - object_id: Optional[str] = None, - **kwargs - ) -> "models.Bookmark": - """Creates or updates the bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. 
- :type incident_info: ~security_insights.models.IncidentInfo - :param object_id: The object id of the user. - :type object_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - 
header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(bookmark, 'Bookmark') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('Bookmark', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('Bookmark', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore - - async def delete( - self, - resource_group_name: str, - workspace_name: str, - bookmark_id: str, - **kwargs - ) -> None: - """Delete the bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. 
- :type bookmark_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': 
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py deleted file mode 100644 index 9f83b3170a9..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py +++ /dev/null 
@@ -1,315 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class DataConnectorOperations: - """DataConnectorOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name: str, - workspace_name: str, - **kwargs - ) -> AsyncIterable["models.DataConnectorList"]: - """Gets all data connectors. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either DataConnectorList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.DataConnectorList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - 
url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('DataConnectorList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - data_connector_id: str, - **kwargs - ) -> "models.DataConnector": - """Gets a data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. 
- :type data_connector_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - 
deserialized = self._deserialize('DataConnector', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore - - async def create_or_update( - self, - resource_group_name: str, - workspace_name: str, - data_connector_id: str, - data_connector: "models.DataConnector", - **kwargs - ) -> "models.DataConnector": - """Creates or updates the data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str - :param data_connector: The data connector. 
- :type data_connector: ~security_insights.models.DataConnector - :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(data_connector, 'DataConnector') - body_content_kwargs['content'] = body_content - request = self._client.put(url, 
query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('DataConnector', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('DataConnector', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore - - async def delete( - self, - resource_group_name: str, - workspace_name: str, - data_connector_id: str, - **kwargs - ) -> None: - """Delete the data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. 
- :type data_connector_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - 
delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py deleted file mode 100644 index cc2b8403fc1..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py +++ /dev/null 
@@ -1,287 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class IncidentCommentOperations: - """IncidentCommentOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list_by_incident( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - filter: Optional[str] = None, - orderby: Optional[str] = None, - top: Optional[int] = None, - skip_token: Optional[str] = None, - **kwargs - ) -> AsyncIterable["models.IncidentCommentList"]: - """Gets all incident comments. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param filter: Filters the results, based on a Boolean condition. Optional. - :type filter: str - :param orderby: Sorts the results. Optional. - :type orderby: str - :param top: Returns only the first n results. Optional. - :type top: int - :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If - a previous response contains a nextLink element, the value of the nextLink element will include - a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
- :type skip_token: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentCommentList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentCommentList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentCommentList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list_by_incident.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - if filter is not None: - query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') - if orderby is not None: - query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') - if top is not None: - query_parameters['$top'] = 
self._serialize.query("top", top, 'int') - if skip_token is not None: - query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentCommentList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list_by_incident.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - incident_comment_id: str, - **kwargs - ) -> "models.IncidentComment": - """Gets an incident comment. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param incident_comment_id: Incident comment ID. 
- :type incident_comment_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: IncidentComment, or the result of cls(response) - :rtype: ~security_insights.models.IncidentComment - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) 
- raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('IncidentComment', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore - - async def create_comment( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - incident_comment_id: str, - message: Optional[str] = None, - **kwargs - ) -> "models.IncidentComment": - """Creates the incident comment. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param incident_comment_id: Incident comment ID. - :type incident_comment_id: str - :param message: The comment message. 
- :type message: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: IncidentComment, or the result of cls(response) - :rtype: ~security_insights.models.IncidentComment - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - incident_comment = models.IncidentComment(message=message) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_comment.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident_comment, 
'IncidentComment') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('IncidentComment', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py deleted file mode 100644 index 8efc09e2788..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py +++ /dev/null 
@@ -1,373 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -import datetime -from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class IncidentOperations: - """IncidentOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name: str, - workspace_name: str, - filter: Optional[str] = None, - orderby: Optional[str] = None, - top: Optional[int] = None, - skip_token: Optional[str] = None, - **kwargs - ) -> AsyncIterable["models.IncidentList"]: - """Gets all incidents. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param filter: Filters the results, based on a Boolean condition. Optional. - :type filter: str - :param orderby: Sorts the results. Optional. - :type orderby: str - :param top: Returns only the first n results. Optional. - :type top: int - :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If - a previous response contains a nextLink element, the value of the nextLink element will include - a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
- :type skip_token: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - if filter is not None: - query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') - if orderby is not None: - query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') - if top is not None: - query_parameters['$top'] = self._serialize.query("top", top, 'int') - if skip_token is not None: - query_parameters['$skipToken'] = 
self._serialize.query("skip_token", skip_token, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore - - async def get( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - **kwargs - ) -> "models.Incident": - """Gets an incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. 
- :type incident_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('Incident', 
pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - - async def create_or_update( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - etag: Optional[str] = None, - classification: Optional[Union[str, "models.IncidentClassification"]] = None, - classification_comment: Optional[str] = None, - classification_reason: Optional[Union[str, "models.IncidentClassificationReason"]] = None, - description: Optional[str] = None, - first_activity_time_utc: Optional[datetime.datetime] = None, - labels: Optional[List["models.IncidentLabel"]] = None, - last_activity_time_utc: Optional[datetime.datetime] = None, - owner: Optional["models.IncidentOwnerInfo"] = None, - severity: Optional[Union[str, "models.IncidentSeverity"]] = None, - status: Optional[Union[str, "models.IncidentStatus"]] = None, - title: Optional[str] = None, - **kwargs - ) -> "models.Incident": - """Creates or updates the incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param classification: The reason the incident was closed. - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. 
- :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :param severity: The severity of the incident. - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. - :type title: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: 
ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident, 'Incident') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('Incident', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('Incident', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': 
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - - async def delete( - self, - resource_group_name: str, - workspace_name: str, - incident_id: str, - **kwargs - ) -> None: - """Delete the incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct 
headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py deleted file mode 100644 index d8d19921e5c..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py +++ /dev/null 
@@ -1,104 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar -import warnings - -from azure.core.async_paging import AsyncItemPaged, AsyncList -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest -from azure.mgmt.core.exceptions import ARMErrorFormat - -from ... import models - -T = TypeVar('T') -ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] - -class OperationOperations: - """OperationOperations async operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer) -> None: - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - **kwargs - ) -> AsyncIterable["models.OperationsList"]: - """Lists all operations available Azure Security Insights Resource Provider. - - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either OperationsList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.OperationsList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.OperationsList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - async def extract_data(pipeline_response): - deserialized = self._deserialize('OperationsList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, AsyncList(list_of_elem) - - async def get_next(next_link=None): - request = 
prepare_request(next_link) - - pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return AsyncItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/providers/Microsoft.SecurityInsights/operations'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py deleted file mode 100644 index d50534763d7..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py +++ /dev/null 
@@ -1,245 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -try: - from ._models_py3 import AADDataConnector - from ._models_py3 import AATPDataConnector - from ._models_py3 import ASCDataConnector - from ._models_py3 import ASCDataConnectorProperties - from ._models_py3 import ActionPropertiesBase - from ._models_py3 import ActionRequest - from ._models_py3 import ActionRequestProperties - from ._models_py3 import ActionResponse - from ._models_py3 import ActionResponseProperties - from ._models_py3 import ActionsList - from ._models_py3 import AlertRule - from ._models_py3 import AlertRuleTemplate - from ._models_py3 import AlertRuleTemplateDataSource - from ._models_py3 import AlertRuleTemplatesList - from ._models_py3 import AlertRulesList - from ._models_py3 import AlertsDataTypeOfDataConnector - from ._models_py3 import AwsCloudTrailDataConnector - from ._models_py3 import AwsCloudTrailDataConnectorDataTypesLogs - from ._models_py3 import Bookmark - from ._models_py3 import BookmarkList - from ._models_py3 import ClientInfo - from ._models_py3 import DataConnector - from ._models_py3 import DataConnectorDataTypeCommon - from ._models_py3 import DataConnectorList - from ._models_py3 import DataConnectorTenantId - from ._models_py3 import DataConnectorWithAlertsProperties - from ._models_py3 import ErrorAdditionalInfo - from ._models_py3 import ErrorResponse - from ._models_py3 import FusionAlertRule - from ._models_py3 import FusionAlertRuleTemplate - from ._models_py3 import Incident - from ._models_py3 import IncidentAdditionalData 
- from ._models_py3 import IncidentComment - from ._models_py3 import IncidentCommentList - from ._models_py3 import IncidentInfo - from ._models_py3 import IncidentLabel - from ._models_py3 import IncidentList - from ._models_py3 import IncidentOwnerInfo - from ._models_py3 import MCASDataConnector - from ._models_py3 import MCASDataConnectorDataTypes - from ._models_py3 import MDATPDataConnector - from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRule - from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties - from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleProperties - from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleTemplate - from ._models_py3 import OfficeConsent - from ._models_py3 import OfficeConsentList - from ._models_py3 import OfficeDataConnector - from ._models_py3 import OfficeDataConnectorDataTypesExchange - from ._models_py3 import OfficeDataConnectorDataTypesSharePoint - from ._models_py3 import Operation - from ._models_py3 import OperationDisplay - from ._models_py3 import OperationsList - from ._models_py3 import Resource - from ._models_py3 import ResourceWithEtag - from ._models_py3 import ScheduledAlertRule - from ._models_py3 import ScheduledAlertRuleCommonProperties - from ._models_py3 import ScheduledAlertRuleProperties - from ._models_py3 import ScheduledAlertRuleTemplate - from ._models_py3 import Settings - from ._models_py3 import TIDataConnector - from ._models_py3 import TIDataConnectorDataTypesIndicators - from ._models_py3 import ThreatIntelligence - from ._models_py3 import ToggleSettings - from ._models_py3 import UebaSettings -except (SyntaxError, ImportError): - from ._models import AADDataConnector # type: ignore - from ._models import AATPDataConnector # type: ignore - from ._models import ASCDataConnector # type: ignore - from ._models import ASCDataConnectorProperties # type: ignore - from ._models import ActionPropertiesBase # type: ignore - 
from ._models import ActionRequest # type: ignore - from ._models import ActionRequestProperties # type: ignore - from ._models import ActionResponse # type: ignore - from ._models import ActionResponseProperties # type: ignore - from ._models import ActionsList # type: ignore - from ._models import AlertRule # type: ignore - from ._models import AlertRuleTemplate # type: ignore - from ._models import AlertRuleTemplateDataSource # type: ignore - from ._models import AlertRuleTemplatesList # type: ignore - from ._models import AlertRulesList # type: ignore - from ._models import AlertsDataTypeOfDataConnector # type: ignore - from ._models import AwsCloudTrailDataConnector # type: ignore - from ._models import AwsCloudTrailDataConnectorDataTypesLogs # type: ignore - from ._models import Bookmark # type: ignore - from ._models import BookmarkList # type: ignore - from ._models import ClientInfo # type: ignore - from ._models import DataConnector # type: ignore - from ._models import DataConnectorDataTypeCommon # type: ignore - from ._models import DataConnectorList # type: ignore - from ._models import DataConnectorTenantId # type: ignore - from ._models import DataConnectorWithAlertsProperties # type: ignore - from ._models import ErrorAdditionalInfo # type: ignore - from ._models import ErrorResponse # type: ignore - from ._models import FusionAlertRule # type: ignore - from ._models import FusionAlertRuleTemplate # type: ignore - from ._models import Incident # type: ignore - from ._models import IncidentAdditionalData # type: ignore - from ._models import IncidentComment # type: ignore - from ._models import IncidentCommentList # type: ignore - from ._models import IncidentInfo # type: ignore - from ._models import IncidentLabel # type: ignore - from ._models import IncidentList # type: ignore - from ._models import IncidentOwnerInfo # type: ignore - from ._models import MCASDataConnector # type: ignore - from ._models import MCASDataConnectorDataTypes # type: 
ignore - from ._models import MDATPDataConnector # type: ignore - from ._models import MicrosoftSecurityIncidentCreationAlertRule # type: ignore - from ._models import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties # type: ignore - from ._models import MicrosoftSecurityIncidentCreationAlertRuleProperties # type: ignore - from ._models import MicrosoftSecurityIncidentCreationAlertRuleTemplate # type: ignore - from ._models import OfficeConsent # type: ignore - from ._models import OfficeConsentList # type: ignore - from ._models import OfficeDataConnector # type: ignore - from ._models import OfficeDataConnectorDataTypesExchange # type: ignore - from ._models import OfficeDataConnectorDataTypesSharePoint # type: ignore - from ._models import Operation # type: ignore - from ._models import OperationDisplay # type: ignore - from ._models import OperationsList # type: ignore - from ._models import Resource # type: ignore - from ._models import ResourceWithEtag # type: ignore - from ._models import ScheduledAlertRule # type: ignore - from ._models import ScheduledAlertRuleCommonProperties # type: ignore - from ._models import ScheduledAlertRuleProperties # type: ignore - from ._models import ScheduledAlertRuleTemplate # type: ignore - from ._models import Settings # type: ignore - from ._models import TIDataConnector # type: ignore - from ._models import TIDataConnectorDataTypesIndicators # type: ignore - from ._models import ThreatIntelligence # type: ignore - from ._models import ToggleSettings # type: ignore - from ._models import UebaSettings # type: ignore - -from ._security_insights_enums import ( - AlertRuleKind, - AlertSeverity, - AttackTactic, - CaseSeverity, - DataConnectorKind, - DataTypeState, - IncidentClassification, - IncidentClassificationReason, - IncidentLabelType, - IncidentSeverity, - IncidentStatus, - LicenseStatus, - MicrosoftSecurityProductName, - SettingKind, - StatusInMCAS, - TemplateStatus, - TriggerOperator, -) - -__all__ = [ - 
'AADDataConnector', - 'AATPDataConnector', - 'ASCDataConnector', - 'ASCDataConnectorProperties', - 'ActionPropertiesBase', - 'ActionRequest', - 'ActionRequestProperties', - 'ActionResponse', - 'ActionResponseProperties', - 'ActionsList', - 'AlertRule', - 'AlertRuleTemplate', - 'AlertRuleTemplateDataSource', - 'AlertRuleTemplatesList', - 'AlertRulesList', - 'AlertsDataTypeOfDataConnector', - 'AwsCloudTrailDataConnector', - 'AwsCloudTrailDataConnectorDataTypesLogs', - 'Bookmark', - 'BookmarkList', - 'ClientInfo', - 'DataConnector', - 'DataConnectorDataTypeCommon', - 'DataConnectorList', - 'DataConnectorTenantId', - 'DataConnectorWithAlertsProperties', - 'ErrorAdditionalInfo', - 'ErrorResponse', - 'FusionAlertRule', - 'FusionAlertRuleTemplate', - 'Incident', - 'IncidentAdditionalData', - 'IncidentComment', - 'IncidentCommentList', - 'IncidentInfo', - 'IncidentLabel', - 'IncidentList', - 'IncidentOwnerInfo', - 'MCASDataConnector', - 'MCASDataConnectorDataTypes', - 'MDATPDataConnector', - 'MicrosoftSecurityIncidentCreationAlertRule', - 'MicrosoftSecurityIncidentCreationAlertRuleCommonProperties', - 'MicrosoftSecurityIncidentCreationAlertRuleProperties', - 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', - 'OfficeConsent', - 'OfficeConsentList', - 'OfficeDataConnector', - 'OfficeDataConnectorDataTypesExchange', - 'OfficeDataConnectorDataTypesSharePoint', - 'Operation', - 'OperationDisplay', - 'OperationsList', - 'Resource', - 'ResourceWithEtag', - 'ScheduledAlertRule', - 'ScheduledAlertRuleCommonProperties', - 'ScheduledAlertRuleProperties', - 'ScheduledAlertRuleTemplate', - 'Settings', - 'TIDataConnector', - 'TIDataConnectorDataTypesIndicators', - 'ThreatIntelligence', - 'ToggleSettings', - 'UebaSettings', - 'AlertRuleKind', - 'AlertSeverity', - 'AttackTactic', - 'CaseSeverity', - 'DataConnectorKind', - 'DataTypeState', - 'IncidentClassification', - 'IncidentClassificationReason', - 'IncidentLabelType', - 'IncidentSeverity', - 'IncidentStatus', - 'LicenseStatus', - 
'MicrosoftSecurityProductName', - 'SettingKind', - 'StatusInMCAS', - 'TemplateStatus', - 'TriggerOperator', -] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py deleted file mode 100644 index f8a2cf69674..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py +++ /dev/null 
@@ -1,2922 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -import msrest.serialization - - -class ResourceWithEtag(msrest.serialization.Model): - """An azure resource object with an Etag property. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ResourceWithEtag, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None - self.etag = kwargs.get('etag', None) - - -class DataConnector(ResourceWithEtag): - """Data connector. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. 
- :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'} - } - - def __init__( - self, - **kwargs - ): - super(DataConnector, self).__init__(**kwargs) - self.kind = 'DataConnector' # type: str - - -class AADDataConnector(DataConnector): - """Represents AAD (Azure Active Directory) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. 
- :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AADDataConnector, self).__init__(**kwargs) - self.kind = 'AzureActiveDirectory' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) - - -class AATPDataConnector(DataConnector): - """Represents AATP (Azure Advanced Threat Protection) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. 
- :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AATPDataConnector, self).__init__(**kwargs) - self.kind = 'AzureAdvancedThreatProtection' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) - - -class ActionPropertiesBase(msrest.serialization.Model): - """Action property bag base. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. 
- :type logic_app_resource_id: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionPropertiesBase, self).__init__(**kwargs) - self.logic_app_resource_id = kwargs['logic_app_resource_id'] - - -class ActionRequest(ResourceWithEtag): - """Action for alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, - 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionRequest, self).__init__(**kwargs) - self.logic_app_resource_id = kwargs.get('logic_app_resource_id', None) - self.trigger_uri = kwargs.get('trigger_uri', None) - - -class ActionRequestProperties(ActionPropertiesBase): - """Action property bag. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. 
Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - 'trigger_uri': {'key': 'triggerUri', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionRequestProperties, self).__init__(**kwargs) - self.trigger_uri = kwargs.get('trigger_uri', None) - - -class Resource(msrest.serialization.Model): - """An azure resource object. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Resource, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None - - -class ActionResponse(Resource): - """Action for alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the action. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. 
- :type logic_app_resource_id: str - :param workflow_id: The name of the logic app's workflow. - :type workflow_id: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, - 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionResponse, self).__init__(**kwargs) - self.etag = kwargs.get('etag', None) - self.logic_app_resource_id = kwargs.get('logic_app_resource_id', None) - self.workflow_id = kwargs.get('workflow_id', None) - - -class ActionResponseProperties(ActionPropertiesBase): - """Action property bag. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param workflow_id: The name of the logic app's workflow. - :type workflow_id: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - 'workflow_id': {'key': 'workflowId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionResponseProperties, self).__init__(**kwargs) - self.workflow_id = kwargs.get('workflow_id', None) - - -class ActionsList(msrest.serialization.Model): - """List all the actions. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of actions. 
- :vartype next_link: str - :param value: Required. Array of actions. - :type value: list[~security_insights.models.ActionResponse] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[ActionResponse]'}, - } - - def __init__( - self, - **kwargs - ): - super(ActionsList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class AlertRule(ResourceWithEtag): - """Alert rule. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: FusionAlertRule, MicrosoftSecurityIncidentCreationAlertRule, ScheduledAlertRule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". 
- :type kind: str or ~security_insights.models.AlertRuleKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'Fusion': 'FusionAlertRule', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRule', 'Scheduled': 'ScheduledAlertRule'} - } - - def __init__( - self, - **kwargs - ): - super(AlertRule, self).__init__(**kwargs) - self.kind = 'AlertRule' # type: str - - -class AlertRulesList(msrest.serialization.Model): - """List all the alert rules. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of alert rules. - :vartype next_link: str - :param value: Required. Array of alert rules. - :type value: list[~security_insights.models.AlertRule] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[AlertRule]'}, - } - - def __init__( - self, - **kwargs - ): - super(AlertRulesList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class AlertRuleTemplate(Resource): - """Alert rule template. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: FusionAlertRuleTemplate, MicrosoftSecurityIncidentCreationAlertRuleTemplate, ScheduledAlertRuleTemplate. - - Variables are only populated by the server, and will be ignored when sending a request. 
- - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'Fusion': 'FusionAlertRuleTemplate', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', 'Scheduled': 'ScheduledAlertRuleTemplate'} - } - - def __init__( - self, - **kwargs - ): - super(AlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'AlertRuleTemplate' # type: str - - -class AlertRuleTemplateDataSource(msrest.serialization.Model): - """alert rule template data sources. - - :param connector_id: The connector id that provides the following data types. - :type connector_id: str - :param data_types: The data types used by the alert rule template. - :type data_types: list[str] - """ - - _attribute_map = { - 'connector_id': {'key': 'connectorId', 'type': 'str'}, - 'data_types': {'key': 'dataTypes', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(AlertRuleTemplateDataSource, self).__init__(**kwargs) - self.connector_id = kwargs.get('connector_id', None) - self.data_types = kwargs.get('data_types', None) - - -class AlertRuleTemplatesList(msrest.serialization.Model): - """List all the alert rule templates. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of alert rule templates. - :vartype next_link: str - :param value: Required. Array of alert rule templates. - :type value: list[~security_insights.models.AlertRuleTemplate] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[AlertRuleTemplate]'}, - } - - def __init__( - self, - **kwargs - ): - super(AlertRuleTemplatesList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class AlertsDataTypeOfDataConnector(msrest.serialization.Model): - """Alerts data type for data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs) - self.state = kwargs.get('state', None) - - -class ASCDataConnector(DataConnector): - """Represents ASC (Azure Security Center) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. 
Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ASCDataConnector, self).__init__(**kwargs) - self.kind = 'AzureSecurityCenter' # type: str - self.subscription_id = kwargs.get('subscription_id', None) - self.state = kwargs.get('state', None) - - -class DataConnectorWithAlertsProperties(msrest.serialization.Model): - """Data connector properties. - - :param data_types: The available data types for the connector. 
- :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - """ - - _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - } - - def __init__( - self, - **kwargs - ): - super(DataConnectorWithAlertsProperties, self).__init__(**kwargs) - self.data_types = kwargs.get('data_types', None) - - -class ASCDataConnectorProperties(DataConnectorWithAlertsProperties): - """ASC (Azure Security Center) data connector properties. - - :param data_types: The available data types for the connector. - :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - """ - - _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ASCDataConnectorProperties, self).__init__(**kwargs) - self.subscription_id = kwargs.get('subscription_id', None) - - -class AwsCloudTrailDataConnector(DataConnector): - """Represents Amazon Web Services CloudTrail data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". 
- :type kind: str or ~security_insights.models.DataConnectorKind - :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access - the Aws account. - :type aws_role_arn: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'}, - 'state': {'key': 'dataTypes.logs.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AwsCloudTrailDataConnector, self).__init__(**kwargs) - self.kind = 'AmazonWebServicesCloudTrail' # type: str - self.aws_role_arn = kwargs.get('aws_role_arn', None) - self.state = kwargs.get('state', None) - - -class DataConnectorDataTypeCommon(msrest.serialization.Model): - """Common field for data type in data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(DataConnectorDataTypeCommon, self).__init__(**kwargs) - self.state = kwargs.get('state', None) - - -class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon): - """Logs data type. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(**kwargs) - - -class Bookmark(ResourceWithEtag): - """Represents a bookmark in Azure Security Insights. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :ivar email_updated_by_email: The email of the user. - :vartype email_updated_by_email: str - :ivar name_updated_by_name: The name of the user. - :vartype name_updated_by_name: str - :param object_id_updated_by_object_id: The object id of the user. - :type object_id_updated_by_object_id: str - :ivar email_created_by_email: The email of the user. - :vartype email_created_by_email: str - :ivar name_created_by_name: The name of the user. - :vartype name_created_by_name: str - :param object_id_created_by_object_id: The object id of the user. 
- :type object_id_created_by_object_id: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'email_updated_by_email': {'readonly': True}, - 'name_updated_by_name': {'readonly': True}, - 'email_created_by_email': {'readonly': True}, - 'name_created_by_name': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'created': {'key': 'properties.created', 'type': 'iso-8601'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'labels': {'key': 'properties.labels', 'type': '[str]'}, - 'notes': {'key': 'properties.notes', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, - 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, - 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, - 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'}, - 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'}, - 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'}, - 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'}, - 'name_created_by_name': {'key': 'createdBy.name', 'type': 'str'}, - 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Bookmark, self).__init__(**kwargs) - self.created = kwargs.get('created', None) - self.display_name = kwargs.get('display_name', None) - self.labels = kwargs.get('labels', None) - self.notes = kwargs.get('notes', None) - self.query = kwargs.get('query', None) - self.query_result = kwargs.get('query_result', None) - self.updated = kwargs.get('updated', None) - self.incident_info = kwargs.get('incident_info', None) - self.email_updated_by_email = None 
- self.name_updated_by_name = None - self.object_id_updated_by_object_id = kwargs.get('object_id_updated_by_object_id', None) - self.email_created_by_email = None - self.name_created_by_name = None - self.object_id_created_by_object_id = kwargs.get('object_id_created_by_object_id', None) - - -class BookmarkList(msrest.serialization.Model): - """List all the bookmarks. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of cases. - :vartype next_link: str - :param value: Required. Array of bookmarks. - :type value: list[~security_insights.models.Bookmark] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Bookmark]'}, - } - - def __init__( - self, - **kwargs - ): - super(BookmarkList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class ClientInfo(msrest.serialization.Model): - """Information on the client (user or application) that made some action. - - :param email: The email of the client. - :type email: str - :param name: The name of the client. - :type name: str - :param object_id: The object id of the client. - :type object_id: str - :param user_principal_name: The user principal name of the client. 
- :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ClientInfo, self).__init__(**kwargs) - self.email = kwargs.get('email', None) - self.name = kwargs.get('name', None) - self.object_id = kwargs.get('object_id', None) - self.user_principal_name = kwargs.get('user_principal_name', None) - - -class DataConnectorList(msrest.serialization.Model): - """List all the data connectors. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of data connectors. - :vartype next_link: str - :param value: Required. Array of data connectors. - :type value: list[~security_insights.models.DataConnector] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[DataConnector]'}, - } - - def __init__( - self, - **kwargs - ): - super(DataConnectorList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class DataConnectorTenantId(msrest.serialization.Model): - """Properties data connector on tenant level. - - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - """ - - _attribute_map = { - 'tenant_id': {'key': 'tenantId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(DataConnectorTenantId, self).__init__(**kwargs) - self.tenant_id = kwargs.get('tenant_id', None) - - -class ErrorAdditionalInfo(msrest.serialization.Model): - """The resource management error additional info. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar type: The additional info type. - :vartype type: str - :ivar info: The additional info. - :vartype info: object - """ - - _validation = { - 'type': {'readonly': True}, - 'info': {'readonly': True}, - } - - _attribute_map = { - 'type': {'key': 'type', 'type': 'str'}, - 'info': {'key': 'info', 'type': 'object'}, - } - - def __init__( - self, - **kwargs - ): - super(ErrorAdditionalInfo, self).__init__(**kwargs) - self.type = None - self.info = None - - -class ErrorResponse(msrest.serialization.Model): - """The resource management error response. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar code: The error code. - :vartype code: str - :ivar message: The error message. - :vartype message: str - :ivar target: The error target. - :vartype target: str - :ivar details: The error details. - :vartype details: list[~security_insights.models.ErrorResponse] - :ivar additional_info: The error additional info. - :vartype additional_info: list[~security_insights.models.ErrorAdditionalInfo] - """ - - _validation = { - 'code': {'readonly': True}, - 'message': {'readonly': True}, - 'target': {'readonly': True}, - 'details': {'readonly': True}, - 'additional_info': {'readonly': True}, - } - - _attribute_map = { - 'code': {'key': 'code', 'type': 'str'}, - 'message': {'key': 'message', 'type': 'str'}, - 'target': {'key': 'target', 'type': 'str'}, - 'details': {'key': 'details', 'type': '[ErrorResponse]'}, - 'additional_info': {'key': 'additionalInfo', 'type': '[ErrorAdditionalInfo]'}, - } - - def __init__( - self, - **kwargs - ): - super(ErrorResponse, self).__init__(**kwargs) - self.code = None - self.message = None - self.target = None - self.details = None - self.additional_info = None - - -class FusionAlertRule(AlertRule): - """Represents Fusion alert rule. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :ivar description: The description of the alert rule. - :vartype description: str - :ivar display_name: The display name for alerts created by this alert rule. - :vartype display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime - :ivar severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :vartype severity: str or ~security_insights.models.AlertSeverity - :ivar tactics: The tactics of the alert rule. 
- :vartype tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'description': {'readonly': True}, - 'display_name': {'readonly': True}, - 'last_modified_utc': {'readonly': True}, - 'severity': {'readonly': True}, - 'tactics': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(FusionAlertRule, self).__init__(**kwargs) - self.kind = 'Fusion' # type: str - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = None - self.display_name = None - self.enabled = kwargs.get('enabled', None) - self.last_modified_utc = None - self.severity = None - self.tactics = None - - -class FusionAlertRuleTemplate(AlertRuleTemplate): - """Represents Fusion alert rule template. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. 
The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param tactics: The tactics of the alert rule template. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(FusionAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Fusion' # type: str - self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) - self.created_date_utc = None - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.required_data_connectors = kwargs.get('required_data_connectors', None) - self.status = kwargs.get('status', None) - self.severity = kwargs.get('severity', None) - self.tactics = kwargs.get('tactics', None) - - -class Incident(ResourceWithEtag): - """Represents an incident in Azure Security Insights. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. 
- :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :ivar additional_data: Additional data on the incident. - :vartype additional_data: ~security_insights.models.IncidentAdditionalData - :param classification: The reason the incident was closed. Possible values include: - "Undetermined", "TruePositive", "BenignPositive", "FalsePositive". - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. Possible - values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic", - "InaccurateData". - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :ivar created_time_utc: The time the incident was created. - :vartype created_time_utc: ~datetime.datetime - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :ivar incident_url: The deep-link url to the incident in Azure portal. - :vartype incident_url: str - :ivar incident_number: A sequential number. - :vartype incident_number: int - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :ivar last_modified_time_utc: The last time the incident was updated. - :vartype last_modified_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :ivar related_analytic_rule_ids: List of resource ids of Analytic rules related to the - incident. 
- :vartype related_analytic_rule_ids: list[str] - :param severity: The severity of the incident. Possible values include: "High", "Medium", - "Low", "Informational". - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. Possible values include: "New", "Active", "Closed". - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. - :type title: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'additional_data': {'readonly': True}, - 'created_time_utc': {'readonly': True}, - 'incident_url': {'readonly': True}, - 'incident_number': {'readonly': True}, - 'last_modified_time_utc': {'readonly': True}, - 'related_analytic_rule_ids': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'}, - 'classification': {'key': 'properties.classification', 'type': 'str'}, - 'classification_comment': {'key': 'properties.classificationComment', 'type': 'str'}, - 'classification_reason': {'key': 'properties.classificationReason', 'type': 'str'}, - 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'first_activity_time_utc': {'key': 'properties.firstActivityTimeUtc', 'type': 'iso-8601'}, - 'incident_url': {'key': 'properties.incidentUrl', 'type': 'str'}, - 'incident_number': {'key': 'properties.incidentNumber', 'type': 'int'}, - 'labels': {'key': 'properties.labels', 'type': '[IncidentLabel]'}, - 'last_activity_time_utc': {'key': 'properties.lastActivityTimeUtc', 'type': 'iso-8601'}, - 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'}, - 
'owner': {'key': 'properties.owner', 'type': 'IncidentOwnerInfo'}, - 'related_analytic_rule_ids': {'key': 'properties.relatedAnalyticRuleIds', 'type': '[str]'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'title': {'key': 'properties.title', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Incident, self).__init__(**kwargs) - self.additional_data = None - self.classification = kwargs.get('classification', None) - self.classification_comment = kwargs.get('classification_comment', None) - self.classification_reason = kwargs.get('classification_reason', None) - self.created_time_utc = None - self.description = kwargs.get('description', None) - self.first_activity_time_utc = kwargs.get('first_activity_time_utc', None) - self.incident_url = None - self.incident_number = None - self.labels = kwargs.get('labels', None) - self.last_activity_time_utc = kwargs.get('last_activity_time_utc', None) - self.last_modified_time_utc = None - self.owner = kwargs.get('owner', None) - self.related_analytic_rule_ids = None - self.severity = kwargs.get('severity', None) - self.status = kwargs.get('status', None) - self.title = kwargs.get('title', None) - - -class IncidentAdditionalData(msrest.serialization.Model): - """Incident additional data property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar alerts_count: The number of alerts in the incident. - :vartype alerts_count: int - :ivar bookmarks_count: The number of bookmarks in the incident. - :vartype bookmarks_count: int - :ivar comments_count: The number of comments in the incident. - :vartype comments_count: int - :ivar alert_product_names: List of product names of alerts in the incident. - :vartype alert_product_names: list[str] - :ivar tactics: The tactics associated with incident. 
- :vartype tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'alerts_count': {'readonly': True}, - 'bookmarks_count': {'readonly': True}, - 'comments_count': {'readonly': True}, - 'alert_product_names': {'readonly': True}, - 'tactics': {'readonly': True}, - } - - _attribute_map = { - 'alerts_count': {'key': 'alertsCount', 'type': 'int'}, - 'bookmarks_count': {'key': 'bookmarksCount', 'type': 'int'}, - 'comments_count': {'key': 'commentsCount', 'type': 'int'}, - 'alert_product_names': {'key': 'alertProductNames', 'type': '[str]'}, - 'tactics': {'key': 'tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentAdditionalData, self).__init__(**kwargs) - self.alerts_count = None - self.bookmarks_count = None - self.comments_count = None - self.alert_product_names = None - self.tactics = None - - -class IncidentComment(Resource): - """Represents an incident comment. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :ivar created_time_utc: The time the comment was created. - :vartype created_time_utc: ~datetime.datetime - :param message: The comment message. - :type message: str - :ivar author: Describes the client that created the comment. 
- :vartype author: ~security_insights.models.ClientInfo - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'created_time_utc': {'readonly': True}, - 'author': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, - 'message': {'key': 'properties.message', 'type': 'str'}, - 'author': {'key': 'properties.author', 'type': 'ClientInfo'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentComment, self).__init__(**kwargs) - self.created_time_utc = None - self.message = kwargs.get('message', None) - self.author = None - - -class IncidentCommentList(msrest.serialization.Model): - """List of incident comments. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of comments. - :vartype next_link: str - :param value: Required. Array of comments. - :type value: list[~security_insights.models.IncidentComment] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[IncidentComment]'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentCommentList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class IncidentInfo(msrest.serialization.Model): - """Describes related incident information for the bookmark. - - All required parameters must be populated in order to send to Azure. - - :param incident_id: Required. Incident Id. - :type incident_id: str - :param severity: Required. The severity of the incident. 
Possible values include: "Critical", - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.CaseSeverity - :param title: Required. The title of the incident. - :type title: str - :param relation_name: Required. Relation Name. - :type relation_name: str - """ - - _validation = { - 'incident_id': {'required': True}, - 'severity': {'required': True}, - 'title': {'required': True}, - 'relation_name': {'required': True}, - } - - _attribute_map = { - 'incident_id': {'key': 'incidentId', 'type': 'str'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'title': {'key': 'title', 'type': 'str'}, - 'relation_name': {'key': 'relationName', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentInfo, self).__init__(**kwargs) - self.incident_id = kwargs['incident_id'] - self.severity = kwargs['severity'] - self.title = kwargs['title'] - self.relation_name = kwargs['relation_name'] - - -class IncidentLabel(msrest.serialization.Model): - """Represents an incident label. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param label_name: Required. The name of the label. - :type label_name: str - :ivar label_type: The type of the label. Possible values include: "User", "System". - :vartype label_type: str or ~security_insights.models.IncidentLabelType - """ - - _validation = { - 'label_name': {'required': True}, - 'label_type': {'readonly': True}, - } - - _attribute_map = { - 'label_name': {'key': 'labelName', 'type': 'str'}, - 'label_type': {'key': 'labelType', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentLabel, self).__init__(**kwargs) - self.label_name = kwargs['label_name'] - self.label_type = None - - -class IncidentList(msrest.serialization.Model): - """List all the incidents. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of incidents. - :vartype next_link: str - :param value: Required. Array of incidents. - :type value: list[~security_insights.models.Incident] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Incident]'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class IncidentOwnerInfo(msrest.serialization.Model): - """Information on the user an incident is assigned to. - - :param email: The email of the user the incident is assigned to. - :type email: str - :param assigned_to: The name of the user the incident is assigned to. - :type assigned_to: str - :param object_id: The object id of the user the incident is assigned to. - :type object_id: str - :param user_principal_name: The user principal name of the user the incident is assigned to. - :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'assigned_to': {'key': 'assignedTo', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentOwnerInfo, self).__init__(**kwargs) - self.email = kwargs.get('email', None) - self.assigned_to = kwargs.get('assigned_to', None) - self.object_id = kwargs.get('object_id', None) - self.user_principal_name = kwargs.get('user_principal_name', None) - - -class MCASDataConnector(DataConnector): - """Represents MCAS (Microsoft Cloud App Security) data connector. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_alerts_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". - :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState - :param state_data_types_discovery_logs_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". 
- :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(MCASDataConnector, self).__init__(**kwargs) - self.kind = 'MicrosoftCloudAppSecurity' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state_data_types_alerts_state = kwargs.get('state_data_types_alerts_state', None) - self.state_data_types_discovery_logs_state = kwargs.get('state_data_types_discovery_logs_state', None) - - -class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector): - """The available data types for MCAS (Microsoft Cloud App Security) data connector. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - :param state_discovery_logs_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". 
- :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(MCASDataConnectorDataTypes, self).__init__(**kwargs) - self.state_discovery_logs_state = kwargs.get('state_discovery_logs_state', None) - - -class MDATPDataConnector(DataConnector): - """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(MDATPDataConnector, self).__init__(**kwargs) - self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) - - -class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): - """Represents MicrosoftSecurityIncidentCreation rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. 
Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': 
{'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - } - - def __init__( - self, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs.get('product_filter', None) - self.severities_filter = kwargs.get('severities_filter', None) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.enabled = kwargs.get('enabled', None) - self.last_modified_utc = None - - -class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): - """MicrosoftSecurityIncidentCreation rule common property bag. - - All required parameters must be populated in order to send to Azure. - - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. 
- :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - """ - - _validation = { - 'product_filter': {'required': True}, - } - - _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs['product_filter'] - self.severities_filter = kwargs.get('severities_filter', None) - - -class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): - """MicrosoftSecurityIncidentCreation rule property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. 
- :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime - """ - - _validation = { - 'product_filter': {'required': True}, - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - } - - def __init__( - self, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(**kwargs) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs['display_name'] - self.enabled = kwargs['enabled'] - self.last_modified_utc = None - - -class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): - """Represents MicrosoftSecurityIncidentCreation rule template. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". 
- :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) - self.created_date_utc = None - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.required_data_connectors = kwargs.get('required_data_connectors', None) - 
self.status = kwargs.get('status', None) - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs.get('product_filter', None) - self.severities_filter = kwargs.get('severities_filter', None) - - -class OfficeConsent(Resource): - """Consent for Office365 tenant that already made. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param tenant_id: The tenantId of the Office365 with the consent. - :type tenant_id: str - :ivar tenant_name: The tenant name of the Office365 with the consent. - :vartype tenant_name: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'tenant_name': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeConsent, self).__init__(**kwargs) - self.tenant_id = kwargs.get('tenant_id', None) - self.tenant_name = None - - -class OfficeConsentList(msrest.serialization.Model): - """List of all the office365 consents. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of office consents. - :vartype next_link: str - :param value: Required. Array of the consents. 
- :type value: list[~security_insights.models.OfficeConsent] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[OfficeConsent]'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeConsentList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class OfficeDataConnector(DataConnector): - """Represents office data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_share_point_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState - :param state_data_types_exchange_state: Describe whether this data type connection is enabled - or not. Possible values include: "Enabled", "Disabled". 
- :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'}, - 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnector, self).__init__(**kwargs) - self.kind = 'Office365' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state_data_types_share_point_state = kwargs.get('state_data_types_share_point_state', None) - self.state_data_types_exchange_state = kwargs.get('state_data_types_exchange_state', None) - - -class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon): - """Exchange data type connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnectorDataTypesExchange, self).__init__(**kwargs) - - -class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon): - """SharePoint data type connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnectorDataTypesSharePoint, self).__init__(**kwargs) - - -class Operation(msrest.serialization.Model): - """Operation provided by provider. - - :param display: Properties of the operation. - :type display: ~security_insights.models.OperationDisplay - :param name: Name of the operation. - :type name: str - """ - - _attribute_map = { - 'display': {'key': 'display', 'type': 'OperationDisplay'}, - 'name': {'key': 'name', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Operation, self).__init__(**kwargs) - self.display = kwargs.get('display', None) - self.name = kwargs.get('name', None) - - -class OperationDisplay(msrest.serialization.Model): - """Properties of the operation. - - :param description: Description of the operation. - :type description: str - :param operation: Operation name. - :type operation: str - :param provider: Provider name. - :type provider: str - :param resource: Resource name. - :type resource: str - """ - - _attribute_map = { - 'description': {'key': 'description', 'type': 'str'}, - 'operation': {'key': 'operation', 'type': 'str'}, - 'provider': {'key': 'provider', 'type': 'str'}, - 'resource': {'key': 'resource', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OperationDisplay, self).__init__(**kwargs) - self.description = kwargs.get('description', None) - self.operation = kwargs.get('operation', None) - self.provider = kwargs.get('provider', None) - self.resource = kwargs.get('resource', None) - - -class OperationsList(msrest.serialization.Model): - """Lists the operations available in the SecurityInsights RP. - - All required parameters must be populated in order to send to Azure. - - :param next_link: URL to fetch the next set of operations. - :type next_link: str - :param value: Required. 
Array of operations. - :type value: list[~security_insights.models.Operation] - """ - - _validation = { - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Operation]'}, - } - - def __init__( - self, - **kwargs - ): - super(OperationsList, self).__init__(**kwargs) - self.next_link = kwargs.get('next_link', None) - self.value = kwargs['value'] - - -class ScheduledAlertRule(AlertRule): - """Represents scheduled alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". 
- :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last - time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Determines whether the suppression for this alert rule is enabled - or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(ScheduledAlertRule, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) - 
self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.enabled = kwargs.get('enabled', None) - self.last_modified_utc = None - self.suppression_duration = kwargs.get('suppression_duration', None) - self.suppression_enabled = kwargs.get('suppression_enabled', None) - self.tactics = kwargs.get('tactics', None) - - -class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): - """Schedule alert rule template property bag. - - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. 
- :type trigger_threshold: int - """ - - _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - } - - def __init__( - self, - **kwargs - ): - super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) - - -class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): - """Scheduled alert rule base property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". 
- :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait - since last time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Required. Determines whether the suppression for this alert rule is - enabled or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, - 'suppression_duration': {'required': True}, - 'suppression_enabled': {'required': True}, - } - - _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(ScheduledAlertRuleProperties, self).__init__(**kwargs) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs['display_name'] - self.enabled = kwargs['enabled'] - self.last_modified_utc = None - self.suppression_duration = kwargs['suppression_duration'] - self.suppression_enabled = kwargs['suppression_enabled'] - self.tactics = kwargs.get('tactics', None) - - -class ScheduledAlertRuleTemplate(AlertRuleTemplate): - """Represents scheduled alert rule template. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. 
- - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". 
- :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param tactics: The tactics of the alert rule template. - :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) - self.created_date_utc = None - self.description = kwargs.get('description', None) - 
self.display_name = kwargs.get('display_name', None) - self.required_data_connectors = kwargs.get('required_data_connectors', None) - self.status = kwargs.get('status', None) - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) - self.tactics = kwargs.get('tactics', None) - - -class Settings(ResourceWithEtag): - """The Settings. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: ToggleSettings, UebaSettings. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". 
- :type kind: str or ~security_insights.models.SettingKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'} - } - - def __init__( - self, - **kwargs - ): - super(Settings, self).__init__(**kwargs) - self.kind = 'Settings' # type: str - - -class ThreatIntelligence(msrest.serialization.Model): - """ThreatIntelligence property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar confidence: Confidence (must be between 0 and 1). - :vartype confidence: float - :ivar provider_name: Name of the provider from whom this Threat Intelligence information was - received. - :vartype provider_name: str - :ivar report_link: Report link. - :vartype report_link: str - :ivar threat_description: Threat description (free text). - :vartype threat_description: str - :ivar threat_name: Threat name (e.g. "Jedobot malware"). - :vartype threat_name: str - :ivar threat_type: Threat type (e.g. "Botnet"). 
- :vartype threat_type: str - """ - - _validation = { - 'confidence': {'readonly': True}, - 'provider_name': {'readonly': True}, - 'report_link': {'readonly': True}, - 'threat_description': {'readonly': True}, - 'threat_name': {'readonly': True}, - 'threat_type': {'readonly': True}, - } - - _attribute_map = { - 'confidence': {'key': 'confidence', 'type': 'float'}, - 'provider_name': {'key': 'providerName', 'type': 'str'}, - 'report_link': {'key': 'reportLink', 'type': 'str'}, - 'threat_description': {'key': 'threatDescription', 'type': 'str'}, - 'threat_name': {'key': 'threatName', 'type': 'str'}, - 'threat_type': {'key': 'threatType', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ThreatIntelligence, self).__init__(**kwargs) - self.confidence = None - self.provider_name = None - self.report_link = None - self.threat_description = None - self.threat_name = None - self.threat_type = None - - -class TIDataConnector(DataConnector): - """Represents threat intelligence data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. 
Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(TIDataConnector, self).__init__(**kwargs) - self.kind = 'ThreatIntelligence' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) - - -class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon): - """Data type for indicators connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(TIDataConnectorDataTypesIndicators, self).__init__(**kwargs) - - -class ToggleSettings(Settings): - """Settings with single toggle. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". 
- :type kind: str or ~security_insights.models.SettingKind - :param is_enabled: Determines whether the setting is enable or disabled. - :type is_enabled: bool - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - } - - def __init__( - self, - **kwargs - ): - super(ToggleSettings, self).__init__(**kwargs) - self.kind = 'ToggleSettings' # type: str - self.is_enabled = kwargs.get('is_enabled', None) - - -class UebaSettings(Settings): - """Represents settings for User and Entity Behavior Analytics enablement. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection) - license. Possible values include: "Enabled", "Disabled". - :vartype atp_license_status: str or ~security_insights.models.LicenseStatus - :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this - workspace. - :type is_enabled: bool - :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from - MCAS (Microsoft Cloud App Security). 
Possible values include: "Enabled", "Disabled". - :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'atp_license_status': {'readonly': True}, - 'status_in_mcas': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(UebaSettings, self).__init__(**kwargs) - self.kind = 'UebaSettings' # type: str - self.atp_license_status = None - self.is_enabled = kwargs.get('is_enabled', None) - self.status_in_mcas = None diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py deleted file mode 100644 index 29010ed670f..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py +++ /dev/null 
@@ -1,3184 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -import datetime -from typing import List, Optional, Union - -import msrest.serialization - -from ._security_insights_enums import * - - -class ResourceWithEtag(msrest.serialization.Model): - """An azure resource object with an Etag property. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - **kwargs - ): - super(ResourceWithEtag, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None - self.etag = etag - - -class DataConnector(ResourceWithEtag): - """Data connector. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector. - - Variables are only populated by the server, and will be ignored when sending a request. 
- - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'} - } - - def __init__( - self, - *, - etag: Optional[str] = None, - **kwargs - ): - super(DataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'DataConnector' # type: str - - -class AADDataConnector(DataConnector): - """Represents AAD (Azure Active Directory) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. 
- :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AADDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureActiveDirectory' # type: str - self.tenant_id = tenant_id - self.state = state - - -class AATPDataConnector(DataConnector): - """Represents AATP (Azure Advanced Threat Protection) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. 
- - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AATPDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureAdvancedThreatProtection' # type: str - self.tenant_id = tenant_id - self.state = state - - -class ActionPropertiesBase(msrest.serialization.Model): - """Action property bag base. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. 
Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - } - - def __init__( - self, - *, - logic_app_resource_id: str, - **kwargs - ): - super(ActionPropertiesBase, self).__init__(**kwargs) - self.logic_app_resource_id = logic_app_resource_id - - -class ActionRequest(ResourceWithEtag): - """Action for alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. 
- :type trigger_uri: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, - 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - logic_app_resource_id: Optional[str] = None, - trigger_uri: Optional[str] = None, - **kwargs - ): - super(ActionRequest, self).__init__(etag=etag, **kwargs) - self.logic_app_resource_id = logic_app_resource_id - self.trigger_uri = trigger_uri - - -class ActionRequestProperties(ActionPropertiesBase): - """Action property bag. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - 'trigger_uri': {'key': 'triggerUri', 'type': 'str'}, - } - - def __init__( - self, - *, - logic_app_resource_id: str, - trigger_uri: Optional[str] = None, - **kwargs - ): - super(ActionRequestProperties, self).__init__(logic_app_resource_id=logic_app_resource_id, **kwargs) - self.trigger_uri = trigger_uri - - -class Resource(msrest.serialization.Model): - """An azure resource object. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. 
- :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Resource, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None - - -class ActionResponse(Resource): - """Action for alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the action. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param workflow_id: The name of the logic app's workflow. 
- :type workflow_id: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, - 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - logic_app_resource_id: Optional[str] = None, - workflow_id: Optional[str] = None, - **kwargs - ): - super(ActionResponse, self).__init__(**kwargs) - self.etag = etag - self.logic_app_resource_id = logic_app_resource_id - self.workflow_id = workflow_id - - -class ActionResponseProperties(ActionPropertiesBase): - """Action property bag. - - All required parameters must be populated in order to send to Azure. - - :param logic_app_resource_id: Required. Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param workflow_id: The name of the logic app's workflow. - :type workflow_id: str - """ - - _validation = { - 'logic_app_resource_id': {'required': True}, - } - - _attribute_map = { - 'logic_app_resource_id': {'key': 'logicAppResourceId', 'type': 'str'}, - 'workflow_id': {'key': 'workflowId', 'type': 'str'}, - } - - def __init__( - self, - *, - logic_app_resource_id: str, - workflow_id: Optional[str] = None, - **kwargs - ): - super(ActionResponseProperties, self).__init__(logic_app_resource_id=logic_app_resource_id, **kwargs) - self.workflow_id = workflow_id - - -class ActionsList(msrest.serialization.Model): - """List all the actions. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. 
- - :ivar next_link: URL to fetch the next set of actions. - :vartype next_link: str - :param value: Required. Array of actions. - :type value: list[~security_insights.models.ActionResponse] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[ActionResponse]'}, - } - - def __init__( - self, - *, - value: List["ActionResponse"], - **kwargs - ): - super(ActionsList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class AlertRule(ResourceWithEtag): - """Alert rule. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: FusionAlertRule, MicrosoftSecurityIncidentCreationAlertRule, ScheduledAlertRule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". 
- :type kind: str or ~security_insights.models.AlertRuleKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'Fusion': 'FusionAlertRule', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRule', 'Scheduled': 'ScheduledAlertRule'} - } - - def __init__( - self, - *, - etag: Optional[str] = None, - **kwargs - ): - super(AlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'AlertRule' # type: str - - -class AlertRulesList(msrest.serialization.Model): - """List all the alert rules. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of alert rules. - :vartype next_link: str - :param value: Required. Array of alert rules. - :type value: list[~security_insights.models.AlertRule] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[AlertRule]'}, - } - - def __init__( - self, - *, - value: List["AlertRule"], - **kwargs - ): - super(AlertRulesList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class AlertRuleTemplate(Resource): - """Alert rule template. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: FusionAlertRuleTemplate, MicrosoftSecurityIncidentCreationAlertRuleTemplate, ScheduledAlertRuleTemplate. - - Variables are only populated by the server, and will be ignored when sending a request. 
- - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'Fusion': 'FusionAlertRuleTemplate', 'MicrosoftSecurityIncidentCreation': 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', 'Scheduled': 'ScheduledAlertRuleTemplate'} - } - - def __init__( - self, - **kwargs - ): - super(AlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'AlertRuleTemplate' # type: str - - -class AlertRuleTemplateDataSource(msrest.serialization.Model): - """alert rule template data sources. - - :param connector_id: The connector id that provides the following data types. - :type connector_id: str - :param data_types: The data types used by the alert rule template. - :type data_types: list[str] - """ - - _attribute_map = { - 'connector_id': {'key': 'connectorId', 'type': 'str'}, - 'data_types': {'key': 'dataTypes', 'type': '[str]'}, - } - - def __init__( - self, - *, - connector_id: Optional[str] = None, - data_types: Optional[List[str]] = None, - **kwargs - ): - super(AlertRuleTemplateDataSource, self).__init__(**kwargs) - self.connector_id = connector_id - self.data_types = data_types - - -class AlertRuleTemplatesList(msrest.serialization.Model): - """List all the alert rule templates. 
- - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of alert rule templates. - :vartype next_link: str - :param value: Required. Array of alert rule templates. - :type value: list[~security_insights.models.AlertRuleTemplate] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[AlertRuleTemplate]'}, - } - - def __init__( - self, - *, - value: List["AlertRuleTemplate"], - **kwargs - ): - super(AlertRuleTemplatesList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class AlertsDataTypeOfDataConnector(msrest.serialization.Model): - """Alerts data type for data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs) - self.state = state - - -class ASCDataConnector(DataConnector): - """Represents ASC (Azure Security Center) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. 
Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - subscription_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(ASCDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureSecurityCenter' # type: str - self.subscription_id = subscription_id - self.state = state - - -class DataConnectorWithAlertsProperties(msrest.serialization.Model): - """Data connector properties. - - :param data_types: The available data types for the connector. 
- :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - """ - - _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - } - - def __init__( - self, - *, - data_types: Optional["AlertsDataTypeOfDataConnector"] = None, - **kwargs - ): - super(DataConnectorWithAlertsProperties, self).__init__(**kwargs) - self.data_types = data_types - - -class ASCDataConnectorProperties(DataConnectorWithAlertsProperties): - """ASC (Azure Security Center) data connector properties. - - :param data_types: The available data types for the connector. - :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - """ - - _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, - } - - def __init__( - self, - *, - data_types: Optional["AlertsDataTypeOfDataConnector"] = None, - subscription_id: Optional[str] = None, - **kwargs - ): - super(ASCDataConnectorProperties, self).__init__(data_types=data_types, **kwargs) - self.subscription_id = subscription_id - - -class AwsCloudTrailDataConnector(DataConnector): - """Represents Amazon Web Services CloudTrail data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. 
Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access - the Aws account. - :type aws_role_arn: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'}, - 'state': {'key': 'dataTypes.logs.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - aws_role_arn: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AwsCloudTrailDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AmazonWebServicesCloudTrail' # type: str - self.aws_role_arn = aws_role_arn - self.state = state - - -class DataConnectorDataTypeCommon(msrest.serialization.Model): - """Common field for data type in data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(DataConnectorDataTypeCommon, self).__init__(**kwargs) - self.state = state - - -class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon): - """Logs data type. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(state=state, **kwargs) - - -class Bookmark(ResourceWithEtag): - """Represents a bookmark in Azure Security Insights. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. 
- :type incident_info: ~security_insights.models.IncidentInfo - :ivar email_updated_by_email: The email of the user. - :vartype email_updated_by_email: str - :ivar name_updated_by_name: The name of the user. - :vartype name_updated_by_name: str - :param object_id_updated_by_object_id: The object id of the user. - :type object_id_updated_by_object_id: str - :ivar email_created_by_email: The email of the user. - :vartype email_created_by_email: str - :ivar name_created_by_name: The name of the user. - :vartype name_created_by_name: str - :param object_id_created_by_object_id: The object id of the user. - :type object_id_created_by_object_id: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'email_updated_by_email': {'readonly': True}, - 'name_updated_by_name': {'readonly': True}, - 'email_created_by_email': {'readonly': True}, - 'name_created_by_name': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'created': {'key': 'properties.created', 'type': 'iso-8601'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'labels': {'key': 'properties.labels', 'type': '[str]'}, - 'notes': {'key': 'properties.notes', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, - 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, - 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, - 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'}, - 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'}, - 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'}, - 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'}, - 'name_created_by_name': {'key': 
'createdBy.name', 'type': 'str'}, - 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - created: Optional[datetime.datetime] = None, - display_name: Optional[str] = None, - labels: Optional[List[str]] = None, - notes: Optional[str] = None, - query: Optional[str] = None, - query_result: Optional[str] = None, - updated: Optional[datetime.datetime] = None, - incident_info: Optional["IncidentInfo"] = None, - object_id_updated_by_object_id: Optional[str] = None, - object_id_created_by_object_id: Optional[str] = None, - **kwargs - ): - super(Bookmark, self).__init__(etag=etag, **kwargs) - self.created = created - self.display_name = display_name - self.labels = labels - self.notes = notes - self.query = query - self.query_result = query_result - self.updated = updated - self.incident_info = incident_info - self.email_updated_by_email = None - self.name_updated_by_name = None - self.object_id_updated_by_object_id = object_id_updated_by_object_id - self.email_created_by_email = None - self.name_created_by_name = None - self.object_id_created_by_object_id = object_id_created_by_object_id - - -class BookmarkList(msrest.serialization.Model): - """List all the bookmarks. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of cases. - :vartype next_link: str - :param value: Required. Array of bookmarks. 
- :type value: list[~security_insights.models.Bookmark] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Bookmark]'}, - } - - def __init__( - self, - *, - value: List["Bookmark"], - **kwargs - ): - super(BookmarkList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class ClientInfo(msrest.serialization.Model): - """Information on the client (user or application) that made some action. - - :param email: The email of the client. - :type email: str - :param name: The name of the client. - :type name: str - :param object_id: The object id of the client. - :type object_id: str - :param user_principal_name: The user principal name of the client. - :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, - } - - def __init__( - self, - *, - email: Optional[str] = None, - name: Optional[str] = None, - object_id: Optional[str] = None, - user_principal_name: Optional[str] = None, - **kwargs - ): - super(ClientInfo, self).__init__(**kwargs) - self.email = email - self.name = name - self.object_id = object_id - self.user_principal_name = user_principal_name - - -class DataConnectorList(msrest.serialization.Model): - """List all the data connectors. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of data connectors. - :vartype next_link: str - :param value: Required. Array of data connectors. 
- :type value: list[~security_insights.models.DataConnector] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[DataConnector]'}, - } - - def __init__( - self, - *, - value: List["DataConnector"], - **kwargs - ): - super(DataConnectorList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class DataConnectorTenantId(msrest.serialization.Model): - """Properties data connector on tenant level. - - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - """ - - _attribute_map = { - 'tenant_id': {'key': 'tenantId', 'type': 'str'}, - } - - def __init__( - self, - *, - tenant_id: Optional[str] = None, - **kwargs - ): - super(DataConnectorTenantId, self).__init__(**kwargs) - self.tenant_id = tenant_id - - -class ErrorAdditionalInfo(msrest.serialization.Model): - """The resource management error additional info. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar type: The additional info type. - :vartype type: str - :ivar info: The additional info. - :vartype info: object - """ - - _validation = { - 'type': {'readonly': True}, - 'info': {'readonly': True}, - } - - _attribute_map = { - 'type': {'key': 'type', 'type': 'str'}, - 'info': {'key': 'info', 'type': 'object'}, - } - - def __init__( - self, - **kwargs - ): - super(ErrorAdditionalInfo, self).__init__(**kwargs) - self.type = None - self.info = None - - -class ErrorResponse(msrest.serialization.Model): - """The resource management error response. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar code: The error code. - :vartype code: str - :ivar message: The error message. - :vartype message: str - :ivar target: The error target. - :vartype target: str - :ivar details: The error details. 
- :vartype details: list[~security_insights.models.ErrorResponse] - :ivar additional_info: The error additional info. - :vartype additional_info: list[~security_insights.models.ErrorAdditionalInfo] - """ - - _validation = { - 'code': {'readonly': True}, - 'message': {'readonly': True}, - 'target': {'readonly': True}, - 'details': {'readonly': True}, - 'additional_info': {'readonly': True}, - } - - _attribute_map = { - 'code': {'key': 'code', 'type': 'str'}, - 'message': {'key': 'message', 'type': 'str'}, - 'target': {'key': 'target', 'type': 'str'}, - 'details': {'key': 'details', 'type': '[ErrorResponse]'}, - 'additional_info': {'key': 'additionalInfo', 'type': '[ErrorAdditionalInfo]'}, - } - - def __init__( - self, - **kwargs - ): - super(ErrorResponse, self).__init__(**kwargs) - self.code = None - self.message = None - self.target = None - self.details = None - self.additional_info = None - - -class FusionAlertRule(AlertRule): - """Represents Fusion alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :ivar description: The description of the alert rule. - :vartype description: str - :ivar display_name: The display name for alerts created by this alert rule. - :vartype display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. 
- :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime - :ivar severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :vartype severity: str or ~security_insights.models.AlertSeverity - :ivar tactics: The tactics of the alert rule. - :vartype tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'description': {'readonly': True}, - 'display_name': {'readonly': True}, - 'last_modified_utc': {'readonly': True}, - 'severity': {'readonly': True}, - 'tactics': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - alert_rule_template_name: Optional[str] = None, - enabled: Optional[bool] = None, - **kwargs - ): - super(FusionAlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'Fusion' # type: str - self.alert_rule_template_name = alert_rule_template_name - self.description = None - self.display_name = None - self.enabled = enabled - self.last_modified_utc = None - self.severity = None - self.tactics = None 
- - -class FusionAlertRuleTemplate(AlertRuleTemplate): - """Represents Fusion alert rule template. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param tactics: The tactics of the alert rule template. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - *, - alert_rules_created_by_template_count: Optional[int] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, - status: Optional[Union[str, "TemplateStatus"]] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, - **kwargs - ): - super(FusionAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Fusion' # type: str - self.alert_rules_created_by_template_count = alert_rules_created_by_template_count - self.created_date_utc = None - self.description = description - self.display_name = display_name - self.required_data_connectors = required_data_connectors - self.status = status - self.severity = severity - self.tactics = tactics - - -class Incident(ResourceWithEtag): - """Represents an incident in 
Azure Security Insights. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :ivar additional_data: Additional data on the incident. - :vartype additional_data: ~security_insights.models.IncidentAdditionalData - :param classification: The reason the incident was closed. Possible values include: - "Undetermined", "TruePositive", "BenignPositive", "FalsePositive". - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. Possible - values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic", - "InaccurateData". - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :ivar created_time_utc: The time the incident was created. - :vartype created_time_utc: ~datetime.datetime - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :ivar incident_url: The deep-link url to the incident in Azure portal. - :vartype incident_url: str - :ivar incident_number: A sequential number. - :vartype incident_number: int - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :ivar last_modified_time_utc: The last time the incident was updated. 
- :vartype last_modified_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :ivar related_analytic_rule_ids: List of resource ids of Analytic rules related to the - incident. - :vartype related_analytic_rule_ids: list[str] - :param severity: The severity of the incident. Possible values include: "High", "Medium", - "Low", "Informational". - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. Possible values include: "New", "Active", "Closed". - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. - :type title: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'additional_data': {'readonly': True}, - 'created_time_utc': {'readonly': True}, - 'incident_url': {'readonly': True}, - 'incident_number': {'readonly': True}, - 'last_modified_time_utc': {'readonly': True}, - 'related_analytic_rule_ids': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'}, - 'classification': {'key': 'properties.classification', 'type': 'str'}, - 'classification_comment': {'key': 'properties.classificationComment', 'type': 'str'}, - 'classification_reason': {'key': 'properties.classificationReason', 'type': 'str'}, - 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'first_activity_time_utc': {'key': 'properties.firstActivityTimeUtc', 'type': 'iso-8601'}, - 'incident_url': {'key': 'properties.incidentUrl', 'type': 'str'}, - 'incident_number': {'key': 
'properties.incidentNumber', 'type': 'int'}, - 'labels': {'key': 'properties.labels', 'type': '[IncidentLabel]'}, - 'last_activity_time_utc': {'key': 'properties.lastActivityTimeUtc', 'type': 'iso-8601'}, - 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'}, - 'owner': {'key': 'properties.owner', 'type': 'IncidentOwnerInfo'}, - 'related_analytic_rule_ids': {'key': 'properties.relatedAnalyticRuleIds', 'type': '[str]'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'title': {'key': 'properties.title', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - classification: Optional[Union[str, "IncidentClassification"]] = None, - classification_comment: Optional[str] = None, - classification_reason: Optional[Union[str, "IncidentClassificationReason"]] = None, - description: Optional[str] = None, - first_activity_time_utc: Optional[datetime.datetime] = None, - labels: Optional[List["IncidentLabel"]] = None, - last_activity_time_utc: Optional[datetime.datetime] = None, - owner: Optional["IncidentOwnerInfo"] = None, - severity: Optional[Union[str, "IncidentSeverity"]] = None, - status: Optional[Union[str, "IncidentStatus"]] = None, - title: Optional[str] = None, - **kwargs - ): - super(Incident, self).__init__(etag=etag, **kwargs) - self.additional_data = None - self.classification = classification - self.classification_comment = classification_comment - self.classification_reason = classification_reason - self.created_time_utc = None - self.description = description - self.first_activity_time_utc = first_activity_time_utc - self.incident_url = None - self.incident_number = None - self.labels = labels - self.last_activity_time_utc = last_activity_time_utc - self.last_modified_time_utc = None - self.owner = owner - self.related_analytic_rule_ids = None - self.severity = severity - self.status = status - self.title = title - - -class 
IncidentAdditionalData(msrest.serialization.Model): - """Incident additional data property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar alerts_count: The number of alerts in the incident. - :vartype alerts_count: int - :ivar bookmarks_count: The number of bookmarks in the incident. - :vartype bookmarks_count: int - :ivar comments_count: The number of comments in the incident. - :vartype comments_count: int - :ivar alert_product_names: List of product names of alerts in the incident. - :vartype alert_product_names: list[str] - :ivar tactics: The tactics associated with incident. - :vartype tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'alerts_count': {'readonly': True}, - 'bookmarks_count': {'readonly': True}, - 'comments_count': {'readonly': True}, - 'alert_product_names': {'readonly': True}, - 'tactics': {'readonly': True}, - } - - _attribute_map = { - 'alerts_count': {'key': 'alertsCount', 'type': 'int'}, - 'bookmarks_count': {'key': 'bookmarksCount', 'type': 'int'}, - 'comments_count': {'key': 'commentsCount', 'type': 'int'}, - 'alert_product_names': {'key': 'alertProductNames', 'type': '[str]'}, - 'tactics': {'key': 'tactics', 'type': '[str]'}, - } - - def __init__( - self, - **kwargs - ): - super(IncidentAdditionalData, self).__init__(**kwargs) - self.alerts_count = None - self.bookmarks_count = None - self.comments_count = None - self.alert_product_names = None - self.tactics = None - - -class IncidentComment(Resource): - """Represents an incident comment. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :ivar created_time_utc: The time the comment was created. - :vartype created_time_utc: ~datetime.datetime - :param message: The comment message. 
- :type message: str - :ivar author: Describes the client that created the comment. - :vartype author: ~security_insights.models.ClientInfo - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'created_time_utc': {'readonly': True}, - 'author': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, - 'message': {'key': 'properties.message', 'type': 'str'}, - 'author': {'key': 'properties.author', 'type': 'ClientInfo'}, - } - - def __init__( - self, - *, - message: Optional[str] = None, - **kwargs - ): - super(IncidentComment, self).__init__(**kwargs) - self.created_time_utc = None - self.message = message - self.author = None - - -class IncidentCommentList(msrest.serialization.Model): - """List of incident comments. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of comments. - :vartype next_link: str - :param value: Required. Array of comments. - :type value: list[~security_insights.models.IncidentComment] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[IncidentComment]'}, - } - - def __init__( - self, - *, - value: List["IncidentComment"], - **kwargs - ): - super(IncidentCommentList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class IncidentInfo(msrest.serialization.Model): - """Describes related incident information for the bookmark. - - All required parameters must be populated in order to send to Azure. - - :param incident_id: Required. Incident Id. 
- :type incident_id: str - :param severity: Required. The severity of the incident. Possible values include: "Critical", - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.CaseSeverity - :param title: Required. The title of the incident. - :type title: str - :param relation_name: Required. Relation Name. - :type relation_name: str - """ - - _validation = { - 'incident_id': {'required': True}, - 'severity': {'required': True}, - 'title': {'required': True}, - 'relation_name': {'required': True}, - } - - _attribute_map = { - 'incident_id': {'key': 'incidentId', 'type': 'str'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'title': {'key': 'title', 'type': 'str'}, - 'relation_name': {'key': 'relationName', 'type': 'str'}, - } - - def __init__( - self, - *, - incident_id: str, - severity: Union[str, "CaseSeverity"], - title: str, - relation_name: str, - **kwargs - ): - super(IncidentInfo, self).__init__(**kwargs) - self.incident_id = incident_id - self.severity = severity - self.title = title - self.relation_name = relation_name - - -class IncidentLabel(msrest.serialization.Model): - """Represents an incident label. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param label_name: Required. The name of the label. - :type label_name: str - :ivar label_type: The type of the label. Possible values include: "User", "System". 
- :vartype label_type: str or ~security_insights.models.IncidentLabelType - """ - - _validation = { - 'label_name': {'required': True}, - 'label_type': {'readonly': True}, - } - - _attribute_map = { - 'label_name': {'key': 'labelName', 'type': 'str'}, - 'label_type': {'key': 'labelType', 'type': 'str'}, - } - - def __init__( - self, - *, - label_name: str, - **kwargs - ): - super(IncidentLabel, self).__init__(**kwargs) - self.label_name = label_name - self.label_type = None - - -class IncidentList(msrest.serialization.Model): - """List all the incidents. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of incidents. - :vartype next_link: str - :param value: Required. Array of incidents. - :type value: list[~security_insights.models.Incident] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Incident]'}, - } - - def __init__( - self, - *, - value: List["Incident"], - **kwargs - ): - super(IncidentList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class IncidentOwnerInfo(msrest.serialization.Model): - """Information on the user an incident is assigned to. - - :param email: The email of the user the incident is assigned to. - :type email: str - :param assigned_to: The name of the user the incident is assigned to. - :type assigned_to: str - :param object_id: The object id of the user the incident is assigned to. - :type object_id: str - :param user_principal_name: The user principal name of the user the incident is assigned to. 
- :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'assigned_to': {'key': 'assignedTo', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, - } - - def __init__( - self, - *, - email: Optional[str] = None, - assigned_to: Optional[str] = None, - object_id: Optional[str] = None, - user_principal_name: Optional[str] = None, - **kwargs - ): - super(IncidentOwnerInfo, self).__init__(**kwargs) - self.email = email - self.assigned_to = assigned_to - self.object_id = object_id - self.user_principal_name = user_principal_name - - -class MCASDataConnector(DataConnector): - """Represents MCAS (Microsoft Cloud App Security) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_alerts_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". 
- :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState - :param state_data_types_discovery_logs_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state_data_types_alerts_state: Optional[Union[str, "DataTypeState"]] = None, - state_data_types_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(MCASDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftCloudAppSecurity' # type: str - self.tenant_id = tenant_id - self.state_data_types_alerts_state = state_data_types_alerts_state - self.state_data_types_discovery_logs_state = state_data_types_discovery_logs_state - - -class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector): - """The available data types for MCAS (Microsoft Cloud App Security) data connector. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - :param state_discovery_logs_state: Describe whether this data type connection is enabled or - not. 
Possible values include: "Enabled", "Disabled". - :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - state_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(MCASDataConnectorDataTypes, self).__init__(state=state, **kwargs) - self.state_discovery_logs_state = state_discovery_logs_state - - -class MDATPDataConnector(DataConnector): - """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(MDATPDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str - self.tenant_id = tenant_id - self.state = state - - -class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): - """Represents MicrosoftSecurityIncidentCreation rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. 
- :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. 
- :vartype last_modified_utc: ~datetime.datetime - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - enabled: Optional[bool] = None, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - 
self.severities_filter = severities_filter - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - - -class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): - """MicrosoftSecurityIncidentCreation rule common property bag. - - All required parameters must be populated in order to send to Azure. - - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. 
- :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - """ - - _validation = { - 'product_filter': {'required': True}, - } - - _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - } - - def __init__( - self, - *, - product_filter: Union[str, "MicrosoftSecurityProductName"], - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - self.severities_filter = severities_filter - - -class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): - """MicrosoftSecurityIncidentCreation rule property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". 
- :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime - """ - - _validation = { - 'product_filter': {'required': True}, - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - } - - def __init__( - self, - *, - product_filter: Union[str, "MicrosoftSecurityProductName"], - display_name: str, - enabled: bool, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - alert_rule_template_name: Optional[str] = 
None, - description: Optional[str] = None, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(display_names_filter=display_names_filter, display_names_exclude_filter=display_names_exclude_filter, product_filter=product_filter, severities_filter=severities_filter, **kwargs) - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - - -class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): - """Represents MicrosoftSecurityIncidentCreation rule template. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". 
- :type status: str or ~security_insights.models.TemplateStatus - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 
'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - } - - def __init__( - self, - *, - alert_rules_created_by_template_count: Optional[int] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, - status: Optional[Union[str, "TemplateStatus"]] = None, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - **kwargs - ): - super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.alert_rules_created_by_template_count = alert_rules_created_by_template_count - self.created_date_utc = None - self.description = description - self.display_name = display_name - self.required_data_connectors = required_data_connectors - self.status = status - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - self.severities_filter = severities_filter - - -class OfficeConsent(Resource): - """Consent for Office365 tenant that already made. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param tenant_id: The tenantId of the Office365 with the consent. - :type tenant_id: str - :ivar tenant_name: The tenant name of the Office365 with the consent. 
- :vartype tenant_name: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'tenant_name': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'}, - } - - def __init__( - self, - *, - tenant_id: Optional[str] = None, - **kwargs - ): - super(OfficeConsent, self).__init__(**kwargs) - self.tenant_id = tenant_id - self.tenant_name = None - - -class OfficeConsentList(msrest.serialization.Model): - """List of all the office365 consents. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of office consents. - :vartype next_link: str - :param value: Required. Array of the consents. - :type value: list[~security_insights.models.OfficeConsent] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[OfficeConsent]'}, - } - - def __init__( - self, - *, - value: List["OfficeConsent"], - **kwargs - ): - super(OfficeConsentList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class OfficeDataConnector(DataConnector): - """Represents office data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. 
- :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_share_point_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState - :param state_data_types_exchange_state: Describe whether this data type connection is enabled - or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'}, - 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state_data_types_share_point_state: Optional[Union[str, "DataTypeState"]] = None, - state_data_types_exchange_state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(OfficeDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'Office365' # type: 
str - self.tenant_id = tenant_id - self.state_data_types_share_point_state = state_data_types_share_point_state - self.state_data_types_exchange_state = state_data_types_exchange_state - - -class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon): - """Exchange data type connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(OfficeDataConnectorDataTypesExchange, self).__init__(state=state, **kwargs) - - -class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon): - """SharePoint data type connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(OfficeDataConnectorDataTypesSharePoint, self).__init__(state=state, **kwargs) - - -class Operation(msrest.serialization.Model): - """Operation provided by provider. - - :param display: Properties of the operation. - :type display: ~security_insights.models.OperationDisplay - :param name: Name of the operation. 
- :type name: str - """ - - _attribute_map = { - 'display': {'key': 'display', 'type': 'OperationDisplay'}, - 'name': {'key': 'name', 'type': 'str'}, - } - - def __init__( - self, - *, - display: Optional["OperationDisplay"] = None, - name: Optional[str] = None, - **kwargs - ): - super(Operation, self).__init__(**kwargs) - self.display = display - self.name = name - - -class OperationDisplay(msrest.serialization.Model): - """Properties of the operation. - - :param description: Description of the operation. - :type description: str - :param operation: Operation name. - :type operation: str - :param provider: Provider name. - :type provider: str - :param resource: Resource name. - :type resource: str - """ - - _attribute_map = { - 'description': {'key': 'description', 'type': 'str'}, - 'operation': {'key': 'operation', 'type': 'str'}, - 'provider': {'key': 'provider', 'type': 'str'}, - 'resource': {'key': 'resource', 'type': 'str'}, - } - - def __init__( - self, - *, - description: Optional[str] = None, - operation: Optional[str] = None, - provider: Optional[str] = None, - resource: Optional[str] = None, - **kwargs - ): - super(OperationDisplay, self).__init__(**kwargs) - self.description = description - self.operation = operation - self.provider = provider - self.resource = resource - - -class OperationsList(msrest.serialization.Model): - """Lists the operations available in the SecurityInsights RP. - - All required parameters must be populated in order to send to Azure. - - :param next_link: URL to fetch the next set of operations. - :type next_link: str - :param value: Required. Array of operations. 
- :type value: list[~security_insights.models.Operation] - """ - - _validation = { - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Operation]'}, - } - - def __init__( - self, - *, - value: List["Operation"], - next_link: Optional[str] = None, - **kwargs - ): - super(OperationsList, self).__init__(**kwargs) - self.next_link = next_link - self.value = value - - -class ScheduledAlertRule(AlertRule): - """Represents scheduled alert rule. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". 
- :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last - time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Determines whether the suppression for this alert rule is enabled - or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - display_name: 
Optional[str] = None, - enabled: Optional[bool] = None, - suppression_duration: Optional[datetime.timedelta] = None, - suppression_enabled: Optional[bool] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, - **kwargs - ): - super(ScheduledAlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'Scheduled' # type: str - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - self.trigger_threshold = trigger_threshold - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - self.suppression_duration = suppression_duration - self.suppression_enabled = suppression_enabled - self.tactics = tactics - - -class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): - """Schedule alert rule template property bag. - - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. 
- :type trigger_threshold: int - """ - - _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - } - - def __init__( - self, - *, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - **kwargs - ): - super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - self.trigger_threshold = trigger_threshold - - -class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): - """Scheduled alert rule base property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. 
Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait - since last time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Required. Determines whether the suppression for this alert rule is - enabled or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. 
- :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, - 'suppression_duration': {'required': True}, - 'suppression_enabled': {'required': True}, - } - - _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'tactics', 'type': '[str]'}, - } - - def __init__( - self, - *, - display_name: str, - enabled: bool, - suppression_duration: datetime.timedelta, - suppression_enabled: bool, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, - **kwargs - ): - super(ScheduledAlertRuleProperties, self).__init__(query=query, query_frequency=query_frequency, query_period=query_period, severity=severity, trigger_operator=trigger_operator, 
trigger_threshold=trigger_threshold, **kwargs) - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - self.suppression_duration = suppression_duration - self.suppression_enabled = suppression_enabled - self.tactics = tactics - - -class ScheduledAlertRuleTemplate(AlertRuleTemplate): - """Represents scheduled alert rule template. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param query: The query that creates alerts for this rule. 
- :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param tactics: The tactics of the alert rule template. - :type tactics: list[str or ~security_insights.models.AttackTactic] - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 
'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, - } - - def __init__( - self, - *, - alert_rules_created_by_template_count: Optional[int] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, - status: Optional[Union[str, "TemplateStatus"]] = None, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, - **kwargs - ): - super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - self.alert_rules_created_by_template_count = alert_rules_created_by_template_count - self.created_date_utc = None - self.description = description - self.display_name = display_name - self.required_data_connectors = required_data_connectors - self.status = status - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - self.trigger_threshold = trigger_threshold - self.tactics = tactics - - -class Settings(ResourceWithEtag): - """The Settings. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: ToggleSettings, UebaSettings. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. 
- - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'} - } - - def __init__( - self, - *, - etag: Optional[str] = None, - **kwargs - ): - super(Settings, self).__init__(etag=etag, **kwargs) - self.kind = 'Settings' # type: str - - -class ThreatIntelligence(msrest.serialization.Model): - """ThreatIntelligence property bag. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar confidence: Confidence (must be between 0 and 1). - :vartype confidence: float - :ivar provider_name: Name of the provider from whom this Threat Intelligence information was - received. - :vartype provider_name: str - :ivar report_link: Report link. - :vartype report_link: str - :ivar threat_description: Threat description (free text). - :vartype threat_description: str - :ivar threat_name: Threat name (e.g. "Jedobot malware"). - :vartype threat_name: str - :ivar threat_type: Threat type (e.g. "Botnet"). 
- :vartype threat_type: str - """ - - _validation = { - 'confidence': {'readonly': True}, - 'provider_name': {'readonly': True}, - 'report_link': {'readonly': True}, - 'threat_description': {'readonly': True}, - 'threat_name': {'readonly': True}, - 'threat_type': {'readonly': True}, - } - - _attribute_map = { - 'confidence': {'key': 'confidence', 'type': 'float'}, - 'provider_name': {'key': 'providerName', 'type': 'str'}, - 'report_link': {'key': 'reportLink', 'type': 'str'}, - 'threat_description': {'key': 'threatDescription', 'type': 'str'}, - 'threat_name': {'key': 'threatName', 'type': 'str'}, - 'threat_type': {'key': 'threatType', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(ThreatIntelligence, self).__init__(**kwargs) - self.confidence = None - self.provider_name = None - self.report_link = None - self.threat_description = None - self.threat_name = None - self.threat_type = None - - -class TIDataConnector(DataConnector): - """Represents threat intelligence data connector. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. 
Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(TIDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'ThreatIntelligence' # type: str - self.tenant_id = tenant_id - self.state = state - - -class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon): - """Data type for indicators connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(TIDataConnectorDataTypesIndicators, self).__init__(state=state, **kwargs) - - -class ToggleSettings(Settings): - """Settings with single toggle. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. 
- :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :param is_enabled: Determines whether the setting is enable or disabled. - :type is_enabled: bool - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - is_enabled: Optional[bool] = None, - **kwargs - ): - super(ToggleSettings, self).__init__(etag=etag, **kwargs) - self.kind = 'ToggleSettings' # type: str - self.is_enabled = is_enabled - - -class UebaSettings(Settings): - """Represents settings for User and Entity Behavior Analytics enablement. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection) - license. Possible values include: "Enabled", "Disabled". 
- :vartype atp_license_status: str or ~security_insights.models.LicenseStatus - :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this - workspace. - :type is_enabled: bool - :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from - MCAS (Microsoft Cloud App Security). Possible values include: "Enabled", "Disabled". - :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'atp_license_status': {'readonly': True}, - 'status_in_mcas': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - is_enabled: Optional[bool] = None, - **kwargs - ): - super(UebaSettings, self).__init__(etag=etag, **kwargs) - self.kind = 'UebaSettings' # type: str - self.atp_license_status = None - self.is_enabled = is_enabled - self.status_in_mcas = None diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py deleted file mode 100644 index ff1e2d1db57..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py +++ /dev/null 
@@ -1,182 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from enum import Enum, EnumMeta -from six import with_metaclass - -class _CaseInsensitiveEnumMeta(EnumMeta): - def __getitem__(self, name): - return super().__getitem__(name.upper()) - - def __getattr__(cls, name): - """Return the enum member matching `name` - We use __getattr__ instead of descriptors or inserting into the enum - class' __dict__ in order to support `name` and `value` being both - properties for enum members (which live in the class' __dict__) and - enum members themselves. - """ - try: - return cls._member_map_[name.upper()] - except KeyError: - raise AttributeError(name) - - -class AlertRuleKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The kind of the alert rule - """ - - SCHEDULED = "Scheduled" - MICROSOFT_SECURITY_INCIDENT_CREATION = "MicrosoftSecurityIncidentCreation" - FUSION = "Fusion" - -class AlertSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The severity of the alert - """ - - HIGH = "High" #: High severity. - MEDIUM = "Medium" #: Medium severity. - LOW = "Low" #: Low severity. - INFORMATIONAL = "Informational" #: Informational severity. - -class AttackTactic(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The severity for alerts created by this alert rule. 
- """ - - INITIAL_ACCESS = "InitialAccess" - EXECUTION = "Execution" - PERSISTENCE = "Persistence" - PRIVILEGE_ESCALATION = "PrivilegeEscalation" - DEFENSE_EVASION = "DefenseEvasion" - CREDENTIAL_ACCESS = "CredentialAccess" - DISCOVERY = "Discovery" - LATERAL_MOVEMENT = "LateralMovement" - COLLECTION = "Collection" - EXFILTRATION = "Exfiltration" - COMMAND_AND_CONTROL = "CommandAndControl" - IMPACT = "Impact" - -class CaseSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The severity of the incident - """ - - CRITICAL = "Critical" #: Critical severity. - HIGH = "High" #: High severity. - MEDIUM = "Medium" #: Medium severity. - LOW = "Low" #: Low severity. - INFORMATIONAL = "Informational" #: Informational severity. - -class DataConnectorKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The kind of the data connector - """ - - AZURE_ACTIVE_DIRECTORY = "AzureActiveDirectory" - AZURE_SECURITY_CENTER = "AzureSecurityCenter" - MICROSOFT_CLOUD_APP_SECURITY = "MicrosoftCloudAppSecurity" - THREAT_INTELLIGENCE = "ThreatIntelligence" - OFFICE365 = "Office365" - AMAZON_WEB_SERVICES_CLOUD_TRAIL = "AmazonWebServicesCloudTrail" - AZURE_ADVANCED_THREAT_PROTECTION = "AzureAdvancedThreatProtection" - MICROSOFT_DEFENDER_ADVANCED_THREAT_PROTECTION = "MicrosoftDefenderAdvancedThreatProtection" - -class DataTypeState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Describe whether this data type connection is enabled or not. - """ - - ENABLED = "Enabled" - DISABLED = "Disabled" - -class IncidentClassification(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The reason the incident was closed - """ - - UNDETERMINED = "Undetermined" #: Incident classification was undetermined. - TRUE_POSITIVE = "TruePositive" #: Incident was true positive. - BENIGN_POSITIVE = "BenignPositive" #: Incident was benign positive. - FALSE_POSITIVE = "FalsePositive" #: Incident was false positive. 
- -class IncidentClassificationReason(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The classification reason the incident was closed with - """ - - SUSPICIOUS_ACTIVITY = "SuspiciousActivity" #: Classification reason was suspicious activity. - SUSPICIOUS_BUT_EXPECTED = "SuspiciousButExpected" #: Classification reason was suspicious but expected. - INCORRECT_ALERT_LOGIC = "IncorrectAlertLogic" #: Classification reason was incorrect alert logic. - INACCURATE_DATA = "InaccurateData" #: Classification reason was inaccurate data. - -class IncidentLabelType(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The type of the label - """ - - USER = "User" #: Label manually created by a user. - SYSTEM = "System" #: Label automatically created by the system. - -class IncidentSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The severity of the incident - """ - - HIGH = "High" #: High severity. - MEDIUM = "Medium" #: Medium severity. - LOW = "Low" #: Low severity. - INFORMATIONAL = "Informational" #: Informational severity. - -class IncidentStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The status of the incident - """ - - NEW = "New" #: An active incident which isn't being handled currently. - ACTIVE = "Active" #: An active incident which is being handled. - CLOSED = "Closed" #: A non-active incident. - -class LicenseStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Determines whether the tenant has ATP (Advanced Threat Protection) license. 
- """ - - ENABLED = "Enabled" - DISABLED = "Disabled" - -class MicrosoftSecurityProductName(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The alerts' productName on which the cases will be generated - """ - - MICROSOFT_CLOUD_APP_SECURITY = "Microsoft Cloud App Security" - AZURE_SECURITY_CENTER = "Azure Security Center" - AZURE_ADVANCED_THREAT_PROTECTION = "Azure Advanced Threat Protection" - AZURE_ACTIVE_DIRECTORY_IDENTITY_PROTECTION = "Azure Active Directory Identity Protection" - AZURE_SECURITY_CENTER_FOR_IO_T = "Azure Security Center for IoT" - -class SettingKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The kind of the setting - """ - - UEBA_SETTINGS = "UebaSettings" - TOGGLE_SETTINGS = "ToggleSettings" - -class StatusInMCAS(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App - Security). - """ - - ENABLED = "Enabled" - DISABLED = "Disabled" - -class TemplateStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The alert rule template status. - """ - - INSTALLED = "Installed" #: Alert rule template installed. and can not use more then once. - AVAILABLE = "Available" #: Alert rule template is available. - NOT_AVAILABLE = "NotAvailable" #: Alert rule template is not available. - -class TriggerOperator(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The operation against the threshold that triggers alert rule. - """ - - GREATER_THAN = "GreaterThan" - LESS_THAN = "LessThan" - EQUAL = "Equal" - NOT_EQUAL = "NotEqual" diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py deleted file mode 100644 index 5e67996dcd4..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py +++ /dev/null 
@@ -1,27 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._operation_operations import OperationOperations -from ._alert_rule_operations import AlertRuleOperations -from ._action_operations import ActionOperations -from ._alert_rule_template_operations import AlertRuleTemplateOperations -from ._bookmark_operations import BookmarkOperations -from ._data_connector_operations import DataConnectorOperations -from ._incident_operations import IncidentOperations -from ._incident_comment_operations import IncidentCommentOperations - -__all__ = [ - 'OperationOperations', - 'AlertRuleOperations', - 'ActionOperations', - 'AlertRuleTemplateOperations', - 'BookmarkOperations', - 'DataConnectorOperations', - 'IncidentOperations', - 'IncidentCommentOperations', -] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py deleted file mode 100644 index a0eaa43cf9a..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py +++ /dev/null 
@@ -1,126 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class ActionOperations(object): - """ActionOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list_by_alert_rule( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.ActionsList"] - """Gets all actions of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either ActionsList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ActionsList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list_by_alert_rule.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 
'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('ActionsList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py deleted file mode 100644 index f91eef2b673..00000000000 
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py +++ /dev/null 
@@ -1,546 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class AlertRuleOperations(object): - """AlertRuleOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name, # type: str - workspace_name, # type: str - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.AlertRulesList"] - """Gets all alert rules. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRulesList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRulesList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } 
- url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRulesList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.AlertRule" - """Gets the alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. 
- :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('AlertRule', pipeline_response) 
- - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - def create_or_update( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - alert_rule, # type: "models.AlertRule" - **kwargs # type: Any - ): - # type: (...) -> "models.AlertRule" - """Creates or updates the alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param alert_rule: The alert rule. - :type alert_rule: ~security_insights.models.AlertRule - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, 
pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(alert_rule, 'AlertRule') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('AlertRule', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('AlertRule', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - def delete( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - **kwargs # type: Any - ): - # type: (...) 
-> None - """Delete the alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - 
if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore - - def get_action( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - action_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.ActionResponse" - """Gets the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. 
- :type action_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, 
error_format=ARMErrorFormat) - - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore - - def create_or_update_action( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - action_id, # type: str - etag=None, # type: Optional[str] - logic_app_resource_id=None, # type: Optional[str] - trigger_uri=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> "models.ActionResponse" - """Creates or updates the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. 
- :type trigger_uri: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = 
self._serialize.body(action, 'ActionRequest') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore - - def delete_action( - self, - resource_group_name, # type: str - workspace_name, # type: str - rule_id, # type: str - action_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> None - """Delete the action of alert rule. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. 
- :type action_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete_action.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return 
cls(pipeline_response, None, {}) - - delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py deleted file mode 100644 index 2dad458b3f7..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py +++ /dev/null 
@@ -1,186 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class AlertRuleTemplateOperations(object): - """AlertRuleTemplateOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name, # type: str - workspace_name, # type: str - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.AlertRuleTemplatesList"] - """Gets all alert rule templates. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRuleTemplatesList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRuleTemplatesList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplatesList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 
'str', max_length=90, min_length=1), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRuleTemplatesList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - alert_rule_template_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.AlertRuleTemplate" - """Gets the alert rule template. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. 
- :type workspace_name: str - :param alert_rule_template_id: Alert rule template ID. - :type alert_rule_template_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRuleTemplate, or the result of cls(response) - :rtype: ~security_insights.models.AlertRuleTemplate - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRuleTemplate"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, 
response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('AlertRuleTemplate', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py deleted file mode 100644 index 0121790c420..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py +++ /dev/null 
@@ -1,353 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -import datetime -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class BookmarkOperations(object): - """BookmarkOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name, # type: str - workspace_name, # type: str - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.BookmarkList"] - """Gets all bookmarks. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either BookmarkList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.BookmarkList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - url = 
self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('BookmarkList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - bookmark_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.Bookmark" - """Gets a bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. 
- :type bookmark_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('Bookmark', 
pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore - - def create_or_update( - self, - resource_group_name, # type: str - workspace_name, # type: str - bookmark_id, # type: str - etag=None, # type: Optional[str] - created=None, # type: Optional[datetime.datetime] - display_name=None, # type: Optional[str] - labels=None, # type: Optional[List[str]] - notes=None, # type: Optional[str] - query=None, # type: Optional[str] - query_result=None, # type: Optional[str] - updated=None, # type: Optional[datetime.datetime] - incident_info=None, # type: Optional["models.IncidentInfo"] - object_id=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> "models.Bookmark" - """Creates or updates the bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. 
- :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :param object_id: The object id of the user. - :type object_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - 
header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(bookmark, 'Bookmark') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('Bookmark', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('Bookmark', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore - - def delete( - self, - resource_group_name, # type: str - workspace_name, # type: str - bookmark_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> None - """Delete the bookmark. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param bookmark_id: Bookmark ID. 
- :type bookmark_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': 
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py deleted file mode 100644 index cce78e5ae84..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py +++ /dev/null 
@@ -1,324 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class DataConnectorOperations(object): - """DataConnectorOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name, # type: str - workspace_name, # type: str - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.DataConnectorList"] - """Gets all data connectors. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either DataConnectorList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.DataConnectorList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, 
min_length=1), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('DataConnectorList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - data_connector_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.DataConnector" - """Gets a data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. 
- :type data_connector_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized 
= self._deserialize('DataConnector', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore - - def create_or_update( - self, - resource_group_name, # type: str - workspace_name, # type: str - data_connector_id, # type: str - data_connector, # type: "models.DataConnector" - **kwargs # type: Any - ): - # type: (...) -> "models.DataConnector" - """Creates or updates the data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str - :param data_connector: The data connector. 
- :type data_connector: ~security_insights.models.DataConnector - :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - print(url) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(data_connector, 'DataConnector') - body_content_kwargs['content'] = body_content - request = 
self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('DataConnector', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('DataConnector', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore - - def delete( - self, - resource_group_name, # type: str - workspace_name, # type: str - data_connector_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> None - """Delete the data connector. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param data_connector_id: Connector ID. 
- :type data_connector_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - 
delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py deleted file mode 100644 index ebed41e74ae..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py +++ /dev/null 
@@ -1,294 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class IncidentCommentOperations(object): - """IncidentCommentOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list_by_incident( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - filter=None, # type: Optional[str] - orderby=None, # type: Optional[str] - top=None, # type: Optional[int] - skip_token=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.IncidentCommentList"] - """Gets all incident comments. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param filter: Filters the results, based on a Boolean condition. Optional. - :type filter: str - :param orderby: Sorts the results. Optional. - :type orderby: str - :param top: Returns only the first n results. Optional. - :type top: int - :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If - a previous response contains a nextLink element, the value of the nextLink element will include - a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
- :type skip_token: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentCommentList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentCommentList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentCommentList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list_by_incident.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - if filter is not None: - query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') - if orderby is not None: - query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') - if top is not None: - query_parameters['$top'] = 
self._serialize.query("top", top, 'int') - if skip_token is not None: - query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentCommentList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list_by_incident.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - incident_comment_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.IncidentComment" - """Gets an incident comment. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param incident_comment_id: Incident comment ID. 
- :type incident_comment_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: IncidentComment, or the result of cls(response) - :rtype: ~security_insights.models.IncidentComment - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - 
raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('IncidentComment', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore - - def create_comment( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - incident_comment_id, # type: str - message=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> "models.IncidentComment" - """Creates the incident comment. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param incident_comment_id: Incident comment ID. - :type incident_comment_id: str - :param message: The comment message. 
- :type message: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: IncidentComment, or the result of cls(response) - :rtype: ~security_insights.models.IncidentComment - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentComment"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - incident_comment = models.IncidentComment(message=message) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_comment.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident_comment, 
'IncidentComment') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('IncidentComment', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py deleted file mode 100644 index 0a2071ac198..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py +++ /dev/null 
@@ -1,381 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -import datetime -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class IncidentOperations(object): - """IncidentOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - resource_group_name, # type: str - workspace_name, # type: str - filter=None, # type: Optional[str] - orderby=None, # type: Optional[str] - top=None, # type: Optional[int] - skip_token=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.IncidentList"] - """Gets all incidents. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param filter: Filters the results, based on a Boolean condition. Optional. - :type filter: str - :param orderby: Sorts the results. Optional. - :type orderby: str - :param top: Returns only the first n results. Optional. - :type top: int - :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If - a previous response contains a nextLink element, the value of the nextLink element will include - a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
- :type skip_token: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - } - url = self._client.format_url(url, **path_format_arguments) - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - if filter is not None: - query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') - if orderby is not None: - query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') - if top is not None: - query_parameters['$top'] = self._serialize.query("top", top, 'int') - if skip_token is not None: - query_parameters['$skipToken'] = 
self._serialize.query("skip_token", skip_token, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore - - def get( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> "models.Incident" - """Gets an incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. 
- :type incident_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.get.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - deserialized = self._deserialize('Incident', 
pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - - def create_or_update( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - etag=None, # type: Optional[str] - classification=None, # type: Optional[Union[str, "models.IncidentClassification"]] - classification_comment=None, # type: Optional[str] - classification_reason=None, # type: Optional[Union[str, "models.IncidentClassificationReason"]] - description=None, # type: Optional[str] - first_activity_time_utc=None, # type: Optional[datetime.datetime] - labels=None, # type: Optional[List["models.IncidentLabel"]] - last_activity_time_utc=None, # type: Optional[datetime.datetime] - owner=None, # type: Optional["models.IncidentOwnerInfo"] - severity=None, # type: Optional[Union[str, "models.IncidentSeverity"]] - status=None, # type: Optional[Union[str, "models.IncidentStatus"]] - title=None, # type: Optional[str] - **kwargs # type: Any - ): - # type: (...) -> "models.Incident" - """Creates or updates the incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. - :type incident_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param classification: The reason the incident was closed. - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. 
- :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :param severity: The severity of the incident. - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. 
- :type title: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - - incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") - accept = "application/json" - - # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') - 
header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident, 'Incident') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 201]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if response.status_code == 200: - deserialized = self._deserialize('Incident', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('Incident', pipeline_response) - - if cls: - return cls(pipeline_response, deserialized, {}) - - return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - - def delete( - self, - resource_group_name, # type: str - workspace_name, # type: str - incident_id, # type: str - **kwargs # type: Any - ): - # type: (...) -> None - """Delete the incident. - - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. - :type resource_group_name: str - :param workspace_name: The name of the workspace. - :type workspace_name: str - :param incident_id: Incident ID. 
- :type incident_id: str - :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType[None] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - # Construct URL - url = self.delete.metadata['url'] # type: ignore - path_format_arguments = { - 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), - 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), - } - url = self._client.format_url(url, **path_format_arguments) - - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - request = self._client.delete(url, query_parameters, header_parameters) - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200, 204]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - if cls: - return cls(pipeline_response, None, {}) - - delete.metadata = {'url': 
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py deleted file mode 100644 index b1d3c09bbf3..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py +++ /dev/null 
@@ -1,109 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- -from typing import TYPE_CHECKING -import warnings - -from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error -from azure.core.paging import ItemPaged -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpRequest, HttpResponse -from azure.mgmt.core.exceptions import ARMErrorFormat - -from .. import models - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar - - T = TypeVar('T') - ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] - -class OperationOperations(object): - """OperationOperations operations. - - You should not instantiate this class directly. Instead, you should create a Client instance that - instantiates it for you and attaches it as an attribute. - - :ivar models: Alias to model classes used in this operation group. - :type models: ~security_insights.models - :param client: Client for service requests. - :param config: Configuration of service client. - :param serializer: An object model serializer. - :param deserializer: An object model deserializer. 
- """ - - models = models - - def __init__(self, client, config, serializer, deserializer): - self._client = client - self._serialize = serializer - self._deserialize = deserializer - self._config = config - - def list( - self, - **kwargs # type: Any - ): - # type: (...) -> Iterable["models.OperationsList"] - """Lists all operations available Azure Security Insights Resource Provider. - - :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either OperationsList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.OperationsList] - :raises: ~azure.core.exceptions.HttpResponseError - """ - cls = kwargs.pop('cls', None) # type: ClsType["models.OperationsList"] - error_map = { - 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError - } - error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" - accept = "application/json" - - def prepare_request(next_link=None): - # Construct headers - header_parameters = {} # type: Dict[str, Any] - header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - - if not next_link: - # Construct URL - url = self.list.metadata['url'] # type: ignore - # Construct parameters - query_parameters = {} # type: Dict[str, Any] - query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') - - request = self._client.get(url, query_parameters, header_parameters) - else: - url = next_link - query_parameters = {} # type: Dict[str, Any] - request = self._client.get(url, query_parameters, header_parameters) - return request - - def extract_data(pipeline_response): - deserialized = self._deserialize('OperationsList', pipeline_response) - list_of_elem = deserialized.value - if cls: - list_of_elem = cls(list_of_elem) - return deserialized.next_link or None, iter(list_of_elem) - - def get_next(next_link=None): - request = 
prepare_request(next_link) - - pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) - response = pipeline_response.http_response - - if response.status_code not in [200]: - map_error(status_code=response.status_code, response=response, error_map=error_map) - raise HttpResponseError(response=response, error_format=ARMErrorFormat) - - return pipeline_response - - return ItemPaged( - get_next, extract_data - ) - list.metadata = {'url': '/providers/Microsoft.SecurityInsights/operations'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed deleted file mode 100644 index e5aff4f83af..00000000000 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/py.typed +++ /dev/null @@ -1 +0,0 @@ -# Marker file for PEP 561. \ No newline at end of file diff --git a/src/securityinsight/gen.zip b/src/securityinsight/gen.zip deleted file mode 100644 index a6dbc93f1dd..00000000000 Binary files a/src/securityinsight/gen.zip and /dev/null differ diff --git a/src/securityinsight/report.md b/src/securityinsight/report.md deleted file mode 100644 index d2f533d3f36..00000000000 --- a/src/securityinsight/report.md +++ /dev/null 
@@ -1,610 +0,0 @@ -# Azure CLI Module Creation Report - -## EXTENSION -|CLI Extension|Command Groups| -|---------|------------| -|az sentinel|[groups](#CommandGroups) - -## GROUPS -### Command groups in `az sentinel` extension -|CLI Command Group|Group Swagger name|Commands| -|---------|------------|--------| -|az sentinel alert-rule|AlertRules|[commands](#CommandsInAlertRules)| -|az sentinel action|Actions|[commands](#CommandsInActions)| -|az sentinel alert-rule-template|AlertRuleTemplates|[commands](#CommandsInAlertRuleTemplates)| -|az sentinel bookmark|Bookmarks|[commands](#CommandsInBookmarks)| -|az sentinel data-connector|DataConnectors|[commands](#CommandsInDataConnectors)| -|az sentinel incident|Incidents|[commands](#CommandsInIncidents)| -|az sentinel incident-comment|IncidentComments|[commands](#CommandsInIncidentComments)| - -## COMMANDS -### Commands in `az sentinel action` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel action list](#ActionsListByAlertRule)|ListByAlertRule|[Parameters](#ParametersActionsListByAlertRule)|[Example](#ExamplesActionsListByAlertRule)| - -### Commands in `az sentinel alert-rule` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel alert-rule list](#AlertRulesList)|List|[Parameters](#ParametersAlertRulesList)|[Example](#ExamplesAlertRulesList)| -|[az sentinel alert-rule show](#AlertRulesGet)|Get|[Parameters](#ParametersAlertRulesGet)|[Example](#ExamplesAlertRulesGet)| -|[az sentinel alert-rule create](#AlertRulesCreateOrUpdateAction)|CreateOrUpdateAction|[Parameters](#ParametersAlertRulesCreateOrUpdateAction)|[Example](#ExamplesAlertRulesCreateOrUpdateAction)| -|[az sentinel alert-rule create](#AlertRulesCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersAlertRulesCreateOrUpdate#Create)|[Example](#ExamplesAlertRulesCreateOrUpdate#Create)| -|[az sentinel 
alert-rule update](#AlertRulesCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersAlertRulesCreateOrUpdate#Update)|Not Found| -|[az sentinel alert-rule delete](#AlertRulesDeleteAction)|DeleteAction|[Parameters](#ParametersAlertRulesDeleteAction)|[Example](#ExamplesAlertRulesDeleteAction)| -|[az sentinel alert-rule delete](#AlertRulesDelete)|Delete|[Parameters](#ParametersAlertRulesDelete)|[Example](#ExamplesAlertRulesDelete)| -|[az sentinel alert-rule get-action](#AlertRulesGetAction)|GetAction|[Parameters](#ParametersAlertRulesGetAction)|[Example](#ExamplesAlertRulesGetAction)| - -### Commands in `az sentinel alert-rule-template` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel alert-rule-template list](#AlertRuleTemplatesList)|List|[Parameters](#ParametersAlertRuleTemplatesList)|[Example](#ExamplesAlertRuleTemplatesList)| -|[az sentinel alert-rule-template show](#AlertRuleTemplatesGet)|Get|[Parameters](#ParametersAlertRuleTemplatesGet)|[Example](#ExamplesAlertRuleTemplatesGet)| - -### Commands in `az sentinel bookmark` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel bookmark list](#BookmarksList)|List|[Parameters](#ParametersBookmarksList)|[Example](#ExamplesBookmarksList)| -|[az sentinel bookmark show](#BookmarksGet)|Get|[Parameters](#ParametersBookmarksGet)|[Example](#ExamplesBookmarksGet)| -|[az sentinel bookmark create](#BookmarksCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersBookmarksCreateOrUpdate#Create)|[Example](#ExamplesBookmarksCreateOrUpdate#Create)| -|[az sentinel bookmark update](#BookmarksCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersBookmarksCreateOrUpdate#Update)|Not Found| -|[az sentinel bookmark delete](#BookmarksDelete)|Delete|[Parameters](#ParametersBookmarksDelete)|[Example](#ExamplesBookmarksDelete)| - -### Commands in `az 
sentinel data-connector` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel data-connector list](#DataConnectorsList)|List|[Parameters](#ParametersDataConnectorsList)|[Example](#ExamplesDataConnectorsList)| -|[az sentinel data-connector show](#DataConnectorsGet)|Get|[Parameters](#ParametersDataConnectorsGet)|[Example](#ExamplesDataConnectorsGet)| -|[az sentinel data-connector create](#DataConnectorsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Create)|[Example](#ExamplesDataConnectorsCreateOrUpdate#Create)| -|[az sentinel data-connector update](#DataConnectorsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Update)|Not Found| -|[az sentinel data-connector delete](#DataConnectorsDelete)|Delete|[Parameters](#ParametersDataConnectorsDelete)|[Example](#ExamplesDataConnectorsDelete)| - -### Commands in `az sentinel incident` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel incident list](#IncidentsList)|List|[Parameters](#ParametersIncidentsList)|[Example](#ExamplesIncidentsList)| -|[az sentinel incident show](#IncidentsGet)|Get|[Parameters](#ParametersIncidentsGet)|[Example](#ExamplesIncidentsGet)| -|[az sentinel incident create](#IncidentsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersIncidentsCreateOrUpdate#Create)|[Example](#ExamplesIncidentsCreateOrUpdate#Create)| -|[az sentinel incident update](#IncidentsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersIncidentsCreateOrUpdate#Update)|Not Found| -|[az sentinel incident delete](#IncidentsDelete)|Delete|[Parameters](#ParametersIncidentsDelete)|[Example](#ExamplesIncidentsDelete)| - -### Commands in `az sentinel incident-comment` group -|CLI Command|Operation Swagger name|Parameters|Examples| 
-|---------|------------|--------|-----------| -|[az sentinel incident-comment list](#IncidentCommentsListByIncident)|ListByIncident|[Parameters](#ParametersIncidentCommentsListByIncident)|[Example](#ExamplesIncidentCommentsListByIncident)| -|[az sentinel incident-comment show](#IncidentCommentsGet)|Get|[Parameters](#ParametersIncidentCommentsGet)|[Example](#ExamplesIncidentCommentsGet)| -|[az sentinel incident-comment create](#IncidentCommentsCreateComment)|CreateComment|[Parameters](#ParametersIncidentCommentsCreateComment)|[Example](#ExamplesIncidentCommentsCreateComment)| - - -## COMMAND DETAILS - -### group `az sentinel action` -#### Command `az sentinel action list` - -##### Example -``` -az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name \ -"myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| - -### group `az sentinel alert-rule` -#### Command `az sentinel alert-rule list` - -##### Example -``` -az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| - -#### Command `az sentinel alert-rule show` - -##### Example -``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name \ -"myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| - -#### Command `az sentinel alert-rule create` - -##### Example -``` -az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --logic-app-resource-id \ -"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \ ---trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/m\ -anual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id \ -"912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's 
subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--logic-app-resource-id**|string|Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.|logic_app_resource_id|logicAppResourceId| -|**--trigger-uri**|string|Logic App Callback URL for this specific workflow.|trigger_uri|triggerUri| - -#### Command `az sentinel alert-rule create` - -##### Example -``` -az sentinel alert-rule create --fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" \ -alert-rule-template-name="f71aba3d-28fb-450b-b192-4e76a83015c8" enabled=true --resource-group "myRg" --rule-id \ -"myFirstFusionRule" --workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule etag="\\"260097e0-0000-0d00-0000-5d6fa8\ -8f0000\\"" product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true \ ---resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" --workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel alert-rule create --scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ -query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" \ -query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 \ -description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false \ -tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5\ -" --workspace-name "myWorkspace" -``` -##### 
Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule| -|**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule| -|**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule| - -#### Command `az sentinel alert-rule update` - -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule| -|**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule| -|**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule| - -#### Command `az sentinel alert-rule delete` - -##### Example -``` -az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| - -#### Command `az sentinel alert-rule delete` - -##### Example -``` -az sentinel alert-rule delete --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -#### Command `az sentinel alert-rule get-action` - -##### Example -``` -az sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| - -### group `az sentinel alert-rule-template` -#### Command `az sentinel alert-rule-template list` - -##### Example -``` -az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| - -#### Command `az sentinel alert-rule-template show` - -##### Example -``` -az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" --resource-group \ -"myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--alert-rule-template-id**|string|Alert rule template ID|alert_rule_template_id|alertRuleTemplateId| - -### group `az sentinel bookmark` -#### Command `az sentinel bookmark list` - -##### Example -``` -az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| - -#### Command `az sentinel bookmark show` - -##### Example -``` -az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| - -#### Command `az sentinel bookmark create` - -##### Example -``` -az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created "2019-01-01T13:15:30Z" \ ---display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious activity" --query \ -"SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security Event query \ -result" --updated "2019-01-01T13:15:30Z" --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--created**|date-time|The time the bookmark was created|created|created| -|**--display-name**|string|The display name of the bookmark|display_name|displayName| -|**--labels**|array|List of labels relevant to this bookmark|labels|labels| -|**--notes**|string|The notes of the bookmark|notes|notes| -|**--query**|string|The query of the bookmark.|query|query| -|**--query-result**|string|The query result of the bookmark.|query_result|queryResult| -|**--updated**|date-time|The last time the bookmark was updated|updated|updated| -|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo| -|**--updated-by-object-id**|uuid|The object id of the user.|object_id|objectId| - -#### Command `az sentinel bookmark update` - -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--created**|date-time|The time the bookmark was created|created|created| -|**--display-name**|string|The display name of the bookmark|display_name|displayName| -|**--labels**|array|List of labels relevant to this bookmark|labels|labels| -|**--notes**|string|The notes of the bookmark|notes|notes| -|**--query**|string|The query of the bookmark.|query|query| -|**--query-result**|string|The query result of the bookmark.|query_result|queryResult| -|**--updated**|date-time|The last time the bookmark was updated|updated|updated| -|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo| -|**--updated-by-object-id**|uuid|The object id of the user.|object_id|objectId| - -#### Command `az sentinel bookmark delete` - -##### Example -``` -az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| - -### group `az sentinel data-connector` -#### Command `az sentinel data-connector list` - -##### Example -``` -az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| - -#### Command `az sentinel data-connector show` - -##### Example -``` -az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id 
"c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| - -#### Command `az sentinel data-connector create` - -##### Example -``` -az sentinel data-connector create --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ -tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ ---resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| -|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector| -|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector| -|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector| -|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector| -|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector| -|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.|mdatp_data_connector|MDATPDataConnector| -|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector| -|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector| - -#### Command `az sentinel data-connector update` - -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| -|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector| -|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector| -|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector| -|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector| -|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector| -|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.|mdatp_data_connector|MDATPDataConnector| -|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector| -|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector| - -#### Command `az sentinel data-connector delete` - -##### Example -``` -az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| - -### group `az sentinel incident` -#### Command `az sentinel incident list` - -##### Example -``` -az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" --workspace-name \ -"myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| -|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| -|**--top**|integer|Returns only the first n results. Optional.|top|$top| -|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken| - -#### Command `az sentinel incident show` - -##### Example -``` -az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| - -#### Command `az sentinel incident create` - -##### Example -``` -az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is a demo \ -incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" --classification-reason \ -"IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \ ---owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity "High" --status "Closed" --title "My incident" \ ---incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--classification**|choice|The reason the incident was closed|classification|classification| -|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| -|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| -|**--description**|string|The description of the incident|description|description| -|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| -|**--labels**|array|List of labels relevant to this incident|labels|labels| -|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| -|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| -|**--severity**|choice|The severity of the incident|severity|severity| -|**--status**|choice|The status of the incident|status|status| -|**--title**|string|The title of the incident|title|title| - -#### Command `az sentinel incident update` - -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--classification**|choice|The reason the incident was closed|classification|classification| -|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| -|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| -|**--description**|string|The description of the incident|description|description| -|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| -|**--labels**|array|List of labels relevant to this incident|labels|labels| -|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| -|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| -|**--severity**|choice|The severity of the incident|severity|severity| -|**--status**|choice|The status of the incident|status|status| -|**--title**|string|The title of the incident|title|title| - -#### Command `az sentinel incident delete` - -##### Example -``` -az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| - -### group `az sentinel incident-comment` -#### Command `az sentinel incident-comment list` - -##### Example -``` -az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| -|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| -|**--top**|integer|Returns only the first n results. Optional.|top|$top| -|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken| - -#### Command `az sentinel incident-comment show` - -##### Example -``` -az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| - -#### Command `az sentinel incident-comment create` - -##### Example -``` -az sentinel incident-comment create --message "Some message" --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da001\ -4" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| -|**--message**|string|The comment message|message|message| diff --git a/src/securityinsight/setup.py b/src/securityinsight/setup.py index a3d2c6727d7..980b63ec9e9 100644 --- a/src/securityinsight/setup.py +++ b/src/securityinsight/setup.py 
@@ -1,20 +1,16 @@ -#!/usr/bin/env python - # -------------------------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. +# +# Code generated by aaz-dev-tools # -------------------------------------------------------------------------------------------- - from codecs import open from setuptools import setup, find_packages + # HISTORY.rst entry. -VERSION = '0.1.2' -try: - from azext_sentinel.manual.version import VERSION -except ImportError: - pass +VERSION = '0.2.0' # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers @@ -24,19 +20,14 @@ 'Intended Audience :: System Administrators', 'Programming Language :: Python', 'Programming Language :: Python :: 3', - 'Programming Language :: Python :: 3.6', 'Programming Language :: Python :: 3.7', 'Programming Language :: Python :: 3.8', + 'Programming Language :: Python :: 3.9', 'License :: OSI Approved :: MIT License', ] DEPENDENCIES = [] -try: - from azext_sentinel.manual.dependency import DEPENDENCIES -except ImportError: - pass - with open('README.md', 'r', encoding='utf-8') as f: README = f.read() with open('HISTORY.rst', 'r', encoding='utf-8') as f: 
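Review bot: `from codecs import open` survives the regenerated header in the first hunk and shadows the builtin `open` that the two `with open(..., encoding='utf-8')` reads further down rely on. `codecs.open` always opens the underlying file in binary mode and performs no newline translation, so on a checkout with CRLF line endings the `README` and `HISTORY` text carries `\r\n` straight into `long_description`; with the classifiers now starting at Python 3.7, the builtin `open` already accepts `encoding=` and normalizes newlines. Deleting the `from codecs import open` line is sufficient, as far as these hunks show, since nothing else visible uses `codecs`.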
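Review bot: Dropping the `3.6` classifier and adding `3.9` in the second hunk does not prevent installation on an interpreter outside that range, because trove classifiers are informational only; `python_requires` is what pip enforces, and the `setup()` call in the following hunk does not set it. Adding `python_requires='>=3.7',` next to `classifiers=CLASSIFIERS,` in that call would make the declared support range enforceable and keep the classifier list and the install-time check from drifting apart. If the extension is only ever installed through `az extension add`, the host CLI's interpreter already bounds this, but the metadata should still agree with itself.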
@@ -45,14 +36,14 @@ setup( name='sentinel', version=VERSION, - description='Microsoft Azure Command-Line Tools SecurityInsights Extension', - author='Microsoft Corporation', - author_email='azpycli@microsoft.com', - url='https://github.com/Azure/azure-cli-extensions/tree/main/src/sentinel', + description='Microsoft Azure Command-Line Tools Sentinel Extension.', long_description=README + '\n\n' + HISTORY, license='MIT', + author='Microsoft Corporation', + author_email='azpycli@microsoft.com', + url='https://github.com/Azure/azure-cli-extensions/tree/main/src/securityinsight', classifiers=CLASSIFIERS, - packages=find_packages(), - install_requires=DEPENDENCIES, + packages=find_packages(exclude=["tests"]), package_data={'azext_sentinel': ['azext_metadata.json']}, + install_requires=DEPENDENCIES ) diff --git a/src/service_name.json b/src/service_name.json index ffff84dc052..97fd51cdd9b 100644 --- a/src/service_name.json +++ b/src/service_name.json @@ -406,7 +406,7 @@ }, { "Command": "az sentinel", - "AzureServiceName": "Azure Sentinel", + "AzureServiceName": "Microsoft Sentinel", "URL": "https://docs.microsoft.com/azure/sentinel/overview" }, {
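Review bot: `packages=find_packages(exclude=["tests"])` excludes only a top-level package literally named `tests`; a nested test package such as `azext_sentinel.tests` still matches and would be packaged into the wheel. If this extension keeps its tests (and any recorded fixtures) under the package directory, as azure-cli extensions commonly do, the usual pattern is `packages=find_packages(exclude=["tests", "*.tests", "*.tests.*"]),`. The moved `install_requires=DEPENDENCIES` also loses its trailing comma, which is harmless but makes the next argument added to `setup()` a two-line diff.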