From d8d035796aaf2d8f413e07e557129e412f75d16f Mon Sep 17 00:00:00 2001 
From: Anat Gilenson
Date: Mon, 25 Oct 2021 11:12:48 +0300
Subject: [PATCH 01/12] Add missing resources and examples from 2020-01-01
---
 .../stable/2021-10-01/Bookmarks.json | 439 +++++
 .../stable/2021-10-01/DataConnectors.json | 739 +++++++++
 .../stable/2021-10-01/SecurityInsights.json | 1430 +++++++++++++++++
 .../examples/bookmarks/CreateBookmark.json | 93 ++
 .../examples/bookmarks/DeleteBookmark.json | 14 +
 .../examples/bookmarks/GetBookmarkById.json | 48 +
 .../examples/bookmarks/GetBookmarks.json | 51 +
 .../CreateOfficeDataConnetor.json | 76 +
 ...CreateThreatIntelligenceDataConnector.json | 60 +
 .../DeleteOfficeDataConnetor.json | 14 +
 .../GetAmazonWebServicesCloudTrailById.json | 29 +
 .../GetAzureActiveDirectoryById.json | 29 +
 .../GetAzureAdvancedThreatProtectionById.json | 29 +
 .../GetAzureSecurityCenterById.json | 29 +
 .../dataConnectors/GetDataConnectors.json | 143 ++
 .../GetMicrosoftCloudAppSecurityById.json | 32 +
 ...tDefenderAdvancedThreatProtectionById.json | 29 +
 .../GetOfficeDataConnetorById.json | 35 +
 .../GetThreatIntelligenceById.json | 30 +
 19 files changed, 3349 insertions(+)
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
new file mode 100644
index 000000000000..a3581ff591da
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
@@ -0,0 +1,439 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/BookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/Bookmark" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + 
"description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + "operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "Bookmark": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": 
"date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" + }, + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" + }, + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + 
"value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "objectId" + ], + "type": "object" + } + }, + "parameters": { + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": "bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json new file mode 100644 index 000000000000..4bfbc702611d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json 
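Review bot: `info.version` is `"2020-01-01"` while the file is created under `stable/2021-10-01` (the `+++ b/...` header), so the version this spec declares disagrees with the api-version folder it ships in; the DataConnectors.json and SecurityInsights.json hunks in this patch carry the same `"version": "2020-01-01"`. Unless the `ApiVersion` parameter in SecurityInsights.json (outside this hunk) is deliberately pinned to 2020-01-01, this should be `"version": "2021-10-01"` in all three files. Separately, `BookmarkList.nextLink` keeps the copied text `"URL to fetch the next set of cases."`; `"URL to fetch the next set of bookmarks."` matches the list it describes. The audit fields `created`, `createdBy`, `updated` and `updatedBy` in `BookmarkProperties` are not `readOnly`, so a PUT body may supply them; if the service populates them, marking them `"readOnly": true` keeps the server authoritative for who created or changed a bookmark.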
@@ -0,0 +1,739 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a MCAS data connector.": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": 
{ + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates an Threat Intelligence Platform data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + 
"description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "description": "AAD (Azure Active Directory) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." 
+ } + }, + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnectorProperties": { + 
"description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "DataConnector": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Data connector.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "The data connector kind" + } + }, + "type": "object" + }, + "DataConnectorKind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "Office365", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "Office365" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + } + ] + } + }, + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + 
"value" + ] + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } + } + }, + "type": "object" + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection." + }, + "discoveryLogs": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Discovery log data type connection." 
+ } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." 
+ } + }, + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object" + }, + "TIDataConnectorProperties": { + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "OfficeDataConnectorProperties": { + "description": "Office data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + } + }, + "parameters": { + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} 
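Review bot: `DataConnectorTenantId` is defined but nothing in this file references it, and `DataConnectorWithAlertsProperties` is composed only by `ASCDataConnectorProperties`; `AADDataConnectorProperties`, `AATPDataConnectorProperties`, `MCASDataConnectorProperties`, `MDATPDataConnectorProperties`, `TIDataConnectorProperties` and `OfficeDataConnectorProperties` each re-declare `tenantId` inline instead. Either compose them with `"allOf": [ { "$ref": "#/definitions/DataConnectorTenantId" } ]` (plus `DataConnectorWithAlertsProperties` where `dataTypes` is already `AlertsDataTypeOfDataConnector`) or drop the unused definition, so the shared fields have one description to maintain. `MCASDataConnectorDataTypes` also inherits `alerts` from `AlertsDataTypeOfDataConnector` via `allOf` and then re-declares the same `alerts` property; one of the two is redundant. The example file names spell `Connetor` (`CreateOfficeDataConnetor.json`, `DeleteOfficeDataConnetor.json`, `GetOfficeDataConnetorById.json`); if those files are renamed in a later patch of this series, the `x-ms-examples` refs here must follow.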
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
new file mode 100644
index 000000000000..1bb0b3dff3b2
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
@@ -0,0 +1,1430 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/providers/Microsoft.SecurityInsights/operations": { + "get": { + "operationId": "Operations_List", + "description": "Lists all operations available Azure Security Insights Resource Provider.", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + } + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "OK. 
Successfully retrieved operations list.", + "schema": { + "$ref": "#/definitions/OperationsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { + "get": { + "x-ms-examples": { + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Gets all incidents.", + "operationId": "Incidents_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { + "get": { + "x-ms-examples": { + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Gets an incident.", + "operationId": "Incidents_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": 
"#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/Incident" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Delete the incident.", + "operationId": "Incidents_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation 
successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { + "x-ms-examples": { + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-odata": "#/definitions/IncidentComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { + "get": { + "x-ms-examples": { + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" + } + }, + "tags": [ + "IncidentComments" + 
], + "description": "Gets an incident comment.", + "operationId": "IncidentComments_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Creates the incident comment.", + "operationId": "IncidentComments_CreateComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + }, + { + "$ref": "#/parameters/IncidentComment" + } + ], + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": 
"string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", + "properties": { + "email": { + "description": "The email of the client.", + "type": "string" + }, + "name": { + "description": "The name of the client.", + "type": "string" + }, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the client.", + "type": "string" + } + }, + "type": "object" + }, + "CloudError": { + "x-ms-external": true, + "properties": { + "error": { + "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", + "description": "The error object of the CloudError response" + } + }, + "type": "object", + "description": "An error response for a resource management request." + }, + "Incident": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an incident in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentProperties", + "description": "Incident properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", + "properties": { + "alertsCount": { + "description": "The number of alerts in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "bookmarksCount": { + "description": "The number of bookmarks in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "commentsCount": { + "description": "The number of comments in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "items": { + "description": "Alert product name", + 
"type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with incident", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "IncidentComment": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Represents an incident comment", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "IncidentCommentList": { + "description": "List of incident comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/IncidentComment" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "IncidentCommentProperties": { + "description": "Incident comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "The comment message", + "type": "string" + }, + "author": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the comment", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", + "type": "string" + }, + "labelType": { + "description": "The type of the label", + "enum": [ + "User", + "System" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentLabelType", + "values": [ + { + "description": "Label manually created by a 
user", + "value": "User" + }, + { + "description": "Label automatically created by the system", + "value": "System" + } + ] + } + } + }, + "required": [ + "labelName" + ], + "type": "object" + }, + "IncidentList": { + "description": "List all the incidents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of incidents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of incidents.", + "items": { + "$ref": "#/definitions/Incident" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", + "properties": { + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + } + }, + "type": "object" + }, + "IncidentProperties": { + "description": "Describes incident properties", + "properties": { + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, + "type": "object" + }, + "classification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + 
"value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "classificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] + } + }, + "createdTimeUtc": { + "description": "The time the incident was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the incident", + "type": "string" + }, + "firstActivityTimeUtc": { + "description": "The time of the first activity in the incident", + "format": "date-time", + "type": "string" + }, + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", + "readOnly": true, + "type": "string" + }, + "incidentNumber": { + "description": "A sequential number", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "labels": { + "description": "List of labels relevant to this incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "lastActivityTimeUtc": { + "description": "The time of the last activity in the incident", + "format": "date-time", + "type": "string" + }, + "lastModifiedTimeUtc": { + 
"description": "The last time the incident was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", + "items": { + "description": "Related Analytic rule resource id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "status": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + } + }, + "required": [ + "title", + "severity", + "status" + ], + "type": "object" + }, + "OfficeConsent": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + 
"x-ms-client-flatten": true + } + }, + "type": "object" + }, + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "tenantName": { + "description": "The tenant name of the Office365 with the consent.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "Operation": { + "description": "Operation provided by provider", + "properties": { + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" + }, + "origin": { + "description": "The origin of the operation", + "type": "string" + } + }, + "type": "object" + }, + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "Resource": { + "description": "An azure resource object", + 
"properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + } + }, + "type": "object", + "x-ms-azure-resource": true + }, + "ResourceWithEtag": { + "description": "An azure resource object with an Etag property", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + }, + "etag": { + "description": "Etag of the azure resource", + "type": "string" + } + }, + "type": "object", + "x-ms-azure-resource": true + }, + "Settings": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "The Settings.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/SettingsKind", + "description": "The data connector kind" + } + }, + "type": "object" + }, + "SettingsKind": { + "description": "The kind of the setting", + "enum": [ + "UebaSettings", + "ToggleSettings" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" + } + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free 
text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "ToggleSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/ToggleSettingsProperties", + "description": "toggle properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ToggleSettings" + }, + "ToggleSettingsProperties": { + "description": "toggle property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "type": "boolean" + } + }, + "type": "object" + }, + "UebaSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Represents settings for User and Entity Behavior Analytics enablement.", + "properties": { + "properties": { + "$ref": "#/definitions/UebaSettingsProperties", + "description": "User and Entity Behavior Analytics settings properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "UebaSettings" + }, + "UebaSettingsProperties": { + "description": "User and Entity Behavior Analytics settings property bag.", + "properties": { + "atpLicenseStatus": { + "description": "Determines whether the tenant has ATP (Advanced Threat Protection) license.", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "LicenseStatus" + } + }, + "isEnabled": { + "description": "Determines whether User and Entity Behavior Analytics is enabled for this workspace.", + "type": "boolean" + }, + "statusInMcas": { + "description": "Determines whether User and Entity Behavior 
Analytics is enabled from MCAS (Microsoft Cloud App Security).", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "StatusInMcas" + } + } + }, + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "objectId" + ], + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": { + "AggregationsName": { + "description": "The aggregation name. 
Supports - Cases", + "in": "path", + "name": "aggregationsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "description": "API version for the operation", + "enum": [ + "2020-01-01" + ], + "in": "query", + "name": "api-version", + "required": true, + "type": "string" + }, + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Incident": { + "description": "The incident", + "in": "body", + "name": "incident", + "required": true, + "schema": { + "$ref": "#/definitions/Incident" + }, + "x-ms-parameter-location": "method" + }, + "IncidentComment": { + "description": "The incident comment", + "in": "body", + "name": "incidentComment", + "required": true, + "schema": { + "$ref": "#/definitions/IncidentComment" + }, + "x-ms-parameter-location": "method" + }, + "IncidentCommentId": { + "description": "Incident comment ID", + "in": "path", + "name": "incidentCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "IncidentId": { + "description": "Incident ID", + "in": "path", + "name": "incidentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataFilter": { + "description": "Filters the results, based on a Boolean condition. Optional.", + "in": "query", + "name": "$filter", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataOrderBy": { + "description": "Sorts the results. 
Optional.", + "in": "query", + "name": "$orderby", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataTop": { + "description": "Returns only the first n results. Optional.", + "format": "int32", + "in": "query", + "name": "$top", + "required": false, + "type": "integer", + "x-ms-parameter-location": "method" + }, + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. Supports- Fusion, UEBA", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SubscriptionId": { + "description": "Azure subscription ID", + "in": "path", + "name": "subscriptionId", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "required": true, + "type": "string" + }, + "WorkspaceName": { + "description": "The name of the workspace.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "workspaceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} 
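Review bot: The spec is added under stable/2021-10-01 but `"info"."version"` and the `ApiVersion` parameter enum both still say `"2020-01-01"`, so everything generated from this file (SDKs, the api-version the clients send) targets the old version; change them to `"version": "2021-10-01"` and `"enum": ["2021-10-01"]`, and update the same `"api-version": "2020-01-01"` value in the CreateBookmark and DeleteBookmark examples in the two hunks that follow. `OfficeConsentList` is the only list definition without `"type": "object"` — add it so it matches `IncidentList`, `IncidentCommentList` and `OperationsList`. Two descriptions are copy-paste leftovers: `AttackTactic` reads "The severity for alerts created by this alert rule." although it enumerates attack tactics, and `Settings.kind` reads "The data connector kind" although it references `SettingsKind`. `IncidentComments_CreateComment` is a PUT that declares only a `201` response while `Incidents_CreateOrUpdate` declares both `200` and `201`; if replacing an existing comment is meant to be rejected, say so in the operation description, otherwise add the `200` response.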
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
new file mode 100644
index 000000000000..42dc461a6f52
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
@@ -0,0 +1,93 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "bookmark": {
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "displayName": "My bookmark",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+ },
+ "updated": "2019-01-01T13:15:30Z",
+ "created": "2019-01-01T13:15:30Z",
+ "notes": "Found a suspicious activity",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+ "queryResult": "Security Event query result"
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/bookmarks",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "displayName": "My bookmark",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updated": "2019-01-01T13:15:30Z",
+ "created": "2019-01-01T13:15:30Z",
+ "notes": "Found a suspicious activity",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+ "queryResult": "Security Event query result"
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/bookmarks",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "displayName": "My bookmark",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updated": "2019-01-01T13:15:30Z",
+ "created": "2019-01-01T13:15:30Z",
+ "notes": "Found a suspicious activity",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+ "queryResult": "Security Event query result"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
new file mode 100644
index 000000000000..f8357a113600
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
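Review bot: The bookmark `query` in the request body and in both response bodies can never return a row: `TimeGenerated > ago(1d) and TimeGenerated < ago(2d)` asks for events newer than one day ago and, at the same time, older than two days ago, and ago(1d) is the later instant of the two. If the intent is "between two and one days ago", the bounds should be swapped: `"query": "SecurityEvent | where TimeGenerated > ago(2d) and TimeGenerated < ago(1d)"`. The same query text is copied into GetBookmarkById.json and GetBookmarks.json later in this patch. Separately, the PUT body supplies `createdBy`, `updatedBy`, `created` and `updated`, which the responses show the service populating itself (the response copies gain `email` and `name`); if Bookmarks.json marks those properties readOnly the request example should omit them, but that schema is outside this hunk so treat this as something to confirm.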
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
new file mode 100644
index 000000000000..d38d2d2eee42
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
@@ -0,0 +1,48 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/bookmarks",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "displayName": "My bookmark",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updated": "2019-01-01T13:15:30Z",
+ "created": "2019-01-01T13:15:30Z",
+ "notes": "Found a suspicious activity",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+ "queryResult": "Security Event query result",
+ "incidentInfo": {
+ "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D",
+ "severity": "Low",
+ "title": "New case 1",
+ "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
new file mode 100644
index 000000000000..78612f8957a5
--- /dev/null
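Review bot: `incidentInfo.incidentId` is the only GUID in these examples written in upper case (`"DDA55F97-170B-40B9-B8ED-CBFD05481E7D"`), while every other identifier in the same body, including `relationName` three lines below, is lower case; mixed casing in a reference example invites consumers to treat the two forms as different values. Suggest `"incidentId": "dda55f97-170b-40b9-b8ed-cbfd05481e7d"` here and in the copy of this block in GetBookmarks.json.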
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
@@ -0,0 +1,51 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/bookmarks",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "displayName": "My bookmark",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updated": "2019-01-01T13:15:30Z",
+ "created": "2019-01-01T13:15:30Z",
+ "notes": "Found a suspicious activity",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
+ "queryResult": "Security Event query result",
+ "incidentInfo": {
+ "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D",
+ "severity": "Low",
+ "title": "New case 1",
+ "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
new file mode 100644
index 000000000000..51d132bc4656
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
@@ -0,0 +1,76 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "dataConnector": {
+ "kind": "Office365",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "sharePoint": {
+ "state": "Enabled"
+ },
+ "exchange": {
+ "state": "Enabled"
+ },
+ "teams": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Office365",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "sharePoint": {
+ "state": "Enabled"
+ },
+ "exchange": {
+ "state": "Enabled"
+ },
+ "teams": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Office365",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "sharePoint": {
+ "state": "Enabled"
+ },
+ "exchange": {
+ "state": "Enabled"
+ },
+ "teams": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
new file mode 100644
index 000000000000..200254b12150
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
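Review bot: The example file name `CreateOfficeDataConnetor.json` misspells "Connector", and the same typo is carried by `DeleteOfficeDataConnetor.json` and `GetOfficeDataConnetorById.json` later in this patch. Example file names are normally referenced from the spec's `x-ms-examples` entries and end up in generated documentation, so the typo propagates beyond this directory. Renaming the three files to `CreateOfficeDataConnector.json`, `DeleteOfficeDataConnector.json` and `GetOfficeDataConnectorById.json` would also require updating the matching references in DataConnectors.json, which is outside this hunk.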
@@ -0,0 +1,60 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "dataConnector": {
+ "kind": "ThreatIntelligence",
+ "properties": {
+ "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
+ "dataTypes": {
+ "indicators": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "ThreatIntelligence",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
+ "dataTypes": {
+ "indicators": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "ThreatIntelligence",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
+ "dataTypes": {
+ "indicators": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
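Review bot: `tipLookbackPeriod` is shown as an absolute timestamp (`"tipLookbackPeriod": "2020-01-01T13:00:30.123Z"`) although the name reads like a duration, so a caller copying this example cannot tell whether the service wants a point in time or an ISO 8601 period such as `P30D`. The property is defined in DataConnectors.json, outside this hunk; the fix is most likely a clearer description there stating that the value is the earliest indicator timestamp to import, after which the example value is fine as it stands. Also, unlike the Office365 create example, this request omits `etag`; that is acceptable if the property is optional, but the two create examples would read better with the same shape.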
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
new file mode 100644
index 000000000000..e279bf430a8a
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
new file mode 100644
index 000000000000..fdcae39200b9
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
@@ -0,0 +1,29 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "kind": "AmazonWebServicesCloudTrail",
+ "properties": {
+ "awsRoleArn": "myAwsRoleArn",
+ "dataTypes": {
+ "logs": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
new file mode 100644
index 000000000000..ceab1826ed8f
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
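Review bot: `awsRoleArn` is given as `"myAwsRoleArn"`, which is not shaped like an ARN at all; this is presumably the IAM role the connector assumes to read CloudTrail, so the example should show the form a caller actually has to supply, e.g. `"awsRoleArn": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"` with the two parts as obvious placeholders rather than a free-text label. The same placeholder value appears in the AmazonWebServicesCloudTrail entry of GetDataConnectors.json. Minor style point: this body lists `etag` before `kind`, the reverse of every other connector example in the patch.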
@@ -0,0 +1,29 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
+ "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureActiveDirectory",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
new file mode 100644
index 000000000000..08991fc9ee84
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
@@ -0,0 +1,29 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "07e42cb3-e658-4e90-801c-efa0f29d3d44"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44",
+ "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureAdvancedThreatProtection",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
new file mode 100644
index 000000000000..6fba0c432dc3
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
@@ -0,0 +1,29 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
+ "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureSecurityCenter",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
new file mode 100644
index 000000000000..0f46da365092
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
@@ -0,0 +1,143 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
+ "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureSecurityCenter",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "ThreatIntelligence",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "indicators": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
+ "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureActiveDirectory",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Office365",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "sharePoint": {
+ "state": "Enabled"
+ },
+ "exchange": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42",
+ "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "MicrosoftCloudAppSecurity",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ },
+ "discoveryLogs": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44",
+ "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "AzureAdvancedThreatProtection",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "kind": "AmazonWebServicesCloudTrail",
+ "properties": {
+ "awsRoleArn": "myAwsRoleArn",
+ "dataTypes": {
+ "logs": {
+ "state": "Enabled"
+ }
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "MicrosoftDefenderAdvancedThreatProtection",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
new file mode 100644
index 000000000000..8dab3597a1fa
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
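Review bot: The `value` array lists two different resources under the same `id` and `name`, `c345bf40-8509-4ed2-b947-50cb773aaf04`, once with `"kind": "ThreatIntelligence"` and once with `"kind": "AmazonWebServicesCloudTrail"`; a single list response cannot contain the same ARM resource id twice, so the AWS entry needs its own GUID (the by-id examples GetThreatIntelligenceById.json and GetAmazonWebServicesCloudTrailById.json reuse this value for both kinds as well, so a new id for the AWS connector should be applied in all three places). The ThreatIntelligence entry here also omits `tipLookbackPeriod`, which GetThreatIntelligenceById.json returns for the same connector id; if the service always returns that property the list entry should include it so the list and by-id examples agree.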
@@ -0,0 +1,32 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "b96d014d-b5c2-4a01-9aba-a8058f629d42"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42",
+ "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "MicrosoftCloudAppSecurity",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ },
+ "discoveryLogs": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
new file mode 100644
index 000000000000..57d265c307c6
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
@@ -0,0 +1,29 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "MicrosoftDefenderAdvancedThreatProtection",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
new file mode 100644
index 000000000000..a696c73731ef
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
@@ -0,0 +1,35 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Office365",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "dataTypes": {
+ "sharePoint": {
+ "state": "Enabled"
+ },
+ "exchange": {
+ "state": "Enabled"
+ },
+ "teams": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
new file mode 100644
index 000000000000..2fd7052c04a4
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
@@ -0,0 +1,30 @@
+{
+ "parameters": {
+ "api-version": "2020-01-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "ThreatIntelligence",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
+ "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
+ "dataTypes": {
+ "indicators": {
+ "state": "Enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
From 8a84a8169e83c0e79eeff2b8777822518a3de570 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Mon, 25 Oct 2021 11:30:21 +0300
Subject: [PATCH 02/12] Update version in added resources and examples
---
.../Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json | 2 +-
.../stable/2021-10-01/DataConnectors.json | 2 +-
.../stable/2021-10-01/SecurityInsights.json | 2 +-
.../stable/2021-10-01/examples/bookmarks/CreateBookmark.json | 2 +-
.../stable/2021-10-01/examples/bookmarks/DeleteBookmark.json | 2 +-
.../stable/2021-10-01/examples/bookmarks/GetBookmarkById.json | 2 +-
.../stable/2021-10-01/examples/bookmarks/GetBookmarks.json | 2 +-
.../examples/dataConnectors/CreateOfficeDataConnetor.json | 2 +-
.../dataConnectors/CreateThreatIntelligenceDataConnector.json | 2 +-
.../examples/dataConnectors/DeleteOfficeDataConnetor.json | 2 +-
.../dataConnectors/GetAmazonWebServicesCloudTrailById.json | 2 +-
.../examples/dataConnectors/GetAzureActiveDirectoryById.json | 2 +-
.../dataConnectors/GetAzureAdvancedThreatProtectionById.json | 2 +-
.../examples/dataConnectors/GetAzureSecurityCenterById.json | 2 +-
.../2021-10-01/examples/dataConnectors/GetDataConnectors.json | 2 +-
.../dataConnectors/GetMicrosoftCloudAppSecurityById.json | 2 +-
.../GetMicrosoftDefenderAdvancedThreatProtectionById.json | 2 +-
.../examples/dataConnectors/GetOfficeDataConnetorById.json | 2 +-
.../examples/dataConnectors/GetThreatIntelligenceById.json | 2 +-
19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
index a3581ff591da..2496da22e4d8 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
@@ -3,7 +3,7 @@
 "info": {
 "title": "Security Insights",
 "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
- "version": "2020-01-01"
+ "version": "2021-10-01"
 },
 "host": "management.azure.com",
 "schemes": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
index 4bfbc702611d..84110f9ab021 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
@@ -3,7 +3,7 @@
 "info": {
 "title": "Security Insights",
 "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
- "version": "2020-01-01"
+ "version": "2021-10-01"
 },
 "host": "management.azure.com",
 "schemes": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
index 1bb0b3dff3b2..36c7cae95a64 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
@@ -3,7 +3,7 @@
 "info": {
 "title": "Security Insights",
 "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
- "version": "2020-01-01"
+ "version": "2021-10-01"
 },
 "host": "management.azure.com",
 "schemes": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
index 42dc461a6f52..be2a257b88bd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/CreateBookmark.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
index f8357a113600..91e3de6673f8 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/DeleteBookmark.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
index d38d2d2eee42..89ad94b1aaa1 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarkById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
index 78612f8957a5..4fb985039c0d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/bookmarks/GetBookmarks.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
index 51d132bc4656..7c1258217f99 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateOfficeDataConnetor.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
index 200254b12150..f8d906179085 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
index e279bf430a8a..ce2ef667e7af 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/DeleteOfficeDataConnetor.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
index fdcae39200b9..232103757892 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
index ceab1826ed8f..99adfe150962 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureActiveDirectoryById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
index 08991fc9ee84..139200702807 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
index 6fba0c432dc3..c4d790ff51b6 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetAzureSecurityCenterById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
index 0f46da365092..847fe26d84ec 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetDataConnectors.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
index 8dab3597a1fa..396e08107fd3 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
index 57d265c307c6..48a0474856e4 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
index a696c73731ef..79b076d73702 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetOfficeDataConnetorById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
index 2fd7052c04a4..ec80f5083412 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/dataConnectors/GetThreatIntelligenceById.json
@@ -1,6 +1,6 @@
 {
 "parameters": {
- "api-version": "2020-01-01",
+ "api-version": "2021-10-01",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
 "workspaceName": "myWorkspace",
From 3b67de60440e40539e2bed56b4a8d82266aa95c9 Mon Sep 17 00:00:00 2001
From: Anat Gilenson Date: Mon, 25 Oct 2021 17:32:10 +0300 Subject: [PATCH 03/12] Use existing common types
---
.../stable/2021-10-01/Bookmarks.json | 77 ++++++------------- .../stable/2021-10-01/DataConnectors.json | 42 +++++----- 2 files changed, 45 insertions(+), 74 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
index 2496da22e4d8..a2285a713d03 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
@@ -48,16 +48,16 @@
 "operationId": "Bookmarks_List",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 }
 ],
 "responses": {
@@ -70,7 +70,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 },
@@ -93,16 +93,16 @@
 "operationId": "Bookmarks_Get",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/BookmarkId"
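Review bot: The new `$ref` targets in the parameter lists, `../../../common/2.0/types.json#/parameters/WorkspaceName` and `../../../../../common-types/resource-management/v3/types.json#/parameters/...`, point at files this patch series does not add or touch, so the spec only resolves if both already exist at exactly those depths relative to `stable/2021-10-01/`; that is worth a CI validation run before merge rather than an assumption. The `default` response in the second hunk swaps `SecurityInsights.json#/definitions/CloudError` for the common `ErrorResponse`, which is a change to the documented error body of every operation; if the two shapes differ, generated SDK error types change too, and a sentence in the commit description saying this is intentional would help reviewers. The same substitutions are repeated in the remaining Bookmarks.json hunks and in every DataConnectors.json hunk of this patch, so one confirmation covers all of them.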
@@ -118,7 +118,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -136,16 +136,16 @@
 "operationId": "Bookmarks_CreateOrUpdate",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/BookmarkId"
@@ -170,7 +170,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -188,16 +188,16 @@
 "operationId": "Bookmarks_Delete",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/BookmarkId"
@@ -213,7 +213,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -224,7 +224,7 @@
 "Bookmark": {
 "allOf": [
 {
- "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag"
+ "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents a bookmark in Azure Security Insights.",
@@ -267,7 +267,7 @@
 "type": "string"
 },
 "createdBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that created the bookmark",
 "type": "object"
 },
@@ -278,7 +278,7 @@
 "labels": {
 "description": "List of labels relevant to this bookmark",
 "items": {
- "$ref": "#/definitions/Label"
+ "$ref": "../../../common/2.0/types.json#/definitions/Label"
 },
 "type": "array"
 },
@@ -300,7 +300,7 @@
 "type": "string"
 },
 "updatedBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that updated the bookmark",
 "type": "object"
 },
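Review bot: The `createdBy` and `updatedBy` hunks re-point `UserInfo` at `../../../common/2.0/types.json`, while the inline definition deleted in the next hunk pins `objectId` as required with `format: uuid` and `x-nullable: true` and marks `email` and `name` read-only; nothing in this patch shows that the common `UserInfo` carries the same constraints. If the common definition is looser, the Bookmark model silently loses validation on who created or changed a bookmark, which matters for audit data, so please confirm the two definitions match or state the intentional difference in the description. The same applies to `Label`, which the deleted definition constrains to a plain string.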
@@ -385,35 +385,6 @@
 }
 },
 "type": "object"
- },
- "Label": {
- "description": "Label that will be used to tag and filter on.",
- "type": "string"
- },
- "UserInfo": {
- "description": "User information that made some action",
- "properties": {
- "email": {
- "description": "The email of the user.",
- "readOnly": true,
- "type": "string"
- },
- "name": {
- "description": "The name of the user.",
- "readOnly": true,
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user.",
- "format": "uuid",
- "type": "string",
- "x-nullable": true
- }
- },
- "required": [
- "objectId"
- ],
- "type": "object"
 }
 },
 "parameters": {
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
index 84110f9ab021..b288aa1932ca 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json
@@ -48,16 +48,16 @@
 "operationId": "DataConnectors_List",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 }
 ],
 "responses": {
@@ -70,7 +70,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 },
@@ -114,16 +114,16 @@
 "operationId": "DataConnectors_Get",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/DataConnectorId"
@@ -139,7 +139,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -160,16 +160,16 @@
 "operationId": "DataConnectors_CreateOrUpdate",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/DataConnectorId"
@@ -194,7 +194,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -212,16 +212,16 @@
 "operationId": "DataConnectors_Delete",
 "parameters": [
 {
- "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
 },
 {
- "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/DataConnectorId"
@@ -237,7 +237,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "SecurityInsights.json#/definitions/CloudError"
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
 }
 }
 }
@@ -399,7 +399,7 @@
 "DataConnector": {
 "allOf": [
 {
- "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag"
+ "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Data connector.",
From c5edfb4ba2ba82b3ee164080d5ba19862afec752 Mon Sep 17 00:00:00 2001
From: Anat Gilenson Date: Mon, 25 Oct 2021 17:33:02 +0300 Subject: [PATCH 04/12] Remove unnesessary SecurityInsights.json
---
.../stable/2021-10-01/SecurityInsights.json | 1430 ----------------- 1 file changed, 1430 deletions(-) delete mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
deleted file mode 100644
index 36c7cae95a64..000000000000
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json
+++ /dev/null
@@ -1,1430 +0,0 @@ -{ - "swagger": "2.0", - "info": { - "title": "Security Insights", - "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2021-10-01" - }, - "host": "management.azure.com", - "schemes": [ - "https" - ], - "consumes": [ - "application/json" - ], - "produces": [ - "application/json" - ], - "security": [ - { - "azure_auth": [ - "user_impersonation" - ] - } - ], - "securityDefinitions": { - "azure_auth": { - "type": "oauth2", - "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", - "flow": "implicit", - "description": "Azure Active Directory OAuth2 Flow", - "scopes": { - "user_impersonation": "impersonate your user account" - } - } - }, - "paths": { - "/providers/Microsoft.SecurityInsights/operations": { - "get": { - "operationId": "Operations_List", - "description": "Lists all operations available Azure Security Insights Resource Provider.", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - } - ], - "produces": [ - "application/json" - ], - "responses": { - "200": { - "description": "OK. 
Successfully retrieved operations list.", - "schema": { - "$ref": "#/definitions/OperationsList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation 
successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentCommentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" - } - }, - "tags": [ - "IncidentComments" - 
], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Creates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - }, - { - "$ref": "#/parameters/IncidentComment" - } - ], - "responses": { - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - } - }, - "definitions": { - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": 
"string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "CloudError": { - "x-ms-external": true, - "properties": { - "error": { - "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", - "description": "The error object of the CloudError response" - } - }, - "type": "object", - "description": "An error response for a resource management request." - }, - "Incident": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - "properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - 
"type": "string" - }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "IncidentComment": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Represents an incident comment", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentCommentProperties", - "description": "Incident comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentCommentList": { - "description": "List of incident comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/IncidentComment" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "IncidentCommentProperties": { - "description": "Incident comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" - }, - "author": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "IncidentLabel": { - "description": "Represents an incident label", - "properties": { - "labelName": { - "description": "The name of the label", - "type": "string" - }, - "labelType": { - "description": "The type of the label", - "enum": [ - "User", - "System" - ], - "type": "string", - "readOnly": true, - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentLabelType", - "values": [ - { - "description": "Label manually created by a 
user", - "value": "User" - }, - { - "description": "Label automatically created by the system", - "value": "System" - } - ] - } - } - }, - "required": [ - "labelName" - ], - "type": "object" - }, - "IncidentList": { - "description": "List all the incidents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of incidents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of incidents.", - "items": { - "$ref": "#/definitions/Incident" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "IncidentOwnerInfo": { - "description": "Information on the user an incident is assigned to", - "properties": { - "email": { - "description": "The email of the user the incident is assigned to.", - "type": "string" - }, - "assignedTo": { - "description": "The name of the user the incident is assigned to.", - "type": "string" - }, - "objectId": { - "description": "The object id of the user the incident is assigned to.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the user the incident is assigned to.", - "type": "string" - } - }, - "type": "object" - }, - "IncidentProperties": { - "description": "Describes incident properties", - "properties": { - "additionalData": { - "$ref": "#/definitions/IncidentAdditionalData", - "description": "Additional data on the incident", - "readOnly": true, - "type": "object" - }, - "classification": { - "description": "The reason the incident was closed", - "enum": [ - "Undetermined", - "TruePositive", - "BenignPositive", - "FalsePositive" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassification", - "values": [ - { - "description": "Incident classification was undetermined", - "value": "Undetermined" - }, - { - "description": "Incident was true positive", - "value": "TruePositive" - }, - { - "description": "Incident was benign positive", - 
"value": "BenignPositive" - }, - { - "description": "Incident was false positive", - "value": "FalsePositive" - } - ] - } - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "description": "The classification reason the incident was closed with", - "enum": [ - "SuspiciousActivity", - "SuspiciousButExpected", - "IncorrectAlertLogic", - "InaccurateData" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassificationReason", - "values": [ - { - "description": "Classification reason was suspicious activity", - "value": "SuspiciousActivity" - }, - { - "description": "Classification reason was suspicious but expected", - "value": "SuspiciousButExpected" - }, - { - "description": "Classification reason was incorrect alert logic", - "value": "IncorrectAlertLogic" - }, - { - "description": "Classification reason was inaccurate data", - "value": "InaccurateData" - } - ] - } - }, - "createdTimeUtc": { - "description": "The time the incident was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the incident", - "type": "string" - }, - "firstActivityTimeUtc": { - "description": "The time of the first activity in the incident", - "format": "date-time", - "type": "string" - }, - "incidentUrl": { - "description": "The deep-link url to the incident in Azure portal", - "readOnly": true, - "type": "string" - }, - "incidentNumber": { - "description": "A sequential number", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "labels": { - "description": "List of labels relevant to this incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "lastActivityTimeUtc": { - "description": "The time of the last activity in the incident", - "format": "date-time", - "type": "string" - }, - "lastModifiedTimeUtc": { - 
"description": "The last time the incident was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "relatedAnalyticRuleIds": { - "description": "List of resource ids of Analytic rules related to the incident", - "items": { - "description": "Related Analytic rule resource id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "status": { - "description": "The status of the incident", - "enum": [ - "New", - "Active", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentStatus", - "values": [ - { - "description": "An active incident which isn't being handled currently", - "value": "New" - }, - { - "description": "An active incident which is being handled", - "value": "Active" - }, - { - "description": "A non-active incident", - "value": "Closed" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "OfficeConsent": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Consent for Office365 tenant that already made.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeConsentProperties", - "description": "Office consent properties", - 
"x-ms-client-flatten": true - } - }, - "type": "object" - }, - "OfficeConsentList": { - "description": "List of all the office365 consents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of office consents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of the consents.", - "items": { - "$ref": "#/definitions/OfficeConsent" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "OfficeConsentProperties": { - "description": "Consent property bag.", - "properties": { - "tenantId": { - "description": "The tenantId of the Office365 with the consent.", - "type": "string" - }, - "tenantName": { - "description": "The tenant name of the Office365 with the consent.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "Operation": { - "description": "Operation provided by provider", - "properties": { - "display": { - "description": "Properties of the operation", - "properties": { - "description": { - "description": "Description of the operation", - "type": "string" - }, - "operation": { - "description": "Operation name", - "type": "string" - }, - "provider": { - "description": "Provider name", - "type": "string" - }, - "resource": { - "description": "Resource name", - "type": "string" - } - }, - "type": "object" - }, - "name": { - "description": "Name of the operation", - "type": "string" - }, - "origin": { - "description": "The origin of the operation", - "type": "string" - } - }, - "type": "object" - }, - "OperationsList": { - "description": "Lists the operations available in the SecurityInsights RP.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of operations.", - "type": "string" - }, - "value": { - "description": "Array of operations", - "items": { - "$ref": "#/definitions/Operation" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "Resource": { - "description": "An azure resource object", - 
"properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - } - }, - "type": "object", - "x-ms-azure-resource": true - }, - "ResourceWithEtag": { - "description": "An azure resource object with an Etag property", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - }, - "etag": { - "description": "Etag of the azure resource", - "type": "string" - } - }, - "type": "object", - "x-ms-azure-resource": true - }, - "Settings": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "The Settings.", - "discriminator": "kind", - "required": [ - "kind" - ], - "properties": { - "kind": { - "$ref": "#/definitions/SettingsKind", - "description": "The data connector kind" - } - }, - "type": "object" - }, - "SettingsKind": { - "description": "The kind of the setting", - "enum": [ - "UebaSettings", - "ToggleSettings" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "SettingKind" - } - }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", - "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - "format": "double", - "readOnly": true, - "type": "number" - }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", - "readOnly": true, - "type": "string" - }, - "reportLink": { - "description": "Report link", - "readOnly": true, - "type": "string" - }, - "threatDescription": { - "description": "Threat description (free 
text)", - "readOnly": true, - "type": "string" - }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", - "readOnly": true, - "type": "string" - }, - "threatType": { - "description": "Threat type (e.g. \"Botnet\")", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "ToggleSettings": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/ToggleSettingsProperties", - "description": "toggle properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ToggleSettings" - }, - "ToggleSettingsProperties": { - "description": "toggle property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "type": "boolean" - } - }, - "type": "object" - }, - "UebaSettings": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Represents settings for User and Entity Behavior Analytics enablement.", - "properties": { - "properties": { - "$ref": "#/definitions/UebaSettingsProperties", - "description": "User and Entity Behavior Analytics settings properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "UebaSettings" - }, - "UebaSettingsProperties": { - "description": "User and Entity Behavior Analytics settings property bag.", - "properties": { - "atpLicenseStatus": { - "description": "Determines whether the tenant has ATP (Advanced Threat Protection) license.", - "enum": [ - "Enabled", - "Disabled" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "LicenseStatus" - } - }, - "isEnabled": { - "description": "Determines whether User and Entity Behavior Analytics is enabled for this workspace.", - "type": "boolean" - }, - "statusInMcas": { - "description": "Determines whether User and Entity Behavior 
Analytics is enabled from MCAS (Microsoft Cloud App Security).", - "enum": [ - "Enabled", - "Disabled" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "StatusInMcas" - } - } - }, - "type": "object" - }, - "UserInfo": { - "description": "User information that made some action", - "properties": { - "email": { - "description": "The email of the user.", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The name of the user.", - "readOnly": true, - "type": "string" - }, - "objectId": { - "description": "The object id of the user.", - "format": "uuid", - "type": "string", - "x-nullable": true - } - }, - "required": [ - "objectId" - ], - "type": "object" - }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", - "properties": { - "incidentId": { - "description": "Incident Id", - "type": "string" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - }, - "relationName": { - "description": "Relation Name", - "type": "string" - } - }, - "type": "object" - } - }, - "parameters": { - "AggregationsName": { - "description": "The aggregation name. 
Supports - Cases", - "in": "path", - "name": "aggregationsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ApiVersion": { - "description": "API version for the operation", - "enum": [ - "2020-01-01" - ], - "in": "query", - "name": "api-version", - "required": true, - "type": "string" - }, - "ConsentId": { - "description": "consent ID", - "in": "path", - "name": "consentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityId": { - "description": "entity ID", - "in": "path", - "name": "entityId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryId": { - "description": "entity query ID", - "in": "path", - "name": "entityQueryId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Incident": { - "description": "The incident", - "in": "body", - "name": "incident", - "required": true, - "schema": { - "$ref": "#/definitions/Incident" - }, - "x-ms-parameter-location": "method" - }, - "IncidentComment": { - "description": "The incident comment", - "in": "body", - "name": "incidentComment", - "required": true, - "schema": { - "$ref": "#/definitions/IncidentComment" - }, - "x-ms-parameter-location": "method" - }, - "IncidentCommentId": { - "description": "Incident comment ID", - "in": "path", - "name": "incidentCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "IncidentId": { - "description": "Incident ID", - "in": "path", - "name": "incidentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataFilter": { - "description": "Filters the results, based on a Boolean condition. Optional.", - "in": "query", - "name": "$filter", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataOrderBy": { - "description": "Sorts the results. 
Optional.", - "in": "query", - "name": "$orderby", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataSkipToken": { - "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", - "in": "query", - "name": "$skipToken", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataTop": { - "description": "Returns only the first n results. Optional.", - "format": "int32", - "in": "query", - "name": "$top", - "required": false, - "type": "integer", - "x-ms-parameter-location": "method" - }, - "ResourceGroupName": { - "description": "The name of the resource group within the user's subscription. The name is case insensitive.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "resourceGroupName", - "pattern": "^[-\\w\\._\\(\\)]+$", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Settings": { - "description": "The setting", - "in": "body", - "name": "settings", - "required": true, - "schema": { - "$ref": "#/definitions/Settings" - }, - "x-ms-parameter-location": "method" - }, - "SettingsName": { - "description": "The setting name. Supports- Fusion, UEBA", - "in": "path", - "name": "settingsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "SubscriptionId": { - "description": "Azure subscription ID", - "in": "path", - "name": "subscriptionId", - "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", - "required": true, - "type": "string" - }, - "WorkspaceName": { - "description": "The name of the workspace.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "workspaceName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - } - } -} 
From 64c8111b6abb962cf8548a84509368ae6762d421 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Mon, 25 Oct 2021 17:33:56 +0300 Subject: [PATCH 05/12] Update readme --- specification/securityinsights/resource-manager/readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index d22bdf9e7cda..52cf65f4ea12 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -42,6 +42,8 @@ input-file: - Microsoft.SecurityInsights/stable/2021-10-01/operations.json - Microsoft.SecurityInsights/stable/2021-10-01/OnboardingStates.json - Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json + - Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json + - Microsoft.SecurityInsights/stable/2021-10-01/DataConnectors.json ``` ### Tag: package-2021-04-01-only From 30762e58dc2799f4802f5113fc8db3053fbc4f1c Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Thu, 4 Nov 2021 16:24:29 +0200 Subject: [PATCH 06/12] Use sentinel common types in Incidents and Watchlist --- .../stable/2021-10-01/Incidents.json | 57 ++----------------- .../stable/2021-10-01/Watchlists.json | 36 ++---------- 2 files changed, 9 insertions(+), 84 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json index bfc76a678c36..f7b67fae9009 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json 
@@ -915,29 +915,6 @@
 },
 "type": "object"
 },
- "ClientInfo": {
- "description": "Information on the client (user or application) that made some action",
- "properties": {
- "email": {
- "description": "The email of the client.",
- "type": "string"
- },
- "name": {
- "description": "The name of the client.",
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the client.",
- "format": "uuid",
- "type": "string"
- },
- "userPrincipalName": {
- "description": "The user principal name of the client.",
- "type": "string"
- }
- },
- "type": "object"
- },
 "CloudApplicationEntity": {
 "allOf": [
 {
@@ -1520,7 +1497,7 @@
 "type": "string"
 },
 "createdBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that created the bookmark",
 "type": "object"
 },
@@ -1536,7 +1513,7 @@
 "labels": {
 "description": "List of labels relevant to this bookmark",
 "items": {
- "$ref": "#/definitions/Label"
+ "$ref": "../../../common/2.0/types.json#/definitions/Label"
 },
 "type": "array"
 },
@@ -1558,7 +1535,7 @@
 "type": "string"
 },
 "updatedBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that updated the bookmark",
 "type": "object"
 },
@@ -1720,7 +1697,7 @@
 "type": "string"
 },
 "author": {
- "$ref": "#/definitions/ClientInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo",
 "description": "Describes the client that created the comment",
 "readOnly": true,
 "type": "object"
@@ -2276,10 +2253,6 @@
 },
 "type": "object"
 },
- "Label": {
- "description": "Label that will be used to tag and filter on.",
- "type": "string"
- },
 "MailboxEntity": {
 "allOf": [
 {
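Review bot: The local `ClientInfo` deleted in the first hunk (and `UserInfo` and `Label`, deleted in the following hunks of this file and in Watchlists.json) carried `"readOnly": true` on `email`/`name` and `"format": "uuid"` plus `"x-nullable": true` on `objectId`, while the replacement `$ref`s now point at `../../../common/2.0/types.json`, which is not part of this patch. It is worth confirming that the common `UserInfo`, `ClientInfo` and `Label` carry the same annotations; if they differ, the generated models for incidents, bookmarks and watchlists change shape with no visible diff in this series. From `stable/2021-10-01/` the path should resolve to `resource-manager/common/2.0/types.json`, so that file needs to exist at that location before these hunks land.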
@@ -3673,28 +3646,6 @@
 }
 },
 "type": "object"
- },
- "UserInfo": {
- "description": "User information that made some action",
- "properties": {
- "email": {
- "description": "The email of the user.",
- "readOnly": true,
- "type": "string"
- },
- "name": {
- "description": "The name of the user.",
- "readOnly": true,
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user.",
- "format": "uuid",
- "type": "string",
- "x-nullable": true
- }
- },
- "type": "object"
 }
 },
 "parameters": {
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json
index 529d5dcecb8e..3e864089242d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json
@@ -526,12 +526,12 @@
 "type": "string"
 },
 "createdBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that created the watchlist",
 "type": "object"
 },
 "updatedBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that updated the watchlist",
 "type": "object"
 },
@@ -554,7 +554,7 @@
 "labels": {
 "description": "List of labels relevant to this watchlist",
 "items": {
- "$ref": "#/definitions/Label"
+ "$ref": "../../../common/2.0/types.json#/definitions/Label"
 },
 "type": "array"
 },
@@ -664,12 +664,12 @@
 "type": "string"
 },
 "createdBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that created the watchlist item",
 "type": "object"
 },
 "updatedBy": {
- "$ref": "#/definitions/UserInfo",
+ "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
 "description": "Describes a user that updated the watchlist item",
 "type": "object"
 },
@@ -686,32 +686,6 @@
 "itemsKeyValue"
 ],
 "type": "object"
- },
- "UserInfo": {
- "description": "User information that made some action",
- "properties": {
- "email": {
- "description": "The email of the user.",
- "readOnly": true,
- "type": "string"
- },
- "name": {
- "description": "The name of the user.",
- "readOnly": true,
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user.",
- "format": "uuid",
- "type": "string",
- "x-nullable": true
- }
- },
- "type": "object"
- },
- "Label": {
- "description": "Label that will be used to tag and filter on.",
- "type": "string"
 }
 },
 "parameters": {
From 693980b0dcb373509154ebec3bf717ae67825eb4 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Thu, 4 Nov 2021 16:36:25 +0200
Subject: [PATCH 07/12] Extract and common IncidentInfo and IncidentSeverity
---
.../stable/2021-10-01/Bookmarks.json | 57 +-----------
.../stable/2021-10-01/Incidents.json | 86 +------------------
.../2021-10-01/common/IncidentTypes.json | 66 ++++++++++++++
3 files changed, 69 insertions(+), 140 deletions(-)
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
index a2285a713d03..2b6353834a55 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
@@ -320,7 +320,7 @@
 "type": "string"
 },
 "incidentInfo": {
- "$ref": "#/definitions/IncidentInfo",
+ "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
 "description": "Describes an incident that relates to bookmark",
 "type": "object"
 }
@@ -330,61 +330,6 @@
 "query"
 ],
 "type": "object"
- },
- "IncidentInfo": {
- "description": "Describes related incident information for the bookmark",
- "properties": {
- "incidentId": {
- "description": "Incident Id",
- "type": "string"
- },
- "severity": {
- "description": "The severity of the incident",
- "enum": [
- "Critical",
- "High",
- "Medium",
- "Low",
- "Informational"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "CaseSeverity",
- "values": [
- {
- "description": "Critical severity",
- "value": "Critical"
- },
- {
- "description": "High severity",
- "value": "High"
- },
- {
- "description": "Medium severity",
- "value": "Medium"
- },
- {
- "description": "Low severity",
- "value": "Low"
- },
- {
- "description": "Informational severity",
- "value": "Informational"
- }
- ]
- }
- },
- "title": {
- "description": "The title of the incident",
- "type": "string"
- },
- "relationName": {
- "description": "Relation Name",
- "type": "string"
- }
- },
- "type": "object"
 }
 },
 "parameters": {
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
index f7b67fae9009..e022d261287c 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
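Review bot: The `IncidentInfo` removed in the second hunk enumerated `severity` as Critical, High, Medium, Low and Informational under the x-ms-enum name `CaseSeverity`, but the common `IncidentInfo` that `incidentInfo` now references defines `severity` through `IncidentSeverityEnum`, which lists only High, Medium, Low and Informational under the name `IncidentSeverity`. Because `modelAsString` is true a `Critical` payload still deserializes, yet the documented value set shrinks and the generated enum type for bookmark consumers is renamed, which is a client-visible change inside a stable API version. If a bookmark's related incident can still carry `Critical`, the common enum should keep it, e.g. `"enum": ["Critical", "High", "Medium", "Low", "Informational"]`; otherwise the dropped value deserves a sentence in the commit message. The same substitution is made for Incidents.json in the following hunks.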
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
@@ -1540,7 +1540,7 @@
 "type": "object"
 },
 "incidentInfo": {
- "$ref": "#/definitions/IncidentInfo",
+ "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
 "description": "Describes an incident that relates to bookmark",
 "type": "object"
 }
@@ -1747,61 +1747,6 @@
 ],
 "type": "object"
 },
- "IncidentInfo": {
- "description": "Describes related incident information for the bookmark",
- "properties": {
- "incidentId": {
- "description": "Incident Id",
- "type": "string"
- },
- "severity": {
- "description": "The severity of the incident",
- "enum": [
- "Critical",
- "High",
- "Medium",
- "Low",
- "Informational"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "CaseSeverity",
- "values": [
- {
- "description": "Critical severity",
- "value": "Critical"
- },
- {
- "description": "High severity",
- "value": "High"
- },
- {
- "description": "Medium severity",
- "value": "Medium"
- },
- {
- "description": "Low severity",
- "value": "Low"
- },
- {
- "description": "Informational severity",
- "value": "Informational"
- }
- ]
- }
- },
- "title": {
- "description": "The title of the incident",
- "type": "string"
- },
- "relationName": {
- "description": "Relation Name",
- "type": "string"
- }
- },
- "type": "object"
- },
 "IncidentLabel": {
 "description": "Represents an incident label",
 "properties": {
@@ -2019,35 +1964,8 @@
 },
 "severity": {
 "description": "The severity of the incident",
- "enum": [
- "High",
- "Medium",
- "Low",
- "Informational"
- ],
 "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentSeverity",
- "values": [
- {
- "description": "High severity",
- "value": "High"
- },
- {
- "description": "Medium severity",
- "value": "Medium"
- },
- {
- "description": "Low severity",
- "value": "Low"
- },
- {
- "description": "Informational severity",
- "value": "Informational"
- }
- ]
- }
+ "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum"
 },
 "status": {
 "description": "The status of the incident",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
new file mode 100644
index 000000000000..e74e8243a16d
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
@@ -0,0 +1,66 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "version": "2021-09-01-preview",
+ "title": "Common Incident types"
+ },
+ "paths": {},
+ "definitions": {
+ "IncidentSeverityEnum": {
+ "description": "The severity of the incident",
+ "enum": [
+ "High",
+ "Medium",
+ "Low",
+ "Informational"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentSeverity",
+ "values": [
+ {
+ "description": "High severity",
+ "value": "High"
+ },
+ {
+ "description": "Medium severity",
+ "value": "Medium"
+ },
+ {
+ "description": "Low severity",
+ "value": "Low"
+ },
+ {
+ "description": "Informational severity",
+ "value": "Informational"
+ }
+ ]
+ }
+ },
+ "IncidentInfo": {
+ "description": "Describes related incident information for the bookmark",
+ "properties": {
+ "incidentId": {
+ "description": "Incident Id",
+ "type": "string"
+ },
+ "severity": {
+ "description": "The severity of the incident",
+ "type": "string",
+ "$ref": "#/definitions/IncidentSeverityEnum"
+ },
+ "title": {
+ "description": "The title of the incident",
+ "type": "string"
+ },
+ "relationName": {
+ "description": "Relation Name",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "parameters": {}
+}
From 1dc2f2e49e2a60c792a0e82cabd5a9008da84500 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Thu, 4 Nov 2021 17:00:37 +0200
Subject: [PATCH 08/12] Extract EntityTypes
---
.../stable/2021-10-01/Incidents.json | 2851 ++---------------
.../stable/2021-10-01/ThreatIntelligence.json | 21 +-
.../stable/2021-10-01/common/EntityTypes.json | 2268 +++++++++++++
.../2021-10-01/common/IncidentTypes.json | 2 +-
4 files changed, 2567 insertions(+), 2575 deletions(-)
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json
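Review bot: `info.version` of the new `common/IncidentTypes.json` is `"2021-09-01-preview"`, yet the file lives under `stable/2021-10-01` and is referenced only from that version's Bookmarks.json and Incidents.json; it should read `"version": "2021-10-01"` so the shared file is not mistaken for a preview surface or rejected by version-consistency checks. Separately, `IncidentInfo.severity` keeps `"type": "string"` and `"description"` as siblings of `$ref` (the `severity` property in the preceding Incidents.json hunk does the same); under the JSON Reference semantics Swagger 2.0 inherits, sibling keywords of `$ref` are ignored, so the `type` line is redundant and the description may be dropped by ref-resolving tools. Keeping the `description` sibling matches the rest of this spec, but the `"type": "string"` line can be removed at both sites.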
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
index e022d261287c..d26b4d6cf2bf 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
@@ -788,2208 +788,317 @@ } }, "definitions": { - "AccountEntity": { + "Relation": { + "type": "object", + "description": "Represents a relation between two resources", "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" } ], - "description": "Represents an account entity.", "properties": { "properties": { - "$ref": "#/definitions/AccountEntityProperties", - "description": "Account entity properties", + "$ref": "#/definitions/RelationProperties", + "description": "Relation properties", "x-ms-client-flatten": true } - }, - "type": "object", - "x-ms-discriminator-value": "Account" + } }, - "AccountEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Account entity property bag.", + "RelationList": { + "description": "List of relations.", "properties": { - "aadTenantId": { - "description": "The Azure Active Directory tenant id.", - "readOnly": true, - "type": "string" - }, - "aadUserId": { - "description": "The Azure Active Directory user id.", - "readOnly": true, - "type": "string" - }, - "accountName": { - "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name of the account.", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this is a domain account.", - "readOnly": true, - "type": "boolean" - }, - "ntDomain": { - "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. 
Examples: NT AUTHORITY.", - "readOnly": true, - "type": "string" - }, - "objectGuid": { - "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", + "nextLink": { "readOnly": true, + "description": "URL to fetch the next set of relations.", "type": "string" }, - "puid": { - "description": "The Azure Active Directory Passport User ID.", - "readOnly": true, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/Relation" + } + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "RelationProperties": { + "description": "Relation property bag.", + "properties": { + "relatedResourceId": { + "description": "The resource ID of the related resource", "type": "string" }, - "sid": { - "description": "The account security identifier, e.g. S-1-5-18.", + "relatedResourceName": { + "description": "The name of the related resource", "readOnly": true, "type": "string" }, - "upnSuffix": { - "description": "The user principal name suffix for the account, in some cases it is also the domain name. 
Examples: contoso.com.", + "relatedResourceType": { + "description": "The resource type of the related resource", "readOnly": true, "type": "string" }, - "dnsDomain": { - "description": "The fully qualified domain DNS name.", + "relatedResourceKind": { + "description": "The resource kind of the related resource", "readOnly": true, "type": "string" } }, + "required": [ + "relatedResourceId" + ], "type": "object" }, - "AzureResourceEntity": { + "Incident": { "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" } ], - "description": "Represents an azure resource entity.", + "description": "Represents an incident in Azure Security Insights.", "properties": { "properties": { - "$ref": "#/definitions/AzureResourceEntityProperties", - "description": "AzureResource entity properties", + "$ref": "#/definitions/IncidentProperties", + "description": "Incident properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "AzureResource" + "type": "object" }, - "AzureResourceEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "AzureResource entity property bag.", + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", "properties": { - "resourceId": { - "description": "The azure resource id of the resource", + "alertsCount": { + "description": "The number of alerts in the incident", + "format": "int32", "readOnly": true, - "type": "string" + "type": "integer" }, - "subscriptionId": { - "description": "The subscription id of the resource", + "bookmarksCount": { + "description": "The number of bookmarks in the incident", + "format": "int32", "readOnly": true, - "type": "string" + "type": "integer" + }, + "commentsCount": { + "description": "The number of comments in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "alertProductNames": { + "description": 
"List of product names of alerts in the incident", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with incident", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } }, "type": "object" }, - "CloudApplicationEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a cloud application entity.", + "IncidentAlertList": { + "description": "List of incident alerts.", "properties": { - "properties": { - "$ref": "#/definitions/CloudApplicationEntityProperties", - "description": "CloudApplication entity properties", - "x-ms-client-flatten": true + "value": { + "description": "Array of incident alerts.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/SecurityAlert" + } } }, "type": "object", - "x-ms-discriminator-value": "CloudApplication" + "required": [ + "value" + ] }, - "CloudApplicationEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "CloudApplication entity property bag.", + "IncidentBookmarkList": { + "description": "List of incident bookmarks.", "properties": { - "appId": { - "description": "The technical identifier of the application.", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "appName": { - "description": "The name of the related cloud application.", - "readOnly": true, - "type": "string" - }, - "instanceName": { - "description": "The user defined instance name of the cloud application. 
It is often used to distinguish between several applications of the same type that a customer has.", - "readOnly": true, - "type": "string" + "value": { + "description": "Array of incident bookmarks.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/HuntingBookmark" + } } }, - "type": "object" + "type": "object", + "required": [ + "value" + ] }, - "DnsEntity": { + "IncidentComment": { "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" } ], - "description": "Represents a dns entity.", + "description": "Represents an incident comment", "properties": { "properties": { - "$ref": "#/definitions/DnsEntityProperties", - "description": "Dns entity properties", + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "DnsResolution" + "type": "object" }, - "DnsEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Dns entity property bag.", + "IncidentCommentList": { + "description": "List of incident comments.", "properties": { - "dnsServerIpEntityId": { - "description": "An ip entity id for the dns server resolving the request", - "readOnly": true, - "type": "string" - }, - "domainName": { - "description": "The name of the dns record associated with the alert", - "readOnly": true, - "type": "string" - }, - "hostIpAddressEntityId": { - "description": "An ip entity id for the dns request client", + "nextLink": { + "description": "URL to fetch the next set of comments.", "readOnly": true, "type": "string" }, - "ipAddressEntityIds": { - "description": "Ip entity identifiers for the resolved ip address.", + "value": { + "description": "Array of comments.", "items": { - "description": "Ip entity id", - "type": "string" + "$ref": "#/definitions/IncidentComment" }, - "readOnly": true, "type": 
"array" } }, - "type": "object" - }, - "Entity": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" - }, - { - "$ref": "#/definitions/EntityKind" - } - ], - "description": "Specific entity.", - "discriminator": "kind", "type": "object", "required": [ - "kind" + "value" ] }, - "EntityCommonProperties": { - "description": "Entity common property bag.", + "IncidentCommentProperties": { + "description": "Incident comment property bag.", "properties": { - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", "readOnly": true, - "type": "object" + "type": "string" }, - "friendlyName": { - "description": "The graph item display name which is a short humanly readable description of the graph item instance. 
This property is optional and might be system generated.", + "lastModifiedTimeUtc": { + "description": "The time the comment was updated", + "format": "date-time", "readOnly": true, "type": "string" + }, + "message": { + "description": "The comment message", + "type": "string" + }, + "author": { + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo", + "description": "Describes the client that created the comment", + "readOnly": true, + "type": "object" } }, + "required": [ + "message" + ], "type": "object" }, - "EntityEdges": { - "description": "The edge that connects the entity to the other entity.", + "IncidentEntitiesResponse": { + "description": "The incident related entities response.", + "type": "object", "properties": { - "targetEntityId": { - "description": "The target entity Id.", - "type": "string" + "entities": { + "description": "Array of the incident related entities.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + } }, - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "type": "object" + "metaData": { + "description": "The metadata from the incident related entities results.", + "type": "array", + "items": { + "$ref": "#/definitions/IncidentEntitiesResultsMetadata" + } + } + } + }, + "IncidentEntitiesResultsMetadata": { + "description": "Information of a specific aggregation in the incident related entities result.", + "properties": { + "count": { + "description": "Total number of aggregations of the given kind in the incident related entities result.", + "type": "integer", + "format": "int32" + }, + "entityKind": { + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." 
} }, + "required": [ + "entityKind", + "count" + ], "type": "object" }, - "EntityInnerKind": { - "description": "The kind of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DnsResolution", - "FileHash", - "Ip", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "Url", - "IoTDevice", - "SecurityAlert", - "Bookmark", - "Mailbox", - "MailCluster", - "MailMessage", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityKindEnum", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" - }, - { - "description": "Entity represents host in the system.", - "value": "Host" - }, - { - "description": "Entity represents file in the system.", - "value": "File" - }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" - }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" - }, - { - "description": "Entity represents dns resolution in the system.", - "value": "DnsResolution" - }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" - }, - { - "description": "Entity represents ip in the system.", - "value": "Ip" - }, - { - "description": "Entity represents malware in the system.", - "value": "Malware" - }, - { - "description": "Entity represents process in the system.", - "value": "Process" - }, - { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" - }, - { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" - }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" - }, - { - "description": "Entity represents url in the system.", - "value": "Url" - }, - { - "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" - 
}, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" - }, - { - "description": "Entity represents bookmark in the system.", - "value": "Bookmark" - }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" - }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" - }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" - }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" - } - ] - } - }, - "EntityKind": { - "description": "Describes an entity with kind.", - "properties": { - "kind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the entity." - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "FileEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "File" - }, - "FileEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "File entity property bag.", - "properties": { - "directory": { - "description": "The full path to the file.", - "readOnly": true, - "type": "string" - }, - "fileHashEntityIds": { - "description": "The file hash entity identifiers associated with this file", - "items": { - "description": "file hash id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "fileName": { - "description": "The file name without path (some alerts might not include path).", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id which the file belongs to", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - 
}, - "FileHashEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file hash entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileHashEntityProperties", - "description": "FileHash entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "FileHash" - }, - "FileHashEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "FileHash entity property bag.", - "properties": { - "algorithm": { - "description": "The hash algorithm type.", - "enum": [ - "Unknown", - "MD5", - "SHA1", - "SHA256", - "SHA256AC" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "FileHashAlgorithm", - "values": [ - { - "description": "Unknown hash algorithm", - "value": "Unknown" - }, - { - "description": "MD5 hash type", - "value": "MD5" - }, - { - "description": "SHA1 hash type", - "value": "SHA1" - }, - { - "description": "SHA256 hash type", - "value": "SHA256" - }, - { - "description": "SHA256 Authenticode hash type", - "value": "SHA256AC" - } - ] - } - }, - "hashValue": { - "description": "The file hash value.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "GeoLocation": { - "description": "The geo-location context attached to the ip entity", - "properties": { - "asn": { - "description": "Autonomous System Number", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "city": { - "description": "City name", - "readOnly": true, - "type": "string" - }, - "countryCode": { - "description": "The country code according to ISO 3166 format", - "readOnly": true, - "type": "string" - }, - "countryName": { - "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", - "readOnly": true, - "type": "string" - }, - "latitude": { - "description": "The longitude of the identified location, expressed as a 
floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "longitude": { - "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "state": { - "description": "State name", - "readOnly": true, - "type": "string" - } - }, - "readOnly": true, - "type": "object" - }, - "HostEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a host entity.", - "properties": { - "properties": { - "$ref": "#/definitions/HostEntityProperties", - "description": "Host entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Host" - }, - "HostEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Host entity property bag.", - "properties": { - "azureID": { - "description": "The azure resource id of the VM.", - "readOnly": true, - "type": "string" - }, - "dnsDomain": { - "description": "The DNS domain that this host belongs to. 
Should contain the compete DNS suffix for the domain", - "readOnly": true, - "type": "string" - }, - "hostName": { - "description": "The hostname without the domain suffix.", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this host belongs to a domain.", - "readOnly": true, - "type": "boolean" - }, - "netBiosName": { - "description": "The host name (pre-windows2000).", - "readOnly": true, - "type": "string" - }, - "ntDomain": { - "description": "The NT domain that this host belongs to.", - "readOnly": true, - "type": "string" - }, - "omsAgentID": { - "description": "The OMS agent id, if the host has OMS agent installed.", - "readOnly": true, - "type": "string" - }, - "osFamily": { - "description": "The operating system type.", - "enum": [ - "Linux", - "Windows", - "Android", - "IOS", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "OSFamily", - "values": [ - { - "description": "Host with Linux operating system.", - "value": "Linux" - }, - { - "description": "Host with Windows operating system.", - "value": "Windows" - }, - { - "description": "Host with Android operating system.", - "value": "Android" - }, - { - "description": "Host with IOS operating system.", - "value": "IOS" - }, - { - "description": "Host with Unknown operating system.", - "value": "Unknown" - } - ] - } - }, - "osVersion": { - "description": "A free text representation of the operating system. 
This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
- },
- "HuntingBookmark": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a Hunting bookmark entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/HuntingBookmarkProperties",
- "description": "HuntingBookmark entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Bookmark"
- },
- "HuntingBookmarkProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Describes bookmark properties",
- "properties": {
- "created": {
- "description": "The time the bookmark was created",
- "format": "date-time",
- "type": "string"
- },
- "createdBy": {
- "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
- "description": "Describes a user that created the bookmark",
- "type": "object"
- },
- "displayName": {
- "description": "The display name of the bookmark",
- "type": "string"
- },
- "eventTime": {
- "description": "The time of the event",
- "format": "date-time",
- "type": "string"
- },
- "labels": {
- "description": "List of labels relevant to this bookmark",
- "items": {
- "$ref": "../../../common/2.0/types.json#/definitions/Label"
- },
- "type": "array"
- },
- "notes": {
- "description": "The notes of the bookmark",
- "type": "string"
- },
- "query": {
- "description": "The query of the bookmark.",
- "type": "string"
- },
- "queryResult": {
- "description": "The query result of the bookmark.",
- "type": "string"
- },
- "updated": {
- "description": "The last time the bookmark was updated",
- "format": "date-time",
- "type": "string"
- },
- "updatedBy": {
- "$ref": "../../../common/2.0/types.json#/definitions/UserInfo",
- "description": "Describes a user that updated the bookmark",
- "type":
"object"
- },
- "incidentInfo": {
- "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
- "description": "Describes an incident that relates to bookmark",
- "type": "object"
- }
- },
- "required": [
- "displayName",
- "query"
- ],
- "type": "object"
- },
- "Incident": {
- "allOf": [
- {
- "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag"
- }
- ],
- "description": "Represents an incident in Azure Security Insights.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/IncidentProperties",
- "description": "Incident properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object"
- },
- "IncidentAdditionalData": {
- "description": "Incident additional data property bag.",
- "properties": {
- "alertsCount": {
- "description": "The number of alerts in the incident",
- "format": "int32",
- "readOnly": true,
- "type": "integer"
- },
- "bookmarksCount": {
- "description": "The number of bookmarks in the incident",
- "format": "int32",
- "readOnly": true,
- "type": "integer"
- },
- "commentsCount": {
- "description": "The number of comments in the incident",
- "format": "int32",
- "readOnly": true,
- "type": "integer"
- },
- "alertProductNames": {
- "description": "List of product names of alerts in the incident",
- "items": {
- "description": "Alert product name",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "tactics": {
- "description": "The tactics associated with incident",
- "items": {
- "$ref": "./common/AlertTypes.json#/definitions/AttackTactic"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "type": "object"
- },
- "IncidentAlertList": {
- "description": "List of incident alerts.",
- "properties": {
- "value": {
- "description": "Array of incident alerts.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/SecurityAlert"
- }
- }
- },
- "type": "object",
- "required": [
- "value"
- ]
- },
- "IncidentBookmarkList": {
- "description": "List of incident bookmarks.",
- "properties": {
- "value": {
- "description": "Array of incident bookmarks.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/HuntingBookmark"
- }
- }
- },
- "type": "object",
- "required": [
- "value"
- ]
- },
- "IncidentComment": {
- "allOf": [
- {
- "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag"
- }
- ],
- "description": "Represents an incident comment",
- "properties": {
- "properties": {
- "$ref": "#/definitions/IncidentCommentProperties",
- "description": "Incident comment properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object"
- },
- "IncidentCommentList": {
- "description": "List of incident comments.",
- "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of comments.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of comments.",
- "items": {
- "$ref": "#/definitions/IncidentComment"
- },
- "type": "array"
- }
- },
- "type": "object",
- "required": [
- "value"
- ]
- },
- "IncidentCommentProperties": {
- "description": "Incident comment property bag.",
- "properties": {
- "createdTimeUtc": {
- "description": "The time the comment was created",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "lastModifiedTimeUtc": {
- "description": "The time the comment was updated",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "message": {
- "description": "The comment message",
- "type": "string"
- },
- "author": {
- "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo",
- "description": "Describes the client that created the comment",
- "readOnly": true,
- "type": "object"
- }
- },
- "required": [
- "message"
- ],
- "type": "object"
- },
- "IncidentEntitiesResponse": {
- "description": "The incident related entities response.",
- "type": "object",
- "properties": {
- "entities": {
- "description": "Array of the incident related entities.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/Entity"
- }
- },
-
"metaData": {
- "description": "The metadata from the incident related entities results.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/IncidentEntitiesResultsMetadata"
- }
- }
- }
- },
- "IncidentEntitiesResultsMetadata": {
- "description": "Information of a specific aggregation in the incident related entities result.",
- "properties": {
- "count": {
- "description": "Total number of aggregations of the given kind in the incident related entities result.",
- "type": "integer",
- "format": "int32"
- },
- "entityKind": {
- "$ref": "#/definitions/EntityInnerKind",
- "description": "The kind of the aggregated entity."
- }
- },
- "required": [
- "entityKind",
- "count"
- ],
- "type": "object"
- },
- "IncidentLabel": {
- "description": "Represents an incident label",
- "properties": {
- "labelName": {
- "description": "The name of the label",
- "type": "string"
- },
- "labelType": {
- "description": "The type of the label",
- "enum": [
- "User",
- "System"
- ],
- "type": "string",
- "readOnly": true,
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentLabelType",
- "values": [
- {
- "description": "Label manually created by a user",
- "value": "User"
- },
- {
- "description": "Label automatically created by the system",
- "value": "System"
- }
- ]
- }
- }
- },
- "required": [
- "labelName"
- ],
- "type": "object"
- },
- "IncidentList": {
- "description": "List all the incidents.",
- "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of incidents.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of incidents.",
- "items": {
- "$ref": "#/definitions/Incident"
- },
- "type": "array"
- }
- },
- "type": "object",
- "required": [
- "value"
- ]
- },
- "IncidentOwnerInfo": {
- "description": "Information on the user an incident is assigned to",
- "properties": {
- "email": {
- "description": "The email of the user the incident is assigned to.",
- "type": "string"
- },
- "assignedTo": {
-
"description": "The name of the user the incident is assigned to.",
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user the incident is assigned to.",
- "format": "uuid",
- "type": "string"
- },
- "userPrincipalName": {
- "description": "The user principal name of the user the incident is assigned to.",
- "type": "string"
- }
- },
- "type": "object"
- },
- "IncidentProperties": {
- "description": "Describes incident properties",
- "properties": {
- "additionalData": {
- "$ref": "#/definitions/IncidentAdditionalData",
- "description": "Additional data on the incident",
- "readOnly": true,
- "type": "object"
- },
- "classification": {
- "description": "The reason the incident was closed",
- "enum": [
- "Undetermined",
- "TruePositive",
- "BenignPositive",
- "FalsePositive"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassification",
- "values": [
- {
- "description": "Incident classification was undetermined",
- "value": "Undetermined"
- },
- {
- "description": "Incident was true positive",
- "value": "TruePositive"
- },
- {
- "description": "Incident was benign positive",
- "value": "BenignPositive"
- },
- {
- "description": "Incident was false positive",
- "value": "FalsePositive"
- }
- ]
- }
- },
- "classificationComment": {
- "description": "Describes the reason the incident was closed",
- "type": "string"
- },
- "classificationReason": {
- "description": "The classification reason the incident was closed with",
- "enum": [
- "SuspiciousActivity",
- "SuspiciousButExpected",
- "IncorrectAlertLogic",
- "InaccurateData"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassificationReason",
- "values": [
- {
- "description": "Classification reason was suspicious activity",
- "value": "SuspiciousActivity"
- },
- {
- "description": "Classification reason was suspicious but expected",
- "value": "SuspiciousButExpected"
- },
- {
- "description": "Classification
reason was incorrect alert logic",
- "value": "IncorrectAlertLogic"
- },
- {
- "description": "Classification reason was inaccurate data",
- "value": "InaccurateData"
- }
- ]
- }
- },
- "createdTimeUtc": {
- "description": "The time the incident was created",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "description": {
- "description": "The description of the incident",
- "type": "string"
- },
- "firstActivityTimeUtc": {
- "description": "The time of the first activity in the incident",
- "format": "date-time",
- "type": "string"
- },
- "incidentUrl": {
- "description": "The deep-link url to the incident in Azure portal",
- "readOnly": true,
- "type": "string"
- },
- "incidentNumber": {
- "description": "A sequential number",
- "format": "int32",
- "readOnly": true,
- "type": "integer"
- },
- "labels": {
- "description": "List of labels relevant to this incident",
- "items": {
- "$ref": "#/definitions/IncidentLabel"
- },
- "type": "array"
- },
- "lastActivityTimeUtc": {
- "description": "The time of the last activity in the incident",
- "format": "date-time",
- "type": "string"
- },
- "lastModifiedTimeUtc": {
- "description": "The last time the incident was updated",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "owner": {
- "$ref": "#/definitions/IncidentOwnerInfo",
- "description": "Describes a user that the incident is assigned to",
- "type": "object"
- },
- "relatedAnalyticRuleIds": {
- "description": "List of resource ids of Analytic rules related to the incident",
- "items": {
- "description": "Related Analytic rule resource id",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "severity": {
- "description": "The severity of the incident",
- "type": "string",
- "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum"
- },
- "status": {
- "description": "The status of the incident",
- "enum": [
- "New",
- "Active",
- "Closed"
- ],
- "type": "string",
- "x-ms-enum": {
-
"modelAsString": true,
- "name": "IncidentStatus",
- "values": [
- {
- "description": "An active incident which isn't being handled currently",
- "value": "New"
- },
- {
- "description": "An active incident which is being handled",
- "value": "Active"
- },
- {
- "description": "A non-active incident",
- "value": "Closed"
- }
- ]
- }
- },
- "title": {
- "description": "The title of the incident",
- "type": "string"
- }
- },
- "required": [
- "title",
- "severity",
- "status"
- ],
- "type": "object"
- },
- "IoTDeviceEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents an IoT device entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/IoTDeviceEntityProperties",
- "description": "IoTDevice entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "IoTDevice"
- },
- "IoTDeviceEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "IoTDevice entity property bag.",
- "properties": {
- "deviceId": {
- "description": "The ID of the IoT Device in the IoT Hub",
- "readOnly": true,
- "type": "string"
- },
- "deviceName": {
- "description": "The friendly name of the device",
- "readOnly": true,
- "type": "string"
- },
- "source": {
- "description": "The source of the device",
- "readOnly": true,
- "type": "string"
- },
- "iotSecurityAgentId": {
- "description": "The ID of the security agent running on the device",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- },
- "deviceType": {
- "description": "The type of the device",
- "readOnly": true,
- "type": "string"
- },
- "vendor": {
- "description": "The vendor of the device",
- "readOnly": true,
- "type": "string"
- },
- "edgeId": {
- "description": "The ID of the edge device",
- "readOnly": true,
- "type": "string"
- },
- "macAddress": {
- "description": "The MAC address of the device",
- "readOnly": true,
- "type": "string"
- },
- "model": {
-
"description": "The model of the device",
- "readOnly": true,
- "type": "string"
- },
- "serialNumber": {
- "description": "The serial number of the device",
- "readOnly": true,
- "type": "string"
- },
- "firmwareVersion": {
- "description": "The firmware version of the device",
- "readOnly": true,
- "type": "string"
- },
- "operatingSystem": {
- "description": "The operating system of the device",
- "readOnly": true,
- "type": "string"
- },
- "iotHubEntityId": {
- "description": "The AzureResource entity id of the IoT Hub",
- "readOnly": true,
- "type": "string"
- },
- "hostEntityId": {
- "description": "The Host entity id of this device",
- "readOnly": true,
- "type": "string"
- },
- "ipAddressEntityId": {
- "description": "The IP entity if of this device",
- "readOnly": true,
- "type": "string"
- },
- "threatIntelligence": {
- "description": "A list of TI contexts attached to the IoTDevice entity.",
- "items": {
- "$ref": "#/definitions/ThreatIntelligence"
- },
- "readOnly": true,
- "type": "array"
- },
- "protocols": {
- "description": "A list of protocols of the IoTDevice entity.",
- "items": {
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "type": "object"
- },
- "IpEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents an ip entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/IpEntityProperties",
- "description": "Ip entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Ip"
- },
- "IpEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Ip entity property bag.",
- "properties": {
- "address": {
- "description": "The IP address as string, e.g.
127.0.0.1 (either in Ipv4 or Ipv6)",
- "readOnly": true,
- "type": "string"
- },
- "location": {
- "$ref": "#/definitions/GeoLocation",
- "description": "The geo-location context attached to the ip entity"
- },
- "threatIntelligence": {
- "description": "A list of TI contexts attached to the ip entity.",
- "items": {
- "$ref": "#/definitions/ThreatIntelligence"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "type": "object"
- },
- "MailboxEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a mailbox entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MailboxEntityProperties",
- "description": "Mailbox entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Mailbox"
- },
- "MailboxEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Mailbox entity property bag.",
- "properties": {
- "mailboxPrimaryAddress": {
- "description": "The mailbox's primary address",
- "readOnly": true,
- "type": "string"
- },
- "displayName": {
- "description": "The mailbox's display name",
- "readOnly": true,
- "type": "string"
- },
- "upn": {
- "description": "The mailbox's UPN",
- "readOnly": true,
- "type": "string"
- },
- "externalDirectoryObjectId": {
- "description": "The AzureAD identifier of mailbox.
Similar to AadUserId in account entity but this property is specific to mailbox object on office side",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
- },
- "MailClusterEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a mail cluster entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MailClusterEntityProperties",
- "description": "Mail cluster entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "MailCluster"
- },
- "MailClusterEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Mail cluster entity property bag.",
- "properties": {
- "networkMessageIds": {
- "description": "The mail message IDs that are part of the mail cluster",
- "items": {
- "description": "A mail message ID",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "countByDeliveryStatus": {
- "description": "Count of mail messages by DeliveryStatus string representation",
- "readOnly": true,
- "type": "object"
- },
- "countByThreatType": {
- "description": "Count of mail messages by ThreatType string representation",
- "readOnly": true,
- "type": "object"
- },
- "countByProtectionStatus": {
- "description": "Count of mail messages by ProtectionStatus string representation",
- "readOnly": true,
- "type": "object"
- },
- "threats": {
- "description": "The threats of mail messages that are part of the mail cluster",
- "items": {
- "description": "A threat",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "query": {
- "description": "The query that was used to identify the messages of the mail cluster",
- "readOnly": true,
- "type": "string"
- },
- "queryTime": {
- "description": "The query time",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "mailCount": {
- "description": "The number of mail messages that are part
of the mail cluster",
- "readOnly": true,
- "type": "integer",
- "format": "int32"
- },
- "isVolumeAnomaly": {
- "description": "Is this a volume anomaly mail cluster",
- "readOnly": true,
- "type": "boolean"
- },
- "source": {
- "description": "The source of the mail cluster (default is 'O365 ATP')",
- "readOnly": true,
- "type": "string"
- },
- "clusterSourceIdentifier": {
- "description": "The id of the cluster source",
- "readOnly": true,
- "type": "string"
- },
- "clusterSourceType": {
- "description": "The type of the cluster source",
- "readOnly": true,
- "type": "string"
- },
- "clusterQueryStartTime": {
- "description": "The cluster query start time",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "clusterQueryEndTime": {
- "description": "The cluster query end time",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "clusterGroup": {
- "description": "The cluster group",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
- },
- "MailMessageEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a mail message entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MailMessageEntityProperties",
- "description": "Mail message entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "MailMessage"
- },
- "MailMessageEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Mail message entity property bag.",
- "properties": {
- "fileEntityIds": {
- "description": "The File entity ids of this mail message's attachments",
- "items": {
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "recipient": {
- "description": "The recipient of this mail message.
Note that in case of multiple recipients the mail message is forked and each copy has one recipient",
- "readOnly": true,
- "type": "string"
- },
- "urls": {
- "description": "The Urls contained in this mail message",
- "items": {
- "description": "A Url contained in this mail message",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "threats": {
- "description": "The threats of this mail message",
- "items": {
- "description": "A threat of the mail message",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "p1Sender": {
- "description": "The p1 sender's email address",
- "readOnly": true,
- "type": "string"
- },
- "p1SenderDisplayName": {
- "description": "The p1 sender's display name",
- "readOnly": true,
- "type": "string"
- },
- "p1SenderDomain": {
- "description": "The p1 sender's domain",
- "readOnly": true,
- "type": "string"
- },
- "senderIP": {
- "description": "The sender's IP address",
- "readOnly": true,
- "type": "string"
- },
- "p2Sender": {
- "description": "The p2 sender's email address",
- "readOnly": true,
- "type": "string"
- },
- "p2SenderDisplayName": {
- "description": "The p2 sender's display name",
- "readOnly": true,
- "type": "string"
- },
- "p2SenderDomain": {
- "description": "The p2 sender's domain",
- "readOnly": true,
- "type": "string"
- },
- "receiveDate": {
- "description": "The receive date of this message",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "networkMessageId": {
- "description": "The network message id of this mail message",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- },
- "internetMessageId": {
- "description": "The internet message id of this mail message",
- "readOnly": true,
- "type": "string"
- },
- "subject": {
- "description": "The subject of this mail message",
- "readOnly": true,
- "type": "string"
- },
- "language": {
- "description": "The language of this mail message",
- "readOnly": true,
- "type": "string"
- },
-
"threatDetectionMethods": {
- "description": "The threat detection methods",
- "items": {
- "description": "A threat detection method",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "bodyFingerprintBin1": {
- "description": "The bodyFingerprintBin1",
- "type": "integer",
- "format": "int32"
- },
- "bodyFingerprintBin2": {
- "description": "The bodyFingerprintBin2",
- "type": "integer",
- "format": "int32"
- },
- "bodyFingerprintBin3": {
- "description": "The bodyFingerprintBin3",
- "type": "integer",
- "format": "int32"
- },
- "bodyFingerprintBin4": {
- "description": "The bodyFingerprintBin4",
- "type": "integer",
- "format": "int32"
- },
- "bodyFingerprintBin5": {
- "description": "The bodyFingerprintBin5",
- "type": "integer",
- "format": "int32"
- },
- "antispamDirection": {
- "description": "The directionality of this mail message",
- "enum": [
- "Unknown",
- "Inbound",
- "Outbound",
- "Intraorg"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "AntispamMailDirection",
- "values": [
- {
- "description": "Unknown",
- "value": "Unknown"
- },
- {
- "description": "Inbound",
- "value": "Inbound"
- },
- {
- "description": "Outbound",
- "value": "Outbound"
- },
- {
- "description": "Intraorg",
- "value": "Intraorg"
- }
- ]
- }
- },
- "deliveryAction": {
- "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc",
- "enum": [
- "Unknown",
- "DeliveredAsSpam",
- "Delivered",
- "Blocked",
- "Replaced"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": false,
- "name": "DeliveryAction",
- "values": [
- {
- "description": "Unknown",
- "value": "Unknown"
- },
- {
- "description": "DeliveredAsSpam",
- "value": "DeliveredAsSpam"
- },
- {
- "description": "Delivered",
- "value": "Delivered"
- },
- {
- "description": "Blocked",
- "value": "Blocked"
- },
- {
- "description": "Replaced",
- "value": "Replaced"
- }
- ]
- }
- },
- "deliveryLocation": {
- "description": "The delivery
location of this mail message like Inbox, JunkFolder etc",
- "enum": [
- "Unknown",
- "Inbox",
- "JunkFolder",
- "DeletedFolder",
- "Quarantine",
- "External",
- "Failed",
- "Dropped",
- "Forwarded"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": false,
- "name": "DeliveryLocation",
- "values": [
- {
- "description": "Unknown",
- "value": "Unknown"
- },
- {
- "description": "Inbox",
- "value": "Inbox"
- },
- {
- "description": "JunkFolder",
- "value": "JunkFolder"
- },
- {
- "description": "DeletedFolder",
- "value": "DeletedFolder"
- },
- {
- "description": "Quarantine",
- "value": "Quarantine"
- },
- {
- "description": "External",
- "value": "External"
- },
- {
- "description": "Failed",
- "value": "Failed"
- },
- {
- "description": "Dropped",
- "value": "Dropped"
- },
- {
- "description": "Forwarded",
- "value": "Forwarded"
- }
- ]
- }
- }
- },
- "type": "object"
- },
- "MalwareEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a malware entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MalwareEntityProperties",
- "description": "File entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Malware"
- },
- "MalwareEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Malware entity property bag.",
- "properties": {
- "category": {
- "description": "The malware category by the vendor, e.g. Trojan",
- "readOnly": true,
- "type": "string"
- },
- "fileEntityIds": {
- "description": "List of linked file entity identifiers on which the malware was found",
- "items": {
- "description": "file entity id",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "malwareName": {
- "description": "The malware name by the vendor, e.g.
Win32/Toga!rfn",
- "readOnly": true,
- "type": "string"
- },
- "processEntityIds": {
- "description": "List of linked process entity identifiers on which the malware was found.",
- "items": {
- "description": "process entity id",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "type": "object"
- },
- "ProcessEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a process entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/ProcessEntityProperties",
- "description": "Process entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Process"
- },
- "ProcessEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Process entity property bag.",
- "properties": {
- "accountEntityId": {
- "description": "The account entity id running the processes.",
- "readOnly": true,
- "type": "string"
- },
- "commandLine": {
- "description": "The command line used to create the process",
- "readOnly": true,
- "type": "string"
- },
- "creationTimeUtc": {
- "description": "The time when the process started to run",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "elevationToken": {
- "description": "The elevation token associated with the process.",
- "enum": [
- "Default",
- "Full",
- "Limited"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": false,
- "name": "ElevationToken",
- "values": [
- {
- "description": "Default elevation token",
- "value": "Default"
- },
- {
- "description": "Full elevation token",
- "value": "Full"
- },
- {
- "description": "Limited elevation token",
- "value": "Limited"
- }
- ]
- }
- },
- "hostEntityId": {
- "description": "The host entity id on which the process was running",
- "readOnly": true,
- "type": "string"
- },
- "hostLogonSessionEntityId": {
- "description": "The session entity id in which the process was running",
-
"readOnly": true,
- "type": "string"
- },
- "imageFileEntityId": {
- "description": "Image file entity id",
- "readOnly": true,
- "type": "string"
- },
- "parentProcessEntityId": {
- "description": "The parent process entity id.",
- "readOnly": true,
- "type": "string"
- },
- "processId": {
- "description": "The process ID",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
- },
- "RegistryKeyEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a registry key entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/RegistryKeyEntityProperties",
- "description": "RegistryKey entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "RegistryKey"
- },
- "RegistryKeyEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "RegistryKey entity property bag.",
- "properties": {
- "hive": {
- "description": "the hive that holds the registry key.",
- "enum": [
- "HKEY_LOCAL_MACHINE",
- "HKEY_CLASSES_ROOT",
- "HKEY_CURRENT_CONFIG",
- "HKEY_USERS",
- "HKEY_CURRENT_USER_LOCAL_SETTINGS",
- "HKEY_PERFORMANCE_DATA",
- "HKEY_PERFORMANCE_NLSTEXT",
- "HKEY_PERFORMANCE_TEXT",
- "HKEY_A",
- "HKEY_CURRENT_USER"
- ],
- "readOnly": true,
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "RegistryHive",
- "values": [
- {
- "description": "HKEY_LOCAL_MACHINE",
- "value": "HKEY_LOCAL_MACHINE"
- },
- {
- "description": "HKEY_CLASSES_ROOT",
- "value": "HKEY_CLASSES_ROOT"
- },
- {
- "description": "HKEY_CURRENT_CONFIG",
- "value": "HKEY_CURRENT_CONFIG"
- },
- {
- "description": "HKEY_USERS",
- "value": "HKEY_USERS"
- },
- {
- "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
- "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS"
- },
- {
- "description": "HKEY_PERFORMANCE_DATA",
- "value": "HKEY_PERFORMANCE_DATA"
- },
- {
- "description": "HKEY_PERFORMANCE_NLSTEXT",
- "value":
"HKEY_PERFORMANCE_NLSTEXT"
- },
- {
- "description": "HKEY_PERFORMANCE_TEXT",
- "value": "HKEY_PERFORMANCE_TEXT"
- },
- {
- "description": "HKEY_A",
- "value": "HKEY_A"
- },
- {
- "description": "HKEY_CURRENT_USER",
- "value": "HKEY_CURRENT_USER"
- }
- ]
- }
- },
- "key": {
- "description": "The registry key path.",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
- },
- "RegistryValueEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a registry value entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/RegistryValueEntityProperties",
- "description": "RegistryKey entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "RegistryValue"
- },
- "RegistryValueEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "RegistryValue entity property bag.",
+ "IncidentLabel": {
+ "description": "Represents an incident label",
 "properties": {
- "keyEntityId": {
- "description": "The registry key entity id.",
- "readOnly": true,
- "type": "string"
- },
- "valueData": {
- "description": "String formatted representation of the value data.",
- "readOnly": true,
- "type": "string"
- },
- "valueName": {
- "description": "The registry value name.",
- "readOnly": true,
+ "labelName": {
+ "description": "The name of the label",
 "type": "string"
 },
- "valueType": {
- "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.",
+ "labelType": {
+ "description": "The type of the label",
 "enum": [
- "None",
- "Unknown",
- "String",
- "ExpandString",
- "Binary",
- "DWord",
- "MultiString",
- "QWord"
+ "User",
+ "System"
 ],
- "readOnly": true,
 "type": "string",
+ "readOnly": true,
 "x-ms-enum": {
 "modelAsString": true,
- "name": "RegistryValueKind",
+ "name": "IncidentLabelType",
 "values": [
 {
- "description": "None",
-
"value": "None"
- },
- {
- "description": "Unknown value type",
- "value": "Unknown"
- },
- {
- "description": "String value type",
- "value": "String"
- },
- {
- "description": "ExpandString value type",
- "value": "ExpandString"
- },
- {
- "description": "Binary value type",
- "value": "Binary"
- },
- {
- "description": "DWord value type",
- "value": "DWord"
- },
- {
- "description": "MultiString value type",
- "value": "MultiString"
+ "description": "Label manually created by a user",
+ "value": "User"
 },
 {
- "description": "QWord value type",
- "value": "QWord"
+ "description": "Label automatically created by the system",
+ "value": "System"
 }
 ]
 }
 }
 },
- "type": "object"
- },
- "Relation": {
- "type": "object",
- "description": "Represents a relation between two resources",
- "allOf": [
- {
- "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag"
- }
+ "required": [
+ "labelName"
 ],
- "properties": {
- "properties": {
- "$ref": "#/definitions/RelationProperties",
- "description": "Relation properties",
- "x-ms-client-flatten": true
- }
- }
+ "type": "object"
 },
- "RelationList": {
- "description": "List of relations.",
+ "IncidentList": {
+ "description": "List all the incidents.",
 "properties": {
 "nextLink": {
+ "description": "URL to fetch the next set of incidents.",
 "readOnly": true,
- "description": "URL to fetch the next set of relations.",
 "type": "string"
 },
 "value": {
- "description": "Array of relations.",
- "type": "array",
+ "description": "Array of incidents.",
 "items": {
- "$ref": "#/definitions/Relation"
- }
+ "$ref": "#/definitions/Incident"
+ },
+ "type": "array"
 }
 },
 "type": "object",
@@ -2997,572 +1106,206 @@ "value" ] }, - "RelationProperties": { - "description": "Relation property bag.", + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", "properties": { - "relatedResourceId": { - "description": "The resource ID of the related resource", + "email": { + "description": "The email of the user the incident is assigned to.", "type": "string" }, - "relatedResourceName": { - "description": "The name of the related resource", - "readOnly": true, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", "type": "string" }, - "relatedResourceType": { - "description": "The resource type of the related resource", - "readOnly": true, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", "type": "string" }, - "relatedResourceKind": { - "description": "The resource kind of the related resource", - "readOnly": true, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", "type": "string" } }, - "required": [ - "relatedResourceId" - ], "type": "object" }, - "SecurityAlert": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a security alert entity.", - "properties": { - "properties": { - "$ref": "#/definitions/SecurityAlertProperties", - "description": "SecurityAlert entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "SecurityAlertProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "SecurityAlert entity property bag.", + "IncidentProperties": { + "description": "Describes incident properties", "properties": { - "alertDisplayName": { - "description": "The display name of the alert.", - "readOnly": true, - "type": "string" - }, - "alertType": { - "description": "The type name of the alert.", - "readOnly": 
true, - "type": "string" - }, - "compromisedEntity": { - "description": "Display name of the main entity being reported on.", - "readOnly": true, - "type": "string" - }, - "confidenceLevel": { - "description": "The confidence level of this alert.", - "enum": [ - "Unknown", - "Low", - "High" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ConfidenceLevel", - "values": [ - { - "description": "Unknown confidence, the is the default value", - "value": "Unknown" - }, - { - "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", - "value": "Low" - }, - { - "description": "High confidence that the alert is true positive malicious", - "value": "High" - } - ] - } - }, - "confidenceReasons": { - "description": "The confidence reasons", - "items": { - "description": "confidence reason item", - "properties": { - "reason": { - "description": "The reason's description", - "readOnly": true, - "type": "string" - }, - "reasonType": { - "description": "The type (category) of the reason", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "readOnly": true, - "type": "array" - }, - "confidenceScore": { - "description": "The confidence score of the alert.", - "format": "double", + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", "readOnly": true, - "type": "number" + "type": "object" }, - "confidenceScoreStatus": { - "description": "The confidence score calculation status, i.e. 
indicating if score calculation is pending for this alert, not applicable or final.", + "classification": { + "description": "The reason the incident was closed", "enum": [ - "NotApplicable", - "InProcess", - "NotFinal", - "Final" + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" ], - "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "ConfidenceScoreStatus", + "name": "IncidentClassification", "values": [ { - "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", - "value": "NotApplicable" + "description": "Incident classification was undetermined", + "value": "Undetermined" }, { - "description": "No score was set yet and calculation is in progress", - "value": "InProcess" + "description": "Incident was true positive", + "value": "TruePositive" }, { - "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", - "value": "NotFinal" + "description": "Incident was benign positive", + "value": "BenignPositive" }, { - "description": "Final score was calculated and available", - "value": "Final" + "description": "Incident was false positive", + "value": "FalsePositive" } ] } }, - "description": { - "description": "Alert description.", - "readOnly": true, - "type": "string" - }, - "endTimeUtc": { - "description": "The impact end time of the alert (the time of the last event contributing to the alert).", - "format": "date-time", - "readOnly": true, + "classificationComment": { + "description": "Describes the reason the incident was closed", "type": "string" }, - "intent": { - "description": "Holds the alert intent stage(s) mapping for this alert.", + "classificationReason": { + "description": "The classification reason the incident was closed with", "enum": [ - "Unknown", - "Probing", - "Exploitation", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - 
"CredentialAccess", - "Discovery", - "LateralMovement", - "Execution", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" ], - "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "KillChainIntent", + "name": "IncidentClassificationReason", "values": [ { - "description": "The default value.", - "value": "Unknown" - }, - { - "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", - "value": "Probing" - }, - { - "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", - "value": "Exploitation" - }, - { - "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", - "value": "Persistence" - }, - { - "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. 
User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", - "value": "PrivilegeEscalation" - }, - { - "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", - "value": "DefenseEvasion" - }, - { - "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", - "value": "CredentialAccess" - }, - { - "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", - "value": "Discovery" - }, - { - "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. 
An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", - "value": "LateralMovement" - }, - { - "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", - "value": "Execution" - }, - { - "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Collection" + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" }, { - "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Exfiltration" + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" }, { - "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", - "value": "CommandAndControl" + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" }, { - "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. 
This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", - "value": "Impact" + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" } ] } }, - "providerAlertId": { - "description": "The identifier of the alert inside the product which generated the alert.", + "createdTimeUtc": { + "description": "The time the incident was created", + "format": "date-time", "readOnly": true, "type": "string" }, - "processingEndTime": { - "description": "The time the alert was made available for consumption.", + "description": { + "description": "The description of the incident", + "type": "string" + }, + "firstActivityTimeUtc": { + "description": "The time of the first activity in the incident", "format": "date-time", - "readOnly": true, "type": "string" }, - "productComponentName": { - "description": "The name of a component inside the product which generated the alert.", + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", "readOnly": true, "type": "string" }, - "productName": { - "description": "The name of the product which published this alert.", + "incidentNumber": { + "description": "A sequential number", + "format": "int32", "readOnly": true, + "type": "integer" + }, + "labels": { + "description": "List of labels relevant to this incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "lastActivityTimeUtc": { + "description": "The time of the last activity in the incident", + "format": "date-time", "type": "string" }, - "productVersion": { - "description": "The version of the product generating the alert.", + "lastModifiedTimeUtc": { + "description": "The last time the incident was updated", + "format": "date-time", "readOnly": true, "type": "string" }, - "remediationSteps": { - "description": "Manual action items to take to remediate the alert.", + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": 
"Describes a user that the incident is assigned to", + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", "items": { + "description": "Related Analytic rule resource id", "type": "string" }, "readOnly": true, "type": "array" }, "severity": { - "$ref": "./common/AlertTypes.json#/definitions/AlertSeverity", - "description": "The severity of the alert" - }, - "startTimeUtc": { - "description": "The impact start time of the alert (the time of the first event contributing to the alert).", - "format": "date-time", - "readOnly": true, - "type": "string" + "description": "The severity of the incident", + "type": "string", + "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" }, "status": { - "description": "The lifecycle status of the alert.", + "description": "The status of the incident", "enum": [ - "Unknown", "New", - "Resolved", - "Dismissed", - "InProgress" + "Active", + "Closed" ], - "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "AlertStatus", + "name": "IncidentStatus", "values": [ { - "description": "Unknown value", - "value": "Unknown" - }, - { - "description": "New alert", + "description": "An active incident which isn't being handled currently", "value": "New" }, { - "description": "Alert closed after handling", - "value": "Resolved" - }, - { - "description": "Alert dismissed as false positive", - "value": "Dismissed" + "description": "An active incident which is being handled", + "value": "Active" }, { - "description": "Alert is being handled", - "value": "InProgress" + "description": "A non-active incident", + "value": "Closed" } ] } }, - "systemAlertId": { - "description": "Holds the product identifier of the alert for the product.", - "readOnly": true, - "type": "string" - }, - "tactics": { - "description": "The tactics of the alert", - "items": { - "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" - }, - 
"readOnly": true, - "type": "array" - }, - "timeGenerated": { - "description": "The time the alert was generated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "vendorName": { - "description": "The name of the vendor that raise the alert.", - "readOnly": true, - "type": "string" - }, - "alertLink": { - "description": "The uri link of the alert.", - "readOnly": true, - "type": "string" - }, - "resourceIdentifiers": { - "description": "The list of resource identifiers of the alert.", - "items": { - "type": "object" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "SecurityGroupEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a security group entity.", - "properties": { - "properties": { - "$ref": "#/definitions/SecurityGroupEntityProperties", - "description": "SecurityGroup entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SecurityGroup" - }, - "SecurityGroupEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "SecurityGroup entity property bag.", - "properties": { - "distinguishedName": { - "description": "The group distinguished name", - "readOnly": true, - "type": "string" - }, - "objectGuid": { - "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "sid": { - "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "SubmissionMailEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a submission mail entity.", - "properties": { - "properties": { - "$ref": "#/definitions/SubmissionMailEntityProperties", - "description": "Submission 
mail entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SubmissionMail" - }, - "SubmissionMailEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Submission mail entity property bag.", - "properties": { - "networkMessageId": { - "description": "The network message id of email to which submission belongs", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submissionId": { - "description": "The submission id", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submitter": { - "description": "The submitter", - "readOnly": true, - "type": "string" - }, - "submissionDate": { - "description": "The submission date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "timestamp": { - "description": "The Time stamp when the message is received (Mail)", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "recipient": { - "description": "The recipient of the mail", - "readOnly": true, - "type": "string" - }, - "sender": { - "description": "The sender of the mail", - "readOnly": true, - "type": "string" - }, - "senderIp": { - "description": "The sender's IP", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of submission mail", - "readOnly": true, - "type": "string" - }, - "reportType": { - "description": "The submission type for the given instance. 
This maps to Junk, Phish, Malware or NotJunk.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", - "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - "format": "double", - "readOnly": true, - "type": "number" - }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", - "readOnly": true, - "type": "string" - }, - "reportLink": { - "description": "Report link", - "readOnly": true, - "type": "string" - }, - "threatDescription": { - "description": "Threat description (free text)", - "readOnly": true, - "type": "string" - }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", - "readOnly": true, - "type": "string" - }, - "threatType": { - "description": "Threat type (e.g. \"Botnet\")", - "readOnly": true, + "title": { + "description": "The title of the incident", "type": "string" } }, - "type": "object" - }, - "UrlEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a url entity.", - "properties": { - "properties": { - "$ref": "#/definitions/UrlEntityProperties", - "description": "Url entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Url" - }, - "UrlEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } + "required": [ + "title", + "severity", + "status" ], - "description": "Url entity property bag.", - "properties": { - "url": { - "description": "A full URL the entity points to", - "readOnly": true, - "type": "string" - } - }, "type": "object" } }, 
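Review bot: `IncidentOwnerInfo` in this hunk exposes four independently writable assignee identifiers (`email`, `assignedTo`, `objectId`, `userPrincipalName`) with nothing stating which one the service treats as authoritative, so a client can PUT an `objectId` for one principal and an `email`/`userPrincipalName` for another and the spec gives no hint which wins; only `objectId` carries a `format`, the other three are free-form strings. I would pin this in the description, e.g. `"description": "Information on the user an incident is assigned to. objectId identifies the assignee; email, userPrincipalName and assignedTo are display values and are presumably not validated against the directory — confirm with the service."`. `classification`/`classificationReason`/`classificationComment` are described as the reason the incident "was closed" but nothing ties them to `status: Closed`, so a one-line note that they are only meaningful for a closed incident would help consumers. Minor: `severity` carries `"type": "string"` next to `$ref`, and `additionalData`/`owner` carry `"type": "object"` next to theirs — Swagger 2.0 ignores `$ref` siblings, so these are dead keys; dropping them avoids linter noise. The enclosing `definitions` object begins before this hunk.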
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json index c59a7ea8d2bd..0217d0e399ca 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json @@ -602,7 +602,7 @@ "ThreatIntelligenceIndicatorProperties": { "allOf": [ { - "$ref": "#/definitions/EntityCommonProperties" + "$ref": "./common/EntityTypes.json#/definitions/EntityCommonProperties" } ], "description": "Describes threat intelligence entity properties", @@ -1069,25 +1069,6 @@ } }, "type": "object" - }, - "EntityCommonProperties": { - "description": "Entity common property bag.", - "properties": { - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "readOnly": true, - "type": "object" - }, - "friendlyName": { - "description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" } }, "parameters": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json new file mode 100644 index 000000000000..4e888411e6cc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json 
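Review bot: The first hunk swaps the local `EntityCommonProperties` for `./common/EntityTypes.json#/definitions/EntityCommonProperties` while the second deletes the local copy, but the shared definition's body is not in this patch, so the equivalence is unverified: the removed copy marked both `additionalData` and `friendlyName` as `readOnly: true`. If the shared definition lacks `readOnly` on either field, generated clients for this stable `2021-10-01` version would start treating threat-intelligence indicator properties as writable, which is a silent contract change in an already-published API; please confirm the shared definition keeps `"readOnly": true` on both, or add a changelog note if the change is intended. The relative `./common/` path is correct for a file at `stable/2021-10-01/`, but any future move of `ThreatIntelligence.json` must keep that layout.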
@@ -0,0 +1,2268 @@ +{ + "swagger": "2.0", + "info": { + "version": "2021-10-01", + "title": "Common Entity types" + }, + "paths": {}, + "definitions": { + "AccountEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an account entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AccountEntityProperties", + "description": "Account entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Account" + }, + "AccountEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Account entity property bag.", + "properties": { + "aadTenantId": { + "description": "The Azure Active Directory tenant id.", + "readOnly": true, + "type": "string" + }, + "aadUserId": { + "description": "The Azure Active Directory user id.", + "readOnly": true, + "type": "string" + }, + "accountName": { + "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name of the account.", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this is a domain account.", + "readOnly": true, + "type": "boolean" + }, + "ntDomain": { + "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. 
Examples: NT AUTHORITY.", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "puid": { + "description": "The Azure Active Directory Passport User ID.", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The account security identifier, e.g. S-1-5-18.", + "readOnly": true, + "type": "string" + }, + "upnSuffix": { + "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The fully qualified domain DNS name.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "AzureResourceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an azure resource entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AzureResourceEntityProperties", + "description": "AzureResource entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureResource" + }, + "AzureResourceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "AzureResource entity property bag.", + "properties": { + "resourceId": { + "description": "The azure resource id of the resource", + "readOnly": true, + "type": "string" + }, + "subscriptionId": { + "description": "The subscription id of the resource", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "CloudApplicationEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a cloud application entity.", + "properties": { + "properties": { + "$ref": "#/definitions/CloudApplicationEntityProperties", + "description": 
"CloudApplication entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "CloudApplication" + }, + "CloudApplicationEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "CloudApplication entity property bag.", + "properties": { + "appId": { + "description": "The technical identifier of the application.", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "appName": { + "description": "The name of the related cloud application.", + "readOnly": true, + "type": "string" + }, + "instanceName": { + "description": "The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "DnsEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a dns entity.", + "properties": { + "properties": { + "$ref": "#/definitions/DnsEntityProperties", + "description": "Dns entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "DnsResolution" + }, + "DnsEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Dns entity property bag.", + "properties": { + "dnsServerIpEntityId": { + "description": "An ip entity id for the dns server resolving the request", + "readOnly": true, + "type": "string" + }, + "domainName": { + "description": "The name of the dns record associated with the alert", + "readOnly": true, + "type": "string" + }, + "hostIpAddressEntityId": { + "description": "An ip entity id for the dns request client", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityIds": { + "description": "Ip entity identifiers for the resolved ip address.", + "items": { + "description": "Ip entity id", + "type": "string" + }, + "readOnly": 
true, + "type": "array" + } + }, + "type": "object" + }, + "Entity": { + "allOf": [ + { + "$ref": "../../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + }, + { + "$ref": "#/definitions/EntityKind" + } + ], + "description": "Specific entity.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "EntityEdges": { + "description": "The edge that connects the entity to the other entity.", + "properties": { + "targetEntityId": { + "description": "The target entity Id.", + "type": "string" + }, + "additionalData": { + "additionalProperties": { + "type": "object" + }, + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "type": "object" + } + }, + "type": "object" + }, + "EntityInnerKind": { + "description": "The kind of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DnsResolution", + "FileHash", + "Ip", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "Url", + "IoTDevice", + "SecurityAlert", + "Bookmark", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityKindEnum", + "values": [ + { + "description": "Entity represents account in the system.", + "value": "Account" + }, + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns resolution in the system.", + "value": "DnsResolution" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": 
"Entity represents ip in the system.", + "value": "Ip" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "Url" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents bookmark in the system.", + "value": "Bookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + } + ] + } + }, + "EntityKind": { + "description": "Describes an entity with kind.", + "properties": { + "kind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the entity." 
+ } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "FileEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "File" + }, + "FileEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "File entity property bag.", + "properties": { + "directory": { + "description": "The full path to the file.", + "readOnly": true, + "type": "string" + }, + "fileHashEntityIds": { + "description": "The file hash entity identifiers associated with this file", + "items": { + "description": "file hash id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "fileName": { + "description": "The file name without path (some alerts might not include path).", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id which the file belongs to", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "FileHashEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file hash entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileHashEntityProperties", + "description": "FileHash entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "FileHash" + }, + "FileHashEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "FileHash entity property bag.", + "properties": { + "algorithm": { + "description": "The hash algorithm type.", + "enum": [ + "Unknown", + "MD5", + "SHA1", + "SHA256", + "SHA256AC" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": 
"FileHashAlgorithm", + "values": [ + { + "description": "Unknown hash algorithm", + "value": "Unknown" + }, + { + "description": "MD5 hash type", + "value": "MD5" + }, + { + "description": "SHA1 hash type", + "value": "SHA1" + }, + { + "description": "SHA256 hash type", + "value": "SHA256" + }, + { + "description": "SHA256 Authenticode hash type", + "value": "SHA256AC" + } + ] + } + }, + "hashValue": { + "description": "The file hash value.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "GeoLocation": { + "description": "The geo-location context attached to the ip entity", + "properties": { + "asn": { + "description": "Autonomous System Number", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "city": { + "description": "City name", + "readOnly": true, + "type": "string" + }, + "countryCode": { + "description": "The country code according to ISO 3166 format", + "readOnly": true, + "type": "string" + }, + "countryName": { + "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", + "readOnly": true, + "type": "string" + }, + "latitude": { + "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "longitude": { + "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. 
Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "state": { + "description": "State name", + "readOnly": true, + "type": "string" + } + }, + "readOnly": true, + "type": "object" + }, + "HostEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a host entity.", + "properties": { + "properties": { + "$ref": "#/definitions/HostEntityProperties", + "description": "Host entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Host" + }, + "HostEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Host entity property bag.", + "properties": { + "azureID": { + "description": "The azure resource id of the VM.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", + "readOnly": true, + "type": "string" + }, + "hostName": { + "description": "The hostname without the domain suffix.", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this host belongs to a domain.", + "readOnly": true, + "type": "boolean" + }, + "netBiosName": { + "description": "The host name (pre-windows2000).", + "readOnly": true, + "type": "string" + }, + "ntDomain": { + "description": "The NT domain that this host belongs to.", + "readOnly": true, + "type": "string" + }, + "omsAgentID": { + "description": "The OMS agent id, if the host has OMS agent installed.", + "readOnly": true, + "type": "string" + }, + "osFamily": { + "description": "The operating system type.", + "enum": [ + "Linux", + "Windows", + "Android", + "IOS", + "Unknown" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "OSFamily", + "values": [ + { + "description": "Host with Linux operating 
system.", + "value": "Linux" + }, + { + "description": "Host with Windows operating system.", + "value": "Windows" + }, + { + "description": "Host with Android operating system.", + "value": "Android" + }, + { + "description": "Host with IOS operating system.", + "value": "IOS" + }, + { + "description": "Host with Unknown operating system.", + "value": "Unknown" + } + ] + } + }, + "osVersion": { + "description": "A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "HuntingBookmark": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a Hunting bookmark entity.", + "properties": { + "properties": { + "$ref": "#/definitions/HuntingBookmarkProperties", + "description": "HuntingBookmark entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Bookmark" + }, + "HuntingBookmarkProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "../../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "eventTime": { + "description": "The time of the event", + "format": "date-time", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "../../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": 
"string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "../../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "incidentInfo": { + "$ref": "IncidentTypes.json#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "IoTDeviceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an IoT device entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IoTDevice" + }, + "IoTDeviceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "IoTDevice entity property bag.", + "properties": { + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, + "type": "string" + }, + "deviceName": { + "description": "The friendly name of the device", + "readOnly": true, + "type": "string" + }, + "source": { + "description": "The source of the device", + "readOnly": true, + "type": "string" + }, + "iotSecurityAgentId": { + "description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "deviceType": { + "description": "The type of the device", + "readOnly": true, + "type": "string" + }, + "vendor": { + "description": "The vendor of the device", + "readOnly": true, + "type": "string" + }, + 
"edgeId": { + "description": "The ID of the edge device", + "readOnly": true, + "type": "string" + }, + "macAddress": { + "description": "The MAC address of the device", + "readOnly": true, + "type": "string" + }, + "model": { + "description": "The model of the device", + "readOnly": true, + "type": "string" + }, + "serialNumber": { + "description": "The serial number of the device", + "readOnly": true, + "type": "string" + }, + "firmwareVersion": { + "description": "The firmware version of the device", + "readOnly": true, + "type": "string" + }, + "operatingSystem": { + "description": "The operating system of the device", + "readOnly": true, + "type": "string" + }, + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityId": { + "description": "The IP entity if of this device", + "readOnly": true, + "type": "string" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the IoTDevice entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + }, + "protocols": { + "description": "A list of protocols of the IoTDevice entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "IpEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an ip entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IpEntityProperties", + "description": "Ip entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Ip" + }, + "IpEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Ip entity property bag.", + "properties": { + "address": { + "description": "The IP address as 
string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)", + "readOnly": true, + "type": "string" + }, + "location": { + "$ref": "#/definitions/GeoLocation", + "description": "The geo-location context attached to the ip entity" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the ip entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "MailboxEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mailbox entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailboxEntityProperties", + "description": "Mailbox entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Mailbox" + }, + "MailboxEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mailbox entity property bag.", + "properties": { + "mailboxPrimaryAddress": { + "description": "The mailbox's primary address", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The mailbox's display name", + "readOnly": true, + "type": "string" + }, + "upn": { + "description": "The mailbox's UPN", + "readOnly": true, + "type": "string" + }, + "externalDirectoryObjectId": { + "description": "The AzureAD identifier of mailbox. 
Similar to AadUserId in account entity but this property is specific to mailbox object on office side", + "format": "uuid", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailClusterEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail cluster entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailClusterEntityProperties", + "description": "Mail cluster entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailCluster" + }, + "MailClusterEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail cluster entity property bag.", + "properties": { + "networkMessageIds": { + "description": "The mail message IDs that are part of the mail cluster", + "items": { + "description": "A mail message ID", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "countByDeliveryStatus": { + "description": "Count of mail messages by DeliveryStatus string representation", + "readOnly": true, + "type": "object" + }, + "countByThreatType": { + "description": "Count of mail messages by ThreatType string representation", + "readOnly": true, + "type": "object" + }, + "countByProtectionStatus": { + "description": "Count of mail messages by ProtectionStatus string representation", + "readOnly": true, + "type": "object" + }, + "threats": { + "description": "The threats of mail messages that are part of the mail cluster", + "items": { + "description": "A threat", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "query": { + "description": "The query that was used to identify the messages of the mail cluster", + "readOnly": true, + "type": "string" + }, + "queryTime": { + "description": "The query time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "mailCount": { + "description": "The number of mail messages that are part 
of the mail cluster", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "isVolumeAnomaly": { + "description": "Is this a volume anomaly mail cluster", + "readOnly": true, + "type": "boolean" + }, + "source": { + "description": "The source of the mail cluster (default is 'O365 ATP')", + "readOnly": true, + "type": "string" + }, + "clusterSourceIdentifier": { + "description": "The id of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterSourceType": { + "description": "The type of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterQueryStartTime": { + "description": "The cluster query start time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterQueryEndTime": { + "description": "The cluster query end time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterGroup": { + "description": "The cluster group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailMessageEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail message entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailMessageEntityProperties", + "description": "Mail message entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailMessage" + }, + "MailMessageEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail message entity property bag.", + "properties": { + "fileEntityIds": { + "description": "The File entity ids of this mail message's attachments", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "recipient": { + "description": "The recipient of this mail message. 
Note that in case of multiple recipients the mail message is forked and each copy has one recipient", + "readOnly": true, + "type": "string" + }, + "urls": { + "description": "The Urls contained in this mail message", + "items": { + "description": "A Url contained in this mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "threats": { + "description": "The threats of this mail message", + "items": { + "description": "A threat of the mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "p1Sender": { + "description": "The p1 sender's email address", + "readOnly": true, + "type": "string" + }, + "p1SenderDisplayName": { + "description": "The p1 sender's display name", + "readOnly": true, + "type": "string" + }, + "p1SenderDomain": { + "description": "The p1 sender's domain", + "readOnly": true, + "type": "string" + }, + "senderIP": { + "description": "The sender's IP address", + "readOnly": true, + "type": "string" + }, + "p2Sender": { + "description": "The p2 sender's email address", + "readOnly": true, + "type": "string" + }, + "p2SenderDisplayName": { + "description": "The p2 sender's display name", + "readOnly": true, + "type": "string" + }, + "p2SenderDomain": { + "description": "The p2 sender's domain", + "readOnly": true, + "type": "string" + }, + "receiveDate": { + "description": "The receive date of this message", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "networkMessageId": { + "description": "The network message id of this mail message", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "internetMessageId": { + "description": "The internet message id of this mail message", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of this mail message", + "readOnly": true, + "type": "string" + }, + "language": { + "description": "The language of this mail message", + "readOnly": true, + "type": "string" + }, + 
"threatDetectionMethods": { + "description": "The threat detection methods", + "items": { + "description": "A threat detection method", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "bodyFingerprintBin1": { + "description": "The bodyFingerprintBin1", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin2": { + "description": "The bodyFingerprintBin2", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin3": { + "description": "The bodyFingerprintBin3", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin4": { + "description": "The bodyFingerprintBin4", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin5": { + "description": "The bodyFingerprintBin5", + "type": "integer", + "format": "int32" + }, + "antispamDirection": { + "description": "The directionality of this mail message", + "enum": [ + "Unknown", + "Inbound", + "Outbound", + "Intraorg" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AntispamMailDirection", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbound", + "value": "Inbound" + }, + { + "description": "Outbound", + "value": "Outbound" + }, + { + "description": "Intraorg", + "value": "Intraorg" + } + ] + } + }, + "deliveryAction": { + "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", + "enum": [ + "Unknown", + "DeliveredAsSpam", + "Delivered", + "Blocked", + "Replaced" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryAction", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "DeliveredAsSpam", + "value": "DeliveredAsSpam" + }, + { + "description": "Delivered", + "value": "Delivered" + }, + { + "description": "Blocked", + "value": "Blocked" + }, + { + "description": "Replaced", + "value": "Replaced" + } + ] + } + }, + "deliveryLocation": { + "description": "The delivery 
location of this mail message like Inbox, JunkFolder etc", + "enum": [ + "Unknown", + "Inbox", + "JunkFolder", + "DeletedFolder", + "Quarantine", + "External", + "Failed", + "Dropped", + "Forwarded" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryLocation", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbox", + "value": "Inbox" + }, + { + "description": "JunkFolder", + "value": "JunkFolder" + }, + { + "description": "DeletedFolder", + "value": "DeletedFolder" + }, + { + "description": "Quarantine", + "value": "Quarantine" + }, + { + "description": "External", + "value": "External" + }, + { + "description": "Failed", + "value": "Failed" + }, + { + "description": "Dropped", + "value": "Dropped" + }, + { + "description": "Forwarded", + "value": "Forwarded" + } + ] + } + } + }, + "type": "object" + }, + "MalwareEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a malware entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MalwareEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Malware" + }, + "MalwareEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Malware entity property bag.", + "properties": { + "category": { + "description": "The malware category by the vendor, e.g. Trojan", + "readOnly": true, + "type": "string" + }, + "fileEntityIds": { + "description": "List of linked file entity identifiers on which the malware was found", + "items": { + "description": "file entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "malwareName": { + "description": "The malware name by the vendor, e.g. 
Win32/Toga!rfn", + "readOnly": true, + "type": "string" + }, + "processEntityIds": { + "description": "List of linked process entity identifiers on which the malware was found.", + "items": { + "description": "process entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "ProcessEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a process entity.", + "properties": { + "properties": { + "$ref": "#/definitions/ProcessEntityProperties", + "description": "Process entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Process" + }, + "ProcessEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Process entity property bag.", + "properties": { + "accountEntityId": { + "description": "The account entity id running the processes.", + "readOnly": true, + "type": "string" + }, + "commandLine": { + "description": "The command line used to create the process", + "readOnly": true, + "type": "string" + }, + "creationTimeUtc": { + "description": "The time when the process started to run", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "elevationToken": { + "description": "The elevation token associated with the process.", + "enum": [ + "Default", + "Full", + "Limited" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "ElevationToken", + "values": [ + { + "description": "Default elevation token", + "value": "Default" + }, + { + "description": "Full elevation token", + "value": "Full" + }, + { + "description": "Limited elevation token", + "value": "Limited" + } + ] + } + }, + "hostEntityId": { + "description": "The host entity id on which the process was running", + "readOnly": true, + "type": "string" + }, + "hostLogonSessionEntityId": { + "description": "The session entity id in which the process was running", + 
"readOnly": true, + "type": "string" + }, + "imageFileEntityId": { + "description": "Image file entity id", + "readOnly": true, + "type": "string" + }, + "parentProcessEntityId": { + "description": "The parent process entity id.", + "readOnly": true, + "type": "string" + }, + "processId": { + "description": "The process ID", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RegistryKeyEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry key entity.", + "properties": { + "properties": { + "$ref": "#/definitions/RegistryKeyEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryKey" + }, + "RegistryKeyEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryKey entity property bag.", + "properties": { + "hive": { + "description": "the hive that holds the registry key.", + "enum": [ + "HKEY_LOCAL_MACHINE", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "HKEY_PERFORMANCE_DATA", + "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", + "HKEY_A", + "HKEY_CURRENT_USER" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryHive", + "values": [ + { + "description": "HKEY_LOCAL_MACHINE", + "value": "HKEY_LOCAL_MACHINE" + }, + { + "description": "HKEY_CLASSES_ROOT", + "value": "HKEY_CLASSES_ROOT" + }, + { + "description": "HKEY_CURRENT_CONFIG", + "value": "HKEY_CURRENT_CONFIG" + }, + { + "description": "HKEY_USERS", + "value": "HKEY_USERS" + }, + { + "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" + }, + { + "description": "HKEY_PERFORMANCE_DATA", + "value": "HKEY_PERFORMANCE_DATA" + }, + { + "description": "HKEY_PERFORMANCE_NLSTEXT", + "value": 
"HKEY_PERFORMANCE_NLSTEXT" + }, + { + "description": "HKEY_PERFORMANCE_TEXT", + "value": "HKEY_PERFORMANCE_TEXT" + }, + { + "description": "HKEY_A", + "value": "HKEY_A" + }, + { + "description": "HKEY_CURRENT_USER", + "value": "HKEY_CURRENT_USER" + } + ] + } + }, + "key": { + "description": "The registry key path.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RegistryValueEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry value entity.", + "properties": { + "properties": { + "$ref": "#/definitions/RegistryValueEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryValue" + }, + "RegistryValueEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryValue entity property bag.", + "properties": { + "keyEntityId": { + "description": "The registry key entity id.", + "readOnly": true, + "type": "string" + }, + "valueData": { + "description": "String formatted representation of the value data.", + "readOnly": true, + "type": "string" + }, + "valueName": { + "description": "The registry value name.", + "readOnly": true, + "type": "string" + }, + "valueType": { + "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", + "enum": [ + "None", + "Unknown", + "String", + "ExpandString", + "Binary", + "DWord", + "MultiString", + "QWord" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryValueKind", + "values": [ + { + "description": "None", + "value": "None" + }, + { + "description": "Unknown value type", + "value": "Unknown" + }, + { + "description": "String value type", + "value": "String" + }, + { + "description": "ExpandString value type", + "value": "ExpandString" + }, + { 
+ "description": "Binary value type", + "value": "Binary" + }, + { + "description": "DWord value type", + "value": "DWord" + }, + { + "description": "MultiString value type", + "value": "MultiString" + }, + { + "description": "QWord value type", + "value": "QWord" + } + ] + } + } + }, + "type": "object" + }, + "SecurityAlert": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security alert entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SecurityAlertProperties", + "description": "SecurityAlert entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "SecurityAlertProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityAlert entity property bag.", + "properties": { + "alertDisplayName": { + "description": "The display name of the alert.", + "readOnly": true, + "type": "string" + }, + "alertType": { + "description": "The type name of the alert.", + "readOnly": true, + "type": "string" + }, + "compromisedEntity": { + "description": "Display name of the main entity being reported on.", + "readOnly": true, + "type": "string" + }, + "confidenceLevel": { + "description": "The confidence level of this alert.", + "enum": [ + "Unknown", + "Low", + "High" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceLevel", + "values": [ + { + "description": "Unknown confidence, the is the default value", + "value": "Unknown" + }, + { + "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", + "value": "Low" + }, + { + "description": "High confidence that the alert is true positive malicious", + "value": "High" + } + ] + } + }, + "confidenceReasons": { + "description": "The confidence reasons", + "items": { + "description": "confidence reason item", + "properties": { + "reason": { + 
"description": "The reason's description", + "readOnly": true, + "type": "string" + }, + "reasonType": { + "description": "The type (category) of the reason", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "readOnly": true, + "type": "array" + }, + "confidenceScore": { + "description": "The confidence score of the alert.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "confidenceScoreStatus": { + "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.", + "enum": [ + "NotApplicable", + "InProcess", + "NotFinal", + "Final" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceScoreStatus", + "values": [ + { + "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", + "value": "NotApplicable" + }, + { + "description": "No score was set yet and calculation is in progress", + "value": "InProcess" + }, + { + "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", + "value": "NotFinal" + }, + { + "description": "Final score was calculated and available", + "value": "Final" + } + ] + } + }, + "description": { + "description": "Alert description.", + "readOnly": true, + "type": "string" + }, + "endTimeUtc": { + "description": "The impact end time of the alert (the time of the last event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "intent": { + "description": "Holds the alert intent stage(s) mapping for this alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + 
"readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", + "value": "Probing" + }, + { + "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", + "value": "Exploitation" + }, + { + "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", + "value": "Persistence" + }, + { + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", + "value": "PrivilegeEscalation" + }, + { + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. 
Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ",
+ "value": "DefenseEvasion"
+ },
+ {
+ "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.",
+ "value": "CredentialAccess"
+ },
+ {
+ "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.",
+ "value": "Discovery"
+ },
+ {
+ "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. 
An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.",
+ "value": "LateralMovement"
+ },
+ {
+ "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.",
+ "value": "Execution"
+ },
+ {
+ "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.",
+ "value": "Collection"
+ },
+ {
+ "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.",
+ "value": "Exfiltration"
+ },
+ {
+ "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.",
+ "value": "CommandAndControl"
+ },
+ {
+ "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. 
This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.",
+ "value": "Impact"
+ }
+ ]
+ }
+ },
+ "providerAlertId": {
+ "description": "The identifier of the alert inside the product which generated the alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "processingEndTime": {
+ "description": "The time the alert was made available for consumption.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "productComponentName": {
+ "description": "The name of a component inside the product which generated the alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "productName": {
+ "description": "The name of the product which published this alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "productVersion": {
+ "description": "The version of the product generating the alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "remediationSteps": {
+ "description": "Manual action items to take to remediate the alert.",
+ "items": {
+ "type": "string"
+ },
+ "readOnly": true,
+ "type": "array"
+ },
+ "severity": {
+ "$ref": "AlertTypes.json#/definitions/AlertSeverity",
+ "description": "The severity of the alert"
+ },
+ "startTimeUtc": {
+ "description": "The impact start time of the alert (the time of the first event contributing to the alert).",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "status": {
+ "description": "The lifecycle status of the alert.",
+ "enum": [
+ "Unknown",
+ "New",
+ "Resolved",
+ "Dismissed",
+ "InProgress"
+ ],
+ "readOnly": true,
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AlertStatus",
+ "values": [
+ {
+ "description": "Unknown value",
+ "value": "Unknown"
+ },
+ {
+ "description": "New alert",
+ "value": "New"
+ },
+ {
+ "description": "Alert closed after handling",
+ "value": "Resolved"
+ },
+ {
+ "description": "Alert dismissed as false positive",
+ "value": "Dismissed"
+ },
+ {
+ "description": "Alert is being 
handled",
+ "value": "InProgress"
+ }
+ ]
+ }
+ },
+ "systemAlertId": {
+ "description": "Holds the product identifier of the alert for the product.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "tactics": {
+ "description": "The tactics of the alert",
+ "items": {
+ "$ref": "AlertTypes.json#/definitions/AttackTactic"
+ },
+ "readOnly": true,
+ "type": "array"
+ },
+ "timeGenerated": {
+ "description": "The time the alert was generated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "vendorName": {
+ "description": "The name of the vendor that raise the alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "alertLink": {
+ "description": "The uri link of the alert.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "resourceIdentifiers": {
+ "description": "The list of resource identifiers of the alert.",
+ "items": {
+ "type": "object"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "SecurityGroupEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a security group entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/SecurityGroupEntityProperties",
+ "description": "SecurityGroup entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "SecurityGroup"
+ },
+ "SecurityGroupEntityProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "SecurityGroup entity property bag.",
+ "properties": {
+ "distinguishedName": {
+ "description": "The group distinguished name",
+ "readOnly": true,
+ "type": "string"
+ },
+ "objectGuid": {
+ "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.",
+ "format": "uuid",
+ "readOnly": true,
+ "type": "string"
+ },
+ "sid": {
+ "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group",
+ 
"readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "SubmissionMailEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a submission mail entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/SubmissionMailEntityProperties",
+ "description": "Submission mail entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "SubmissionMail"
+ },
+ "SubmissionMailEntityProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Submission mail entity property bag.",
+ "properties": {
+ "networkMessageId": {
+ "description": "The network message id of email to which submission belongs",
+ "format": "uuid",
+ "readOnly": true,
+ "type": "string"
+ },
+ "submissionId": {
+ "description": "The submission id",
+ "format": "uuid",
+ "readOnly": true,
+ "type": "string"
+ },
+ "submitter": {
+ "description": "The submitter",
+ "readOnly": true,
+ "type": "string"
+ },
+ "submissionDate": {
+ "description": "The submission date",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "timestamp": {
+ "description": "The Time stamp when the message is received (Mail)",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "recipient": {
+ "description": "The recipient of the mail",
+ "readOnly": true,
+ "type": "string"
+ },
+ "sender": {
+ "description": "The sender of the mail",
+ "readOnly": true,
+ "type": "string"
+ },
+ "senderIp": {
+ "description": "The sender's IP",
+ "readOnly": true,
+ "type": "string"
+ },
+ "subject": {
+ "description": "The subject of submission mail",
+ "readOnly": true,
+ "type": "string"
+ },
+ "reportType": {
+ "description": "The submission type for the given instance. 
This maps to Junk, Phish, Malware or NotJunk.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligence": {
+ "description": "ThreatIntelligence property bag.",
+ "properties": {
+ "confidence": {
+ "description": "Confidence (must be between 0 and 1)",
+ "format": "double",
+ "readOnly": true,
+ "type": "number"
+ },
+ "providerName": {
+ "description": "Name of the provider from whom this Threat Intelligence information was received",
+ "readOnly": true,
+ "type": "string"
+ },
+ "reportLink": {
+ "description": "Report link",
+ "readOnly": true,
+ "type": "string"
+ },
+ "threatDescription": {
+ "description": "Threat description (free text)",
+ "readOnly": true,
+ "type": "string"
+ },
+ "threatName": {
+ "description": "Threat name (e.g. \"Jedobot malware\")",
+ "readOnly": true,
+ "type": "string"
+ },
+ "threatType": {
+ "description": "Threat type (e.g. \"Botnet\")",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "UrlEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a url entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/UrlEntityProperties",
+ "description": "Url entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Url"
+ },
+ "UrlEntityProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Url entity property bag.",
+ "properties": {
+ "url": {
+ "description": "A full URL the entity points to",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "EntityCommonProperties": {
+ "description": "Entity common property bag.",
+ "properties": {
+ "additionalData": {
+ "additionalProperties": {
+ "type": "object"
+ },
+ "description": "A bag of custom fields that should be part of the entity and will be presented to the user.",
+ "readOnly": true,
+ "type": "object"
+ },
+ "friendlyName": {
+ 
"description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "parameters": {}
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
index e74e8243a16d..bc48c6e705bd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/IncidentTypes.json
@@ -1,7 +1,7 @@
 {
 "swagger": "2.0",
 "info": {
- "version": "2021-09-01-preview",
+ "version": "2021-10-01",
 "title": "Common Incident types"
 },
 "paths": {},
From fdfa1e23829b8648a9abe7e4dfef93ede4d49e63 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Thu, 4 Nov 2021 17:03:19 +0200
Subject: [PATCH 09/12] Correct double allOf in EntityTypes
---
 .../stable/2021-10-01/common/EntityTypes.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json
index 4e888411e6cc..3575ac5bfc9c 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/common/EntityTypes.json
@@ -233,11 +233,14 @@
 "allOf": [
 {
 "$ref": "../../../../../../common-types/resource-management/v3/types.json#/definitions/Resource"
- },
- {
- "$ref": "#/definitions/EntityKind"
 }
 ],
+ "properties": {
+ "kind": {
+ "$ref": "#/definitions/EntityInnerKind",
+ "description": "The kind of the entity."
+ }
+ },
 "description": "Specific entity.",
 "discriminator": "kind",
 "type": "object",
From 8c602d0b62860ac96ff1593cd1f2a1c2e67b8028 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Thu, 4 Nov 2021 17:16:26 +0200
Subject: [PATCH 10/12] update readme
---
 specification/securityinsights/resource-manager/readme.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md
index 52cf65f4ea12..95431bd92d07 100644
--- a/specification/securityinsights/resource-manager/readme.md
+++ b/specification/securityinsights/resource-manager/readme.md
@@ -26,7 +26,7 @@ These are the global settings for the SecurityInsights API.
 ``` yaml
 openapi-type: arm
-tag: package-2021-10
+tag: package-2020-01
 ```
@@ -39,7 +39,7 @@ input-file:
 - Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
 - Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json
 - Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json
- - Microsoft.SecurityInsights/stable/2021-10-01/operations.json
+ - Microsoft.SecurityInsights/stable/2021-10-01/Operations.json
 - Microsoft.SecurityInsights/stable/2021-10-01/OnboardingStates.json
 - Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
 - Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json
From b09ad4a78aa8704f1b35c2c67a362565da929748 Mon Sep 17 00:00:00 2001
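Review bot: The new `kind` property is the value named by `"discriminator": "kind"` a few lines below, and Swagger 2.0 requires the discriminator property to be listed under `required`; this hunk shows no `required` array, so unless the rest of this definition (which starts before and continues after the hunk) already declares it, add `"required": ["kind"]` beside the `discriminator` line so validators and generated clients reject an entity payload with no kind. The added `$ref` also changes target from the removed `#/definitions/EntityKind` to `#/definitions/EntityInnerKind`; confirm that definition exists in this file, since a dangling `$ref` only surfaces at build time. If `EntityInnerKind` is the enum that the discriminator values (`x-ms-discriminator-value`) must match, a one-line `"description"` on it stating that contract would help the next maintainer.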
From: Anat Gilenson
Date: Thu, 4 Nov 2021 18:11:52 +0200
Subject: [PATCH 11/12] Remove eventGroupingSettings and entityMappings from GetAlertRuleTemplateById example.
---
 .../GetAlertRuleTemplateById.json | 23 -------------------
 1 file changed, 23 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index a9ea1024db31..d01590d4e946 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -23,9 +23,6 @@
 "triggerThreshold": 0,
 "displayName": "Changes to Amazon VPC settings",
 "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
- "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
- },
 "tactics": [
 "PrivilegeEscalation",
 "LateralMovement"
@@ -42,26 +39,6 @@
 ]
 }
 ],
- "entityMappings": [
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ]
- }
- ],
 "alertRulesCreatedByTemplateCount": 0
 }
 }
From 1fd99339367638b9646d7073c43dc3b7e9185e87 Mon Sep 17 00:00:00 2001
From: Anat Gilenson
Date: Thu, 4 Nov 2021 18:25:59 +0200
Subject: [PATCH 12/12] rename operations.json
---
 specification/securityinsights/resource-manager/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md
index 95431bd92d07..9950773c5db9 100644
--- a/specification/securityinsights/resource-manager/readme.md
+++ b/specification/securityinsights/resource-manager/readme.md
@@ -39,7 +39,7 @@ input-file:
 - Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json
 - Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json
 - Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json
- - Microsoft.SecurityInsights/stable/2021-10-01/Operations.json
+ - Microsoft.SecurityInsights/stable/2021-10-01/operations.json
 - Microsoft.SecurityInsights/stable/2021-10-01/OnboardingStates.json
 - Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json
 - Microsoft.SecurityInsights/stable/2021-10-01/Bookmarks.json