diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/AutomationRules.json index 246e717c76be..4d67d1d719af 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/AutomationRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/AutomationRules.json @@ -14,7 +14,7 @@ "tags": [ "automationRules" ], - "description": "Gets the automation rule", + "description": "Gets the automation rule.", "operationId": "AutomationRules_Get", "produces": [ "application/json" @@ -60,7 +60,7 @@ "tags": [ "automationRules" ], - "description": "Creates or updates the automation rule", + "description": "Creates or updates the automation rule.", "operationId": "AutomationRules_CreateOrUpdate", "consumes": [ "application/json" @@ -123,7 +123,7 @@ "tags": [ "automationRules" ], - "description": "Delete the automation rule", + "description": "Delete the automation rule.", "operationId": "AutomationRules_Delete", "produces": [ "application/json" @@ -177,7 +177,7 @@ "tags": [ "automationRules" ], - "description": "Gets all automation rules", + "description": "Gets all automation rules.", "operationId": "AutomationRules_List", "produces": [ "application/json" @@ -223,7 +223,7 @@ }, "definitions": { "ActionType": { - "description": "The type of the automation rule action", + "description": "The type of the automation rule action.", "enum": [ "ModifyProperties", "RunPlaybook" @@ -264,7 +264,7 @@ } }, "AutomationRuleAction": { - "description": "Describes an automation rule action", + "description": "Describes an automation rule action.", "required": [ "actionType", "order" 
@@ -282,7 +282,7 @@ "discriminator": "actionType" }, "AutomationRuleCondition": { - "description": "Describes an automation rule condition", + "description": "Describes an automation rule condition.", "required": [ "conditionType" ], @@ -295,7 +295,7 @@ "discriminator": "conditionType" }, "AutomationRuleModifyPropertiesAction": { - "description": "Describes an automation rule action to modify an object's properties.", + "description": "Describes an automation rule action to modify an object's properties", "type": "object", "allOf": [ { @@ -322,13 +322,13 @@ "type": "object", "properties": { "displayName": { - "description": "The display name of the automation rule", + "description": "The display name of the automation rule.", "type": "string", "maxLength": 500 }, "order": { "format": "int32", - "description": "The order of execution of the automation rule", + "description": "The order of execution of the automation rule.", "type": "integer", "minimum": 1, "maximum": 1000 @@ -337,7 +337,7 @@ "$ref": "#/definitions/AutomationRuleTriggeringLogic" }, "actions": { - "description": "The actions to execute when the automation rule is triggered", + "description": "The actions to execute when the automation rule is triggered.", "type": "array", "items": { "$ref": "#/definitions/AutomationRuleAction" @@ -347,13 +347,13 @@ }, "lastModifiedTimeUtc": { "format": "date-time", - "description": "The last time the automation rule was updated", + "description": "The last time the automation rule was updated.", "type": "string", "readOnly": true }, "createdTimeUtc": { "format": "date-time", - "description": "The time the automation rule was created", + "description": "The time the automation rule was created.", "type": "string", "readOnly": true }, 
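Review bot: The `AutomationRuleModifyPropertiesAction` hunk removes the trailing period from its description while every other description touched in this commit gains one, so the definitions end up less consistent than before. Keep it as `"description": "Describes an automation rule action to modify an object's properties."` to match `AutomationRuleAction`, `AutomationRuleCondition` and the rest of the file.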
@@ -367,6 +367,115 @@ } } }, + "AutomationRulePropertyArrayChangedConditionSupportedArrayType": { + "enum": [ + "Alerts", + "Labels", + "Tactics", + "Comments" + ], + "type": "string", + "example": "Alerts", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayChangedConditionSupportedArrayType", + "modelAsString": true, + "values": [ + { + "value": "Alerts", + "description": "Evaluate the condition on the alerts" + }, + { + "value": "Labels", + "description": "Evaluate the condition on the labels" + }, + { + "value": "Tactics", + "description": "Evaluate the condition on the tactics" + }, + { + "value": "Comments", + "description": "Evaluate the condition on the comments" + } + ] + } + }, + "AutomationRulePropertyArrayChangedConditionSupportedChangeType": { + "enum": [ + "Added" + ], + "type": "string", + "example": "Added", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayChangedConditionSupportedChangeType", + "modelAsString": true, + "values": [ + { + "value": "Added", + "description": "Evaluate the condition on items added to the array" + } + ] + } + }, + "AutomationRulePropertyArrayChangedValuesCondition": { + "type": "object", + "properties": { + "arrayType": { + "$ref": "#/definitions/AutomationRulePropertyArrayChangedConditionSupportedArrayType" + }, + "changeType": { + "$ref": "#/definitions/AutomationRulePropertyArrayChangedConditionSupportedChangeType" + } + } + }, + "AutomationRulePropertyChangedConditionSupportedChangedType": { + "enum": [ + "ChangedFrom", + "ChangedTo" + ], + "type": "string", + "example": "ChangedFrom", + "x-ms-enum": { + "name": "AutomationRulePropertyChangedConditionSupportedChangedType", + "modelAsString": true, + "values": [ + { + "value": "ChangedFrom", + "description": "Evaluate the condition on the previous value of the property" + }, + { + "value": "ChangedTo", + "description": "Evaluate the condition on the updated value of the property" + } + ] + } + }, + 
"AutomationRulePropertyChangedConditionSupportedPropertyType": { + "enum": [ + "IncidentSeverity", + "IncidentStatus", + "IncidentOwner" + ], + "type": "string", + "example": "IncidentSeverity", + "x-ms-enum": { + "name": "AutomationRulePropertyChangedConditionSupportedPropertyType", + "modelAsString": true, + "values": [ + { + "value": "IncidentSeverity", + "description": "Evaluate the condition on the incident severity" + }, + { + "value": "IncidentStatus", + "description": "Evaluate the condition on the incident status" + }, + { + "value": "IncidentOwner", + "description": "Evaluate the condition on the incident owner" + } + ] + } + }, "AutomationRulePropertyConditionSupportedOperator": { "enum": [ "Equals", @@ -420,7 +529,7 @@ } }, "AutomationRulePropertyConditionSupportedProperty": { - "description": "The property to evaluate in an automation rule property condition", + "description": "The property to evaluate in an automation rule property condition.", "enum": [ "IncidentTitle", "IncidentDescription", @@ -430,6 +539,7 @@ "IncidentTactics", "IncidentLabel", "IncidentProviderName", + "IncidentUpdatedBySource", "AccountAadTenantId", "AccountAadUserId", "AccountName", @@ -439,6 +549,7 @@ "AccountObjectGuid", "AccountUPNSuffix", "AlertProductNames", + "AlertAnalyticRuleIds", "AzureResourceResourceId", "AzureResourceSubscriptionId", "CloudApplicationAppId", @@ -515,6 +626,10 @@ "value": "IncidentProviderName", "description": "The provider name of the incident" }, + { + "value": "IncidentUpdatedBySource", + "description": "The update source of the incident" + }, { "value": "AccountAadTenantId", "description": "The account Azure Active Directory tenant id" @@ -551,6 +666,10 @@ "value": "AlertProductNames", "description": "The name of the product of the alert" }, + { + "value": "AlertAnalyticRuleIds", + "description": "The analytic rule ids of the alert" + }, { "value": "AzureResourceResourceId", "description": "The Azure resource id" 
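Review bot: None of the new enum definitions (`AutomationRulePropertyArrayChangedConditionSupportedArrayType`, `...SupportedChangeType`, `...SupportedChangedType`, `...SupportedPropertyType`) nor the `AutomationRulePropertyArrayChangedValuesCondition` object carries a top-level `description`, unlike `ActionType` and the other existing definitions in this file, so generated SDK docs will have no summary for them. Add one per definition, e.g. `"description": "The array property of the object whose change the condition evaluates."` on the array-type enum and `"description": "Describes an automation rule condition that evaluates items added to an array property."` on the condition object. `AutomationRulePropertyArrayChangedValuesCondition` also marks neither `arrayType` nor `changeType` as required, so an empty `"conditionProperties": {}` validates against the schema; if the service rejects that, add `"required": ["arrayType", "changeType"]`. This hunk (`@@ -367,6 +367,115 @@`) begins on the previous physical line.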
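Review bot: The description of the new `IncidentUpdatedBySource` value, `The update source of the incident`, does not say what values the property can take, which matters because it is the property a rule would use to tell an update made by a user from one made by automation. A more useful description would enumerate the sources the service reports; I cannot tell from this file what they are, so that wording needs to come from the service owner. The enum also now mixes `Alert*` and `Incident*` properties without stating which are valid for a rule with `triggersOn: Alerts` versus `Incidents` (e.g. `AlertAnalyticRuleIds` vs `IncidentTactics`); one sentence on the `AutomationRulePropertyConditionSupportedProperty` description would save consumers a failed request.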
@@ -702,6 +821,26 @@ ] } }, + "AutomationRulePropertyValuesChangedCondition": { + "type": "object", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyChangedConditionSupportedPropertyType" + }, + "changeType": { + "$ref": "#/definitions/AutomationRulePropertyChangedConditionSupportedChangedType" + }, + "operator": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedOperator" + }, + "propertyValues": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "AutomationRulePropertyValuesCondition": { "type": "object", "properties": { @@ -751,7 +890,7 @@ } }, "AutomationRuleTriggeringLogic": { - "description": "Describes automation rule triggering logic", + "description": "Describes automation rule triggering logic.", "required": [ "isEnabled", "triggersOn", @@ -760,7 +899,7 @@ "type": "object", "properties": { "isEnabled": { - "description": "Determines whether the automation rule is enabled or disabled", + "description": "Determines whether the automation rule is enabled or disabled.", "type": "boolean" }, "expirationTimeUtc": { @@ -775,7 +914,7 @@ "$ref": "#/definitions/triggersWhen" }, "conditions": { - "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object.", "type": "array", "maxItems": 50, "items": { @@ -789,7 +928,9 @@ }, "ConditionType": { "enum": [ - "Property" + "Property", + "PropertyChanged", + "PropertyArrayChanged" ], "type": "string", "example": "Property", @@ -800,6 +941,14 @@ { "value": "Property", "description": "Evaluate an object property value" + }, + { + "value": "PropertyChanged", + "description": "Evaluate an object property changed value" + }, + { + "value": "PropertyArrayChanged", + "description": "Evaluate an object array property changed value" } ] } 
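Review bot: `AutomationRulePropertyValuesChangedCondition` has no `required` list and no property descriptions, and `propertyValues` is an unbounded string array, whereas `conditions` on `AutomationRuleTriggeringLogic` in the same file is capped with `"maxItems": 50`. Add descriptions for `propertyName`, `changeType`, `operator` and `propertyValues` (e.g. `"description": "The values to compare the changed property against."`), mark the fields the service actually requires, and add a `maxItems` on `propertyValues` if the service enforces a limit. The new `ConditionType` value descriptions `Evaluate an object property changed value` and `Evaluate an object array property changed value` read awkwardly; `Evaluate whether an object property's value changed` and `Evaluate whether items in an object's array property changed` say the same thing more clearly.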
@@ -820,14 +969,14 @@ "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum" }, "classificationComment": { - "description": "Describes the reason the incident was closed", + "description": "Describes the reason the incident was closed.", "type": "string" }, "owner": { "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo" }, "labels": { - "description": "List of labels to add to the incident", + "description": "List of labels to add to the incident.", "type": "array", "x-ms-identifiers": [ "labelName" 
@@ -845,16 +994,50 @@ ], "properties": { "logicAppResourceId": { - "description": "The resource id of the playbook resource", + "description": "The resource id of the playbook resource.", "type": "string" }, "tenantId": { "format": "uuid", - "description": "The tenant id of the playbook resource", + "description": "The tenant id of the playbook resource.", "type": "string" } } }, + "PropertyArrayChangedConditionProperties": { + "description": "Describes an automation rule condition that evaluates an array property's value change", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyArrayChangedValuesCondition" + } + }, + "x-ms-discriminator-value": "PropertyArrayChanged", + "x-ms-client-flatten": true + }, + "PropertyChangedConditionProperties": { + "description": "Describes an automation rule condition that evaluates a property's value change", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyValuesChangedCondition" + } + }, + "x-ms-discriminator-value": "PropertyChanged", + "x-ms-client-flatten": true + }, "PropertyConditionProperties": { "description": "Describes an automation rule condition that evaluates a property's value", "type": "object", @@ -874,7 +1057,8 @@ }, "triggersOn": { "enum": [ - "Incidents" + "Incidents", + "Alerts" ], "type": "string", "example": "Incidents", @@ -885,13 +1069,18 @@ { "value": "Incidents", "description": "Trigger on Incidents" + }, + { + "value": "Alerts", + "description": "Trigger on Alerts" } ] } }, "triggersWhen": { "enum": [ - "Created" + "Created", + "Updated" ], "type": "string", "example": "Created", 
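Review bot: In `PropertyArrayChangedConditionProperties` and `PropertyChangedConditionProperties` the `conditionProperties` schema places `"type": "object"` beside `"$ref"`; under the draft-04 rules Swagger 2.0 inherits, siblings of `$ref` are ignored, and the referenced definitions already declare `"type": "object"`, so the extra keyword adds nothing. Drop it, or keep it only for parity if the existing `PropertyConditionProperties` does the same — that definition's body is cut off at the end of this hunk so I cannot confirm. Both new descriptions also lack the trailing period the rest of this commit adds; use `"Describes an automation rule condition that evaluates a property's value change."` and the array counterpart. Separately, `triggersOn` and `triggersWhen` now admit four combinations but nothing states whether `Alerts` with `Updated` is accepted; if it is not, say so in the `triggersWhen` description.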
@@ -902,6 +1091,10 @@ { "value": "Created", "description": "Trigger on created objects" + }, + { + "value": "Updated", + "description": "Trigger on updated objects" } ] } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_CreateOrUpdate.json index 53bfb29ab60d..6063aa64209f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_CreateOrUpdate.json @@ -11,17 +11,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "High severity incidents escalation", + "displayName": "Suspicious alerts in workspace", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Incidents", + "triggersOn": "Alerts", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "IncidentRelatedAnalyticRuleIds", + "propertyName": "AlertAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", 
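Review bot: The new `Updated` trigger value is described only as `Trigger on updated objects`, which leaves open whether an update performed by an automation rule's own `ModifyProperties` action, or by a playbook it runs, counts as an update that re-triggers rules. That is the question a consumer needs answered before enabling an `Updated` rule, because the wrong answer is a feedback loop that keeps modifying the incident and re-running playbooks. I cannot tell from the spec how the service behaves, so the description should state it explicitly; the `IncidentUpdatedBySource` property added elsewhere in this commit looks like the intended way to filter on the update's origin, and if so something like `"description": "Trigger on updated objects. Use the IncidentUpdatedBySource property condition to restrict the rule to updates from a particular source."` would point consumers at it.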
@@ -34,9 +34,10 @@ "actions": [ { "order": 1, - "actionType": "ModifyProperties", + "actionType": "RunPlaybook", "actionConfiguration": { - "severity": "High" + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourcegroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts", + "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d" } } ], @@ -65,17 +66,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "High severity incidents escalation", + "displayName": "Suspicious alerts in workspace", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Incidents", + "triggersOn": "Alerts", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "IncidentRelatedAnalyticRuleIds", + "propertyName": "AlertAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -88,9 +89,10 @@ "actions": [ { "order": 1, - "actionType": "ModifyProperties", + "actionType": "RunPlaybook", "actionConfiguration": { - "severity": "High" + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourcegroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts", + "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d" } } ], 
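Review bot: The `logicAppResourceId` in the new `RunPlaybook` example uses `/resourcegroups/myRg/` while the `alertRules` id a few lines above uses `/resourceGroups/myRg/`; ARM treats that segment case-insensitively, but an example should not mix casings within one document. Use `/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts`. Switching every example in this commit from `ModifyProperties` to `RunPlaybook` also means these files no longer show a `ModifyProperties` action configuration at all; unless another example covers it, keep one rule with a `ModifyProperties` action so both action types remain exercised by example validation.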
@@ -118,17 +120,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "High severity incidents escalation", + "displayName": "Suspicious alerts in workspace", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Incidents", + "triggersOn": "Alerts", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "IncidentRelatedAnalyticRuleIds", + "propertyName": "AlertAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -141,9 +143,10 @@ "actions": [ { "order": 1, - "actionType": "ModifyProperties", + "actionType": "RunPlaybook", "actionConfiguration": { - "severity": "High" + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourcegroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts", + "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d" } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_Get.json index 22a316f7fbfe..c038304a9ee1 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_Get.json 
@@ -14,17 +14,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "High severity incidents escalation", + "displayName": "Suspicious alerts in workspace", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Incidents", + "triggersOn": "Alerts", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "IncidentRelatedAnalyticRuleIds", + "propertyName": "AlertAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -37,9 +37,10 @@ "actions": [ { "order": 1, - "actionType": "ModifyProperties", + "actionType": "RunPlaybook", "actionConfiguration": { - "severity": "High" + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourcegroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts", + "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d" } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_List.json index 9724b89aa0fe..6a5dd6820a9b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2022-11-01/examples/automationRules/AutomationRules_List.json 
@@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2022-11-01-preview", + "api-version": "2022-11-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" @@ -15,17 +15,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "High severity incidents escalation", + "displayName": "Suspicious alerts in workspace", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Incidents", + "triggersOn": "Alerts", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "IncidentRelatedAnalyticRuleIds", + "propertyName": "AlertAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -38,9 +38,10 @@ "actions": [ { "order": 1, - "actionType": "ModifyProperties", + "actionType": "RunPlaybook", "actionConfiguration": { - "severity": "High" + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourcegroups/myRg/providers/Microsoft.Logic/workflows/mail-notify-suspicious-alerts", + "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d" } } ],
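Review bot: Only `AutomationRules_List.json` has its `api-version` parameter corrected from `2022-11-01-preview` to `2022-11-01` here; the `AutomationRules_Get.json` and `AutomationRules_CreateOrUpdate.json` hunks start at lines 14 and 11, so their `parameters` blocks are not shown and I cannot tell whether they still carry the preview version. Worth confirming all three declare `"api-version": "2022-11-01"`, since a stable spec's examples are normally checked against the spec's own version.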