From fbc7bdd21b911a4fcc55d74d832d729140ef1cf1 Mon Sep 17 00:00:00 2001
From: Gal Malka
Date: Sun, 30 Dec 2018 15:54:52 +0200
Subject: [PATCH 1/6] Security: 2017-08-01-preview - Introduce IoT security groups resource

* Add the relevant resource definitions
* Add get, put, delete, list operations
---
 .../DeleteIotSecurityGroups_example.json | 11 +
 .../GetIotSecurityGroups_example.json | 189 ++++++++
 .../PutIotSecurityGroups_example.json | 207 +++++++++
 .../preview/2017-08-01-preview/security.json | 433 +++++++++++++++++-
 4 files changed, 838 insertions(+), 2 deletions(-)
 create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
 create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
 create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json

diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
new file mode 100644
index 000000000000..287981ef9ba3
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
@@ -0,0 +1,11 @@
+{
+ "parameters":{
+ "api-version":"2017-08-01-preview",
+ "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
+ "iotSecurityGroupName ":"samplesecuritygroup"
+ },
+ "responses":{
+ "204":{
+ }
+ }
+}
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
new file mode 100644
index 000000000000..0f7d6eeb3e49
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
@@ -0,0 +1,189 @@ +{ + "parameters":{ + "api-version":"2017-08-01-preview", + "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub", + "iotSecurityGroupName ":"samplesecuritygroup" + }, + "responses":{ + "200":{ + "body":{ + "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup", + "name":"samplesecuritygroup", + "type":"Microsoft.Security/iotSecurityGroups", + "properties":{ + "thresholdRules":[], + "timeWindowRules":[ + { + "ruleType":"ActiveConnectionsNotInAllowedRange", + "displayName":"Number of active connections is not in allowed range", + "description":"Get an alert when the number of active connections of a device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"AmqpC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (AMQP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (MQTT protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (HTTP protocol) in 
the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"AmqpC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (AMQP protocol) that were rejected by the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (MQTT protocol) that were rejected by the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (HTTP protocol) that were rejected by the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"AmqpD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of device to cloud messages (AMQP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number 
of device to cloud messages (MQTT protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of device to cloud messages (HTTP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"DirectMethodInvokesNotInAllowedRange", + "displayName":"Number of direct method invokes is not in allowed range", + "description":"Get an alert when the number of direct method invokes in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"FailedLocalLoginsNotInAllowedRange", + "displayName":"Number of failed local logins is not in allowed range", + "description":"Get an alert when the number of failed local logins on the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"FileUploadsNotInAllowedRange", + "displayName":"Number of file uploads is not in allowed range", + "description":"Get an alert when the number of file uploads from the device to the cloud in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"QueuePurgesNotInAllowedRange", + "displayName":"Number of device queue purges is not in allowed range", + "description":"Get an alert when the number of device queue purges in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"TwinUpdatesNotInAllowedRange", + 
"displayName":"Number of twin updates is not in allowed range", + "description":"Get an alert when the number of twin updates (by the device or the service) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"UnauthorizedOperationsNotInAllowedRange", + "displayName":"Number of unauthorized operations is not in allowed range", + "description":"Get an alert when the number unauthorized operations in the time window is not in the allowed range. Unauthorized operations are operations that affect the device (or done by it) that fail because of an unauthorized error", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + } + ], + "allowlistRules":[ + { + "ruleType":"ConnectionToIpNotAllowed", + "displayName":"Outbound connection to an ip that isn't allowed", + "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed", + "isEnabled":false, + "allowlistValues":[] + }, + { + "ruleType":"LocalUserNotAllowed", + "displayName":"Login by a local user that isn't allowed", + "description":"Get an alert when a local user that isn't allowed logins to the device", + "isEnabled":false, + "allowlistValues":[] + }, + { + "ruleType":"ProcessNotAllowed", + "displayName":"Execution of a process that isn't allowed", + "description":"Get an alert when a process that isn't allowed is executed", + "isEnabled":false, + "allowlistValues":[] + } + ], + "denylistRules":[] + } + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json new file mode 100644 index 000000000000..c35da6f0f2cc --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json 
@@ -0,0 +1,207 @@ +{ + "parameters":{ + "api-version":"2017-08-01-preview", + "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub", + "iotSecurityGroupName ":"samplesecuritygroup", + "iotSecurityGroup": { + "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup", + "name":"samplesecuritygroup", + "type":"Microsoft.Security/iotSecurityGroups", + "properties": { + "timeWindowRules":[ + { + "ruleType":"ActiveConnectionsNotInAllowedRange", + "displayName":"Number of active connections is not in allowed range", + "description":"Get an alert when the number of active connections of a device in the time window is not in the allowed range", + "isEnabled":true, + "minThreshold":0, + "maxThreshold":30, + "timeWindowSize":"PT05M" + } + ] + } + } + }, + "responses":{ + "200":{ + "body":{ + "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup", + "name":"samplesecuritygroup", + "type":"Microsoft.Security/iotSecurityGroups", + "properties":{ + "thresholdRules":[], + "timeWindowRules":[ + { + "ruleType":"ActiveConnectionsNotInAllowedRange", + "displayName":"Number of active connections is not in allowed range", + "description":"Get an alert when the number of active connections of a device in the time window is not in the allowed range", + "isEnabled":true, + "minThreshold":0, + "maxThreshold":30, + "timeWindowSize":"PT05M" + }, + { + "ruleType":"AmqpC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (AMQP protocol) in the time window is not in the allowed range", + 
"isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (MQTT protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpC2DMessagesNotInAllowedRange", + "displayName":"Number of cloud to device messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (HTTP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"AmqpC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (AMQP protocol) that were rejected by the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (MQTT protocol) that were rejected by the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpC2DRejectedMessagesNotInAllowedRange", + "displayName":"Number of rejected cloud to device messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of cloud to device messages (HTTP protocol) that were rejected by the device in 
the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"AmqpD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (AMQP protocol) is not in allowed range", + "description":"Get an alert when the number of device to cloud messages (AMQP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"MqttD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (MQTT protocol) is not in allowed range", + "description":"Get an alert when the number of device to cloud messages (MQTT protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"HttpD2CMessagesNotInAllowedRange", + "displayName":"Number of device to cloud messages (HTTP protocol) is not in allowed range", + "description":"Get an alert when the number of device to cloud messages (HTTP protocol) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"DirectMethodInvokesNotInAllowedRange", + "displayName":"Number of direct method invokes is not in allowed range", + "description":"Get an alert when the number of direct method invokes in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"FailedLocalLoginsNotInAllowedRange", + "displayName":"Number of failed local logins is not in allowed range", + "description":"Get an alert when the number of failed local logins on the device in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + 
"ruleType":"FileUploadsNotInAllowedRange", + "displayName":"Number of file uploads is not in allowed range", + "description":"Get an alert when the number of file uploads from the device to the cloud in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"QueuePurgesNotInAllowedRange", + "displayName":"Number of device queue purges is not in allowed range", + "description":"Get an alert when the number of device queue purges in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"TwinUpdatesNotInAllowedRange", + "displayName":"Number of twin updates is not in allowed range", + "description":"Get an alert when the number of twin updates (by the device or the service) in the time window is not in the allowed range", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + }, + { + "ruleType":"UnauthorizedOperationsNotInAllowedRange", + "displayName":"Number of unauthorized operations is not in allowed range", + "description":"Get an alert when the number unauthorized operations in the time window is not in the allowed range. 
Unauthorized operations are operations that affect the device (or done by it) that fail because of an unauthorized error", + "isEnabled":false, + "minThreshold":0, + "maxThreshold":0, + "timeWindowSize":"PT15M" + } + ], + "allowlistRules":[ + { + "ruleType":"ConnectionToIpNotAllowed", + "displayName":"Outbound connection to an ip that isn't allowed", + "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed", + "isEnabled":false, + "allowlistValues":[] + }, + { + "ruleType":"LocalUserNotAllowed", + "displayName":"Login by a local user that isn't allowed", + "description":"Get an alert when a local user that isn't allowed logins to the device", + "isEnabled":false, + "allowlistValues":[] + }, + { + "ruleType":"ProcessNotAllowed", + "displayName":"Execution of a process that isn't allowed", + "description":"Get an alert when a process that isn't allowed is executed", + "isEnabled":false, + "allowlistValues":[] + } + ], + "denylistRules":[] + } + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json index b01420e8dc9c..a8b5849848fa 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json 
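Review bot: The request body under `parameters.iotSecurityGroup` carries `id`, `name` and `type`; `IotSecurityGroup` inherits those from `#/definitions/Resource` (outside this diff), and on ARM specs they are normally `readOnly`, in which case the example validator rejects them in a PUT request, so the request should contain only `properties`. The `parameters` block also has the same `"iotSecurityGroupName "` key with a trailing space that patch 2 corrects for the Delete and Get examples; patch 2's rewrite of this file is not in view, so confirm the fix lands here too. Within the response body the `UnauthorizedOperationsNotInAllowedRange` description reads "the number unauthorized operations", missing "of"; the same string appears in the Get example and should be corrected in both.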
@@ -815,6 +815,147 @@ } } }, + "/{resourceId}/providers/Microsoft.Security/iotSecurityGroups": { + "get": { + "tags": ["IotSecurityGroups"], + "description": "Gets the list of security groups for the specified IoT hub resource.", + "operationId": "IotSecurityGroups_List", + "parameters": [{ + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/ResourceId" + }, + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IotSecurityGroupList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/{resourceId}/providers/Microsoft.Security/iotSecurityGroups/{iotSecurityGroupName}": { + "get": { + "x-ms-examples": { + "Get an IoT security group for the specified IoT hub resource": { + "$ref": "./examples/IotSecurityGroups/GetIotSecurityGroups_example.json" + } + }, + "tags": [ "IotSecurityGroups" ], + "description": "Gets the security group for the specified IoT hub resource.", + "operationId": "IotSecurityGroups_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/ResourceId" + }, + { + "$ref": "#/parameters/IotSecurityGroupName" + } + ], + "responses": { + "200": { + "description": "Successful request to get security group.", + "schema": { + "$ref": "#/definitions/IotSecurityGroup" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create or update an IoT security group for the specified IoT hub resource": { + "$ref": "./examples/IotSecurityGroups/PutIotSecurityGroups_example.json" + } + }, + "tags": [ "IotSecurityGroups" ], + "description": "Creates or updates the security group on a specified IoT hub resource.", + "operationId": "IotSecurityGroups_Put", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + 
}, + { + "$ref": "#/parameters/ResourceId" + }, + { + "$ref": "#/parameters/IotSecurityGroupName" + }, + { + "$ref": "#/parameters/IotSecurityGroup" + } + ], + "responses": { + "200": { + "description": "Security group was updated", + "schema": { + "$ref": "#/definitions/IotSecurityGroup" + } + }, + "201": { + "description": "Security group was created", + "schema": { + "$ref": "#/definitions/IotSecurityGroup" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an IoT security group for the specified IoT hub resource": { + "$ref": "./examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json" + } + }, + "tags": ["IotSecurityGroups"], + "description": "Deletes the security group", + "operationId": "IotSecurityGroups_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/ResourceId" + }, + { + "$ref": "#/parameters/IotSecurityGroupName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/settings": { "get": { "x-ms-examples": { 
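Review bot: The new path items contain trailing commas that make security.json invalid under RFC 8259: in `IotSecurityGroups_List` the `parameters` array ends `"$ref": "#/parameters/ResourceId" }, ],` and the `delete` operation's closing `},` is followed directly by the path item's `},`. Lenient parsers tolerate this, but strict ones (`jq`, Python's `json`, most CI linters) reject the whole file, so drop both commas. `IotSecurityGroups_List` is also the only one of the four operations without `x-ms-examples`; patch 2 adds `ListIotSecurityGroups_example.json` and its security.json hunk is not in view, so confirm that it both wires the example and removes these commas. The `delete` description `"Deletes the security group"` lacks the terminating period its siblings have.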
@@ -1686,7 +1827,276 @@ "description": "Indicates whether the keyword is excluded or not." } } - } + }, + "IotSecurityGroupList": { + "type": "object", + "readOnly": true, + "description": "List of IoT security groups", + "properties": { + "value": { + "type": "array", + "description": "List of IoT security group objects", + "items": { + "$ref": "#/definitions/IotSecurityGroup" + } + } + } + }, + "IotSecurityGroup": { + "type": "object", + "description": "The IoT security group resource", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "IoT Security group data", + "$ref": "#/definitions/IotSecurityGroupProperties" + } + }, + "allOf": [{ + "$ref": "#/definitions/Resource" + } + ] + }, + "IotSecurityGroupProperties": { + "type": "object", + "description": "describes properties of a security group.", + "properties": { + "thresholdRules": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/ThresholdCustomAlertRule" + } + }, + "timeWindowRules": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/TimeWindowCustomAlertRule" + } + }, + "allowlistRules": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/AllowlistCustomAlertRule" + } + }, + "denylistRules": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/DenylistCustomAlertRule" + } + }, + } + }, + "CustomAlertRule": { + "type": "object", + "description": "A custom alert rule", + "properties": { + "displayName": { + "type": "string", + "readOnly": true, + "description": "The display name of the custom alert." + }, + "description": { + "type": "string", + "readOnly": true, + "description": "The description of the custom alert." + }, + "isEnabled": { + "type": "boolean", + "description": "Whether the custom alert is enabled." + }, + "ruleType": { + "type": "string", + "description": "The type of the custom alert rule." 
+ } + }, + "required": [ + "isEnabled", + "ruleType" + ] + }, + "AllowlistCustomAlertRule": { + "type": "object", + "description": "A custom alert rule that checks if a value (depends on the custom alert type) is allowed", + "allOf": [{ + "$ref": "#/definitions/CustomAlertRule" + } + ], + "properties": { + "allowlistValues": { + "type": "array", + "description": "The values to allow. The format of the values depends on the rule type.", + "items": { + "type": "string" + } + }, + "ruleType": { + "type": "string", + "enum": ["ConnectionToIpNotAllowed", "LocalUserNotAllowed", "ProcessNotAllowed"], + "x-ms-enum": { + "name": "ruleType", + "modelAsString": true, + "values": [{ + "value": "ConnectionToIpNotAllowed", + "description": "Outbound connection to an ip that isn't allowed. Allow list consists of ipv4 or ipv6 range in CIDR notation." + }, + { + "value": "LocalUserNotAllowed", + "description": "Login by a local user that isn't allowed. Allow list consists of login names to allow." + }, + { + "value": "ProcessNotAllowed", + "description": "Execution of a process that isn't allowed. Allow list consists of process names to allow." + } + ] + } + } + }, + "required": [ + "allowlistValues" + ] + }, + "DenylistCustomAlertRule": { + "type": "object", + "description": "A custom alert rule that checks if a value (depends on the custom alert type) is denied", + "allOf": [{ + "$ref": "#/definitions/CustomAlertRule" + } + ], + "properties": { + "denylistValues": { + "type": "array", + "description": "The values to deny. 
The format of the values depends on the rule type.", + "items": { + "type": "string" + } + } + }, + "required": [ + "denylistValues" + ] + }, + "ThresholdCustomAlertRule": { + "type": "object", + "description": "A custom alert rule that checks if a value (depends on the custom alert type) is within the given range.", + "allOf": [{ + "$ref": "#/definitions/CustomAlertRule" + } + ], + "properties": { + "minThreshold": { + "type": "integer", + "description": "The minimum threshold." + }, + "maxThreshold": { + "type": "integer", + "description": "The maximum threshold." + } + }, + "required": [ + "minThreshold", + "maxThreshold" + ] + }, + "TimeWindowCustomAlertRule": { + "type": "object", + "description": "A custom alert rule that checks if the number of activities (depends on the custom alert type) in a time window is within the given range.", + "allOf": [ + { + "$ref": "#/definitions/CustomAlertRule" + }, + { + "$ref": "#/definitions/ThresholdCustomAlertRule" + } + ], + "properties": { + "timeWindowSize": { + "type": "string", + "description": "The time window size in iso8601 format.", + "format": "duration" + }, + "ruleType": { + "type": "string", + "enum": ["ActiveConnectionsNotInAllowedRange", "AmqpC2DMessagesNotInAllowedRange", "MqttC2DMessagesNotInAllowedRange", "HttpC2DMessagesNotInAllowedRange", "AmqpC2DRejectedMessagesNotInAllowedRange", "MqttC2DRejectedMessagesNotInAllowedRange", "HttpC2DRejectedMessagesNotInAllowedRange", "AmqpD2CMessagesNotInAllowedRange", "MqttD2CMessagesNotInAllowedRange", "HttpD2CMessagesNotInAllowedRange", "DirectMethodInvokesNotInAllowedRange", "FailedLocalLoginsNotInAllowedRange", "FileUploadsNotInAllowedRange", "QueuePurgesNotInAllowedRange", "TwinUpdatesNotInAllowedRange", "UnauthorizedOperationsNotInAllowedRange"], + "x-ms-enum": { + "name": "ruleType", + "modelAsString": true, + "values": [{ + "value": "ActiveConnectionsNotInAllowedRange", + "description": "Number of active connections is not in allowed range." 
+ }, + { + "value": "AmqpC2DMessagesNotInAllowedRange", + "description": "Number of cloud to device messages (AMQP protocol) is not in allowed range." + }, + { + "value": "MqttC2DMessagesNotInAllowedRange", + "description": "Number of cloud to device messages (MQTT protocol) is not in allowed range." + }, + { + "value": "HttpC2DMessagesNotInAllowedRange", + "description": "Number of cloud to device messages (HTTP protocol) is not in allowed range." + }, + { + "value": "AmqpC2DRejectedMessagesNotInAllowedRange", + "description": "Number of rejected cloud to device messages (AMQP protocol) is not in allowed range." + }, + { + "value": "MqttC2DRejectedMessagesNotInAllowedRange", + "description": "Number of rejected cloud to device messages (MQTT protocol) is not in allowed range." + }, + { + "value": "HttpC2DRejectedMessagesNotInAllowedRange", + "description": "Number of rejected cloud to device messages (HTTP protocol) is not in allowed range." + }, + { + "value": "AmqpD2CMessagesNotInAllowedRange", + "description": "Number of device to cloud messages (AMQP protocol) is not in allowed range." + }, + { + "value": "MqttD2CMessagesNotInAllowedRange", + "description": "Number of device to cloud messages (MQTT protocol) is not in allowed range." + }, + { + "value": "HttpD2CMessagesNotInAllowedRange", + "description": "Number of device to cloud messages (HTTP protocol) is not in allowed range." + }, + { + "value": "DirectMethodInvokesNotInAllowedRange", + "description": "Number of direct method invokes is not in allowed range." + }, + { + "value": "FailedLocalLoginsNotInAllowedRange", + "description": "Number of failed local logins is not in allowed range." + }, + { + "value": "FileUploadsNotInAllowedRange", + "description": "Number of file uploads is not in allowed range." + }, + { + "value": "QueuePurgesNotInAllowedRange", + "description": "Number of device queue purges is not in allowed range." 
+ },
+ {
+ "value": "TwinUpdatesNotInAllowedRange",
+ "description": "Number of twin updates is not in allowed range."
+ },
+ {
+ "value": "UnauthorizedOperationsNotInAllowedRange",
+ "description": "Number of unauthorized operations is not in allowed range."
+ },
+ ]
+ }
+ }
+ },
+ "required": [
+ "timeWindowSize"
+ ]
+ },
+ },
 },
 "parameters": {
 "SubscriptionId": {
@@ -1861,6 +2271,25 @@
 "$ref": "#/definitions/AdvancedThreatProtectionSetting"
 },
 "x-ms-parameter-location": "method"
- }
+ },
+ "IotSecurityGroupName": {
+ "name": "iotSecurityGroupName",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "enum": ["current"],
+ "description": "The name of the security group. Please notice that the name is case insensitive.",
+ "x-ms-parameter-location": "method"
+ },
+ "IotSecurityGroup": {
+ "name": "iotSecurityGroup",
+ "in": "body",
+ "required": true,
+ "description": "Security group object.",
+ "schema": {
+ "$ref": "#/definitions/IotSecurityGroup"
+ },
+ "x-ms-parameter-location": "method"
+ },
 }
 }
\ No newline at end of file

From c55343d67df9f202ebbfdc2670f167350fe265ea Mon Sep 17 00:00:00 2001
From: Gal Malka
Date: Sun, 30 Dec 2018 17:13:35 +0200
Subject: [PATCH 2/6] Some fixes after validation

---
 .../DeleteIotSecurityGroups_example.json | 2 +-
 .../GetIotSecurityGroups_example.json | 2 +-
 .../ListIotSecurityGroups_example.json | 192 ++++++++++++++++++
 .../PutIotSecurityGroups_example.json | 182 ++++++++++++++++-
 .../preview/2017-08-01-preview/security.json | 26 ++-
 5 files changed, 393 insertions(+), 11 deletions(-)
 create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json
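Review bot: `AllowlistCustomAlertRule.ruleType` and `TimeWindowCustomAlertRule.ruleType` each carry an `x-ms-enum` with `"name": "ruleType"` but different value sets, and AutoRest emits one client type per `x-ms-enum` name, so the generated SDKs get a conflicting or silently merged enum; give them distinct names such as `"name": "allowlistRuleType"` and `"name": "timeWindowRuleType"`. The hunk also leaves the file invalid as strict JSON: a trailing comma after the `denylistRules` property object, another after the last entry of the `TimeWindowCustomAlertRule` `values` array, and at the end `+ },` `+ },` closes `TimeWindowCustomAlertRule` and then emits one extra `},` before the context line that already closes `definitions`, as far as the collapsed text shows. Patch 2 ("Some fixes after validation") touches security.json but that hunk is not in view, so confirm it removes the stray brace and the commas. `TimeWindowCustomAlertRule` lists both `CustomAlertRule` and `ThresholdCustomAlertRule` in `allOf` although the latter already extends the former; AutoRest models `allOf` as single inheritance, so keep only the `ThresholdCustomAlertRule` reference. The `"type": "object"` siblings next to `$ref` inside each rules `items` are ignored by Swagger 2.0 and can go.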
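Review bot: `IotSecurityGroupName` restricts the path segment with `"enum": ["current"]`, yet every example added in this series passes `"iotSecurityGroupName":"samplesecuritygroup"`, so the examples fail model validation against this parameter, and the enum also contradicts the description's "the name is case insensitive" since enum matching is exact. Either drop the enum and keep the description (if arbitrary group names are accepted) or change the examples to `current`; if only `current` is valid, say so in the description instead of the case-insensitivity remark. The block also ends with `"x-ms-parameter-location": "method" }, }` — a trailing comma after the `IotSecurityGroup` parameter that strict JSON parsers reject. The `parameters` object this hunk extends begins outside the hunk.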
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
index 287981ef9ba3..eee937742dea 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
@@ -2,7 +2,7 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName ":"samplesecuritygroup"
+ "iotSecurityGroupName":"samplesecuritygroup"
 },
 "responses":{
 "204":{
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
index 0f7d6eeb3e49..91c7505f5000 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
@@ -2,7 +2,7 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName ":"samplesecuritygroup"
+ "iotSecurityGroupName":"samplesecuritygroup"
 },
 "responses":{
 "200":{
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json
new file mode 100644
index 000000000000..3c7d95795b23
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json
@@ -0,0 +1,192 @@
+{
+ "parameters":{
+ "api-version":"2017-08-01-preview",
+ "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub"
+ },
+ "responses":{
+ "200":{
+ "body":{
+ "value":[
+ {
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "name":"samplesecuritygroup",
+ "type":"Microsoft.Security/iotSecurityGroups",
+ "properties":{
+ "thresholdRules":[],
+ "timeWindowRules":[
+ {
+ "ruleType":"ActiveConnectionsNotInAllowedRange",
+ "displayName":"Number of active connections is not in allowed range",
+ "description":"Get an alert when the number of active connections of a device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"AmqpC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (AMQP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (MQTT protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"HttpC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (HTTP protocol) in the time window is not in the 
allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"AmqpC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected cloud to device messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (AMQP protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected cloud to device messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (MQTT protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"HttpC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected cloud to device messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (HTTP protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"AmqpD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages (AMQP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages 
(MQTT protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"HttpD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages (HTTP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"DirectMethodInvokesNotInAllowedRange",
+ "displayName":"Number of direct method invokes is not in allowed range",
+ "description":"Get an alert when the number of direct method invokes in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"FailedLocalLoginsNotInAllowedRange",
+ "displayName":"Number of failed local logins is not in allowed range",
+ "description":"Get an alert when the number of failed local logins on the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"FileUploadsNotInAllowedRange",
+ "displayName":"Number of file uploads is not in allowed range",
+ "description":"Get an alert when the number of file uploads from the device to the cloud in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"QueuePurgesNotInAllowedRange",
+ "displayName":"Number of device queue purges is not in allowed range",
+ "description":"Get an alert when the number of device queue purges in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"TwinUpdatesNotInAllowedRange",
+ "displayName":"Number of twin 
updates is not in allowed range",
+ "description":"Get an alert when the number of twin updates (by the device or the service) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"UnauthorizedOperationsNotInAllowedRange",
+ "displayName":"Number of unauthorized operations is not in allowed range",
+ "description":"Get an alert when the number unauthorized operations in the time window is not in the allowed range. Unauthorized operations are operations that affect the device (or done by it) that fail because of an unauthorized error",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ }
+ ],
+ "allowlistRules":[
+ {
+ "ruleType":"ConnectionToIpNotAllowed",
+ "displayName":"Outbound connection to an ip that isn't allowed",
+ "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed",
+ "isEnabled":false,
+ "allowlistValues":[]
+ },
+ {
+ "ruleType":"LocalUserNotAllowed",
+ "displayName":"Login by a local user that isn't allowed",
+ "description":"Get an alert when a local user that isn't allowed logins to the device",
+ "isEnabled":false,
+ "allowlistValues":[]
+ },
+ {
+ "ruleType":"ProcessNotAllowed",
+ "displayName":"Execution of a process that isn't allowed",
+ "description":"Get an alert when a process that isn't allowed is executed",
+ "isEnabled":false,
+ "allowlistValues":[]
+ }
+ ],
+ "denylistRules":[]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json
index c35da6f0f2cc..73ca07c6f55b 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json
@@ -2,7 +2,7 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName ":"samplesecuritygroup",
+ "iotSecurityGroupName":"samplesecuritygroup",
 "iotSecurityGroup": {
 "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
@@ -202,6 +202,186 @@
 "denylistRules":[]
 }
 }
+ },
+ "201":{
+ "body":{
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "name":"samplesecuritygroup",
+ "type":"Microsoft.Security/iotSecurityGroups",
+ "properties":{
+ "thresholdRules":[],
+ "timeWindowRules":[
+ {
+ "ruleType":"ActiveConnectionsNotInAllowedRange",
+ "displayName":"Number of active connections is not in allowed range",
+ "description":"Get an alert when the number of active connections of a device in the time window is not in the allowed range",
+ "isEnabled":true,
+ "minThreshold":0,
+ "maxThreshold":30,
+ "timeWindowSize":"PT05M"
+ },
+ {
+ "ruleType":"AmqpC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (AMQP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (MQTT protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"HttpC2DMessagesNotInAllowedRange",
+ "displayName":"Number of cloud to device messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (HTTP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"AmqpC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected 
cloud to device messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (AMQP protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected cloud to device messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (MQTT protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"HttpC2DRejectedMessagesNotInAllowedRange",
+ "displayName":"Number of rejected cloud to device messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of cloud to device messages (HTTP protocol) that were rejected by the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"AmqpD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (AMQP protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages (AMQP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"MqttD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (MQTT protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages (MQTT protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ 
"ruleType":"HttpD2CMessagesNotInAllowedRange",
+ "displayName":"Number of device to cloud messages (HTTP protocol) is not in allowed range",
+ "description":"Get an alert when the number of device to cloud messages (HTTP protocol) in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"DirectMethodInvokesNotInAllowedRange",
+ "displayName":"Number of direct method invokes is not in allowed range",
+ "description":"Get an alert when the number of direct method invokes in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"FailedLocalLoginsNotInAllowedRange",
+ "displayName":"Number of failed local logins is not in allowed range",
+ "description":"Get an alert when the number of failed local logins on the device in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"FileUploadsNotInAllowedRange",
+ "displayName":"Number of file uploads is not in allowed range",
+ "description":"Get an alert when the number of file uploads from the device to the cloud in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"QueuePurgesNotInAllowedRange",
+ "displayName":"Number of device queue purges is not in allowed range",
+ "description":"Get an alert when the number of device queue purges in the time window is not in the allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"TwinUpdatesNotInAllowedRange",
+ "displayName":"Number of twin updates is not in allowed range",
+ "description":"Get an alert when the number of twin updates (by the device or the service) in the time window is not in the 
allowed range",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ },
+ {
+ "ruleType":"UnauthorizedOperationsNotInAllowedRange",
+ "displayName":"Number of unauthorized operations is not in allowed range",
+ "description":"Get an alert when the number unauthorized operations in the time window is not in the allowed range. Unauthorized operations are operations that affect the device (or done by it) that fail because of an unauthorized error",
+ "isEnabled":false,
+ "minThreshold":0,
+ "maxThreshold":0,
+ "timeWindowSize":"PT15M"
+ }
+ ],
+ "allowlistRules":[
+ {
+ "ruleType":"ConnectionToIpNotAllowed",
+ "displayName":"Outbound connection to an ip that isn't allowed",
+ "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed",
+ "isEnabled":false,
+ "allowlistValues":[]
+ },
+ {
+ "ruleType":"LocalUserNotAllowed",
+ "displayName":"Login by a local user that isn't allowed",
+ "description":"Get an alert when a local user that isn't allowed logins to the device",
+ "isEnabled":false,
+ "allowlistValues":[]
+ },
+ {
+ "ruleType":"ProcessNotAllowed",
+ "displayName":"Execution of a process that isn't allowed",
+ "description":"Get an alert when a process that isn't allowed is executed",
+ "isEnabled":false,
+ "allowlistValues":[]
+ }
+ ],
+ "denylistRules":[]
+ }
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
index a8b5849848fa..e91d58280ef1 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
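Review bot: In the added `201` body the first time-window rule uses `"timeWindowSize":"PT05M"` while every other rule in this hunk and in the sibling List example uses the `PT15M` spelling; ISO 8601 durations are normally written without a leading zero, so `"timeWindowSize":"PT5M"` keeps the example in the form consumers will see from the service and avoids a value that some duration normalizers may rewrite. The rest of the 201 body repeats the 200 body with only `isEnabled`, `maxThreshold` and the window changed on that one rule, which is reasonable for a create example, but the request body earlier in this file (outside the hunk) should presumably carry the same values so that the example round-trips against the schema validator.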
@@ -817,6 +817,11 @@
 },
 "/{resourceId}/providers/Microsoft.Security/iotSecurityGroups": {
 "get": {
+ "x-ms-examples": {
+ "List all IoT security groups for the specified IoT hub resource": {
+ "$ref": "./examples/IotSecurityGroups/ListIotSecurityGroups_example.json"
+ }
+ },
 "tags": ["IotSecurityGroups"],
 "description": "Gets the list of security groups for the specified IoT hub resource.",
 "operationId": "IotSecurityGroups_List",
@@ -825,7 +830,7 @@
 },
 {
 "$ref": "#/parameters/ResourceId"
- },
+ }
 ],
 "responses": {
 "200": {
@@ -887,7 +892,7 @@
 },
 "tags": [ "IotSecurityGroups" ],
 "description": "Creates or updates the security group on a specified IoT hub resource.",
- "operationId": "IotSecurityGroups_Put",
+ "operationId": "IotSecurityGroups_CreateOrUpdate",
 "parameters": [
 {
 "$ref": "#/parameters/ApiVersion"
@@ -954,7 +959,7 @@
 }
 }
 }
- },
+ }
 },
 "/subscriptions/{subscriptionId}/providers/Microsoft.Security/settings": {
 "get": {
@@ -1863,6 +1868,7 @@
 "properties": {
 "thresholdRules": {
 "type": "array",
+ "description": "A list of threshold custom alert rules.",
 "items": {
 "type": "object",
 "$ref": "#/definitions/ThresholdCustomAlertRule"
@@ -1870,6 +1876,7 @@
 },
 "timeWindowRules": {
 "type": "array",
+ "description": "A list of time window custom alert rules.",
 "items": {
 "type": "object",
 "$ref": "#/definitions/TimeWindowCustomAlertRule"
@@ -1877,6 +1884,7 @@
 },
 "allowlistRules": {
 "type": "array",
+ "description": "A list of allow-list custom alert rules.",
 "items": {
 "type": "object",
 "$ref": "#/definitions/AllowlistCustomAlertRule"
@@ -1884,11 +1892,12 @@
 },
 "denylistRules": {
 "type": "array",
+ "description": "A list of deny-list custom alert rules.",
 "items": {
 "type": "object",
 "$ref": "#/definitions/DenylistCustomAlertRule"
 }
- },
+ }
 }
 },
 "CustomAlertRule": {
@@ -1936,6 +1945,7 @@
 },
 "ruleType": {
 "type": "string",
+ "description": "The type of the custom alert rule.",
 "enum": ["ConnectionToIpNotAllowed", "LocalUserNotAllowed", "ProcessNotAllowed"],
 "x-ms-enum": {
 "name": "ruleType",
@@ -2021,6 +2031,7 @@
 },
 "ruleType": {
 "type": "string",
+ "description": "The type of the custom alert rule.",
 "enum": ["ActiveConnectionsNotInAllowedRange", "AmqpC2DMessagesNotInAllowedRange", "MqttC2DMessagesNotInAllowedRange", "HttpC2DMessagesNotInAllowedRange", "AmqpC2DRejectedMessagesNotInAllowedRange", "MqttC2DRejectedMessagesNotInAllowedRange", "HttpC2DRejectedMessagesNotInAllowedRange", "AmqpD2CMessagesNotInAllowedRange", "MqttD2CMessagesNotInAllowedRange", "HttpD2CMessagesNotInAllowedRange", "DirectMethodInvokesNotInAllowedRange", "FailedLocalLoginsNotInAllowedRange", "FileUploadsNotInAllowedRange", "QueuePurgesNotInAllowedRange", "TwinUpdatesNotInAllowedRange", "UnauthorizedOperationsNotInAllowedRange"],
 "x-ms-enum": {
 "name": "ruleType",
@@ -2088,7 +2099,7 @@
 {
 "value": "UnauthorizedOperationsNotInAllowedRange",
 "description": "Number of unauthorized operations is not in allowed range."
- },
+ }
 ]
 }
 }
@@ -2096,7 +2107,7 @@
 "required": [
 "timeWindowSize"
 ]
- },
+ }
 },
 "parameters": {
 "SubscriptionId": {
@@ -2277,7 +2288,6 @@
 "in": "path",
 "required": true,
 "type": "string",
- "enum": ["current"],
 "description": "The name of the security group. Please notice that the name is case insensitive.",
 "x-ms-parameter-location": "method"
 },
@@ -2290,6 +2300,6 @@
 "$ref": "#/definitions/IotSecurityGroup"
 },
 "x-ms-parameter-location": "method"
- },
+ }
 }
 }
\ No newline at end of file
From d6824620292538df997c2da42c9deda14ee9a90f Mon Sep 17 00:00:00 2001
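Review bot: Dropping `"enum": ["current"]` from the security-group name parameter (hunk `@@ -2277,7 +2288,6 @@`) leaves that path segment typed only as a free-form `string`; no `pattern` or `maxLength` is visible on the remaining lines, so clients and generated SDKs will accept any name and rely entirely on the service to reject what it does not support. If the service enforces a naming rule, declare it here with `"pattern": "<SERVICE_NAME_REGEX>"` and `"maxLength": <SERVICE_NAME_MAX>` (placeholders for the real rule) so validation happens before the request is sent; the parameter object's opening lines, including its `name`, are outside the hunk. The examples show the value becoming the last segment of the resource `id`, which is worth stating in the description alongside the case-insensitivity note, e.g. `"description": "The name of the security group. The name is case insensitive and is used as the last segment of the resource id."`.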
From: Gal Malka Date: Mon, 14 Jan 2019 16:34:15 +0200 Subject: [PATCH 3/6] Change resource name, add x-ms-pagable --- .../DeleteDeviceSecurityGroups_example.json} | 6 +- .../GetDeviceSecurityGroups_example.json} | 6 +- .../ListDeviceSecurityGroups_example.json} | 4 +- .../PutDeviceSecurityGroups_example.json} | 16 +-- .../preview/2017-08-01-preview/security.json | 99 ++++++++++--------- 5 files changed, 71 insertions(+), 60 deletions(-) rename specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/{IotSecurityGroups/DeleteIotSecurityGroups_example.json => DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json} (71%) rename specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/{IotSecurityGroups/GetIotSecurityGroups_example.json => DeviceSecurityGroups/GetDeviceSecurityGroups_example.json} (96%) rename specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/{IotSecurityGroups/ListIotSecurityGroups_example.json => DeviceSecurityGroups/ListDeviceSecurityGroups_example.json} (96%) rename specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/{IotSecurityGroups/PutIotSecurityGroups_example.json => DeviceSecurityGroups/PutDeviceSecurityGroups_example.json} (95%) 
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json
similarity index 71%
rename from specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json
index eee937742dea..b103c652d20a 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json
@@ -2,10 +2,10 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName":"samplesecuritygroup"
+ "deviceSecurityGroupName":"samplesecuritygroup"
 },
 "responses":{
- "204":{
- }
+ "200": {},
+ "204": {}
 }
 }
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
similarity index 96%
rename from specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
index 91c7505f5000..9519e88362b3 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/GetIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
@@ -2,14 +2,14 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName":"samplesecuritygroup"
+ "deviceSecurityGroupName":"samplesecuritygroup"
 },
 "responses":{
 "200":{
 "body":{
- "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/deviceSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
- "type":"Microsoft.Security/iotSecurityGroups",
+ "type":"Microsoft.Security/deviceSecurityGroups",
 "properties":{
 "thresholdRules":[],
 "timeWindowRules":[
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
similarity index 96%
rename from specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
index 3c7d95795b23..669af33c7d22 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/ListIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
@@ -8,9 +8,9 @@
 "body":{
 "value":[
 {
- "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/deviceSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
- "type":"Microsoft.Security/iotSecurityGroups",
+ "type":"Microsoft.Security/deviceSecurityGroups",
 "properties":{
 "thresholdRules":[],
 "timeWindowRules":[
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/PutDeviceSecurityGroups_example.json
similarity index 95%
rename from specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/PutDeviceSecurityGroups_example.json
index 73ca07c6f55b..51bf0a6572d1 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/IotSecurityGroups/PutIotSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/PutDeviceSecurityGroups_example.json
@@ -2,11 +2,11 @@
 "parameters":{
 "api-version":"2017-08-01-preview",
 "resourceId":"subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub",
- "iotSecurityGroupName":"samplesecuritygroup",
- "iotSecurityGroup": {
- "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "deviceSecurityGroupName":"samplesecuritygroup",
+ "deviceSecurityGroup": {
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/deviceSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
- "type":"Microsoft.Security/iotSecurityGroups",
+ "type":"Microsoft.Security/deviceSecurityGroups",
 "properties": {
 "timeWindowRules":[
 {
@@ -25,9 +25,9 @@
 "responses":{
 "200":{
 "body":{
- "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/deviceSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
- "type":"Microsoft.Security/iotSecurityGroups",
+ "type":"Microsoft.Security/deviceSecurityGroups",
 "properties":{
 "thresholdRules":[],
 "timeWindowRules":[
@@ -205,9 +205,9 @@
 },
 "201":{
 "body":{
- "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/iotSecurityGroups/samplesecuritygroup",
+ "id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/SampleRG/providers/Microsoft.Devices/iotHubs/sampleiothub/providers/Microsoft.Security/deviceSecurityGroups/samplesecuritygroup",
 "name":"samplesecuritygroup",
- "type":"Microsoft.Security/iotSecurityGroups",
+ "type":"Microsoft.Security/deviceSecurityGroups",
 "properties":{
 "thresholdRules":[],
 "timeWindowRules":[
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
index e91d58280ef1..20657ea8f2c8 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/security.json
@@ -815,16 +815,16 @@
 }
 }
 },
- "/{resourceId}/providers/Microsoft.Security/iotSecurityGroups": {
+ "/{resourceId}/providers/Microsoft.Security/deviceSecurityGroups": {
 "get": {
 "x-ms-examples": {
- "List all IoT security groups for the specified IoT hub resource": {
- "$ref": "./examples/IotSecurityGroups/ListIotSecurityGroups_example.json"
+ "List all device security groups for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json"
 }
 },
- "tags": ["IotSecurityGroups"],
- "description": "Gets the list of security groups for the specified IoT hub resource.",
- "operationId": "IotSecurityGroups_List",
+ "tags": ["DeviceSecurityGroups"],
+ "description": "Gets the list of device security groups for the specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_List",
 "parameters": [{
 "$ref": "#/parameters/ApiVersion"
 },
@@ -836,7 +836,7 @@
 "200": {
 "description": "OK",
 "schema": {
- "$ref": "#/definitions/IotSecurityGroupList"
+ "$ref": "#/definitions/DeviceSecurityGroupList"
 }
 },
 "default": {
@@ -845,19 +845,22 @@
 "$ref": "#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
 }
 }
 },
- "/{resourceId}/providers/Microsoft.Security/iotSecurityGroups/{iotSecurityGroupName}": {
+ "/{resourceId}/providers/Microsoft.Security/deviceSecurityGroups/{deviceSecurityGroupName}": {
 "get": {
 "x-ms-examples": {
- "Get an IoT security group for the specified IoT hub resource": {
- "$ref": "./examples/IotSecurityGroups/GetIotSecurityGroups_example.json"
+ "Get an device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json"
 }
 },
- "tags": [ "IotSecurityGroups" ],
- "description": "Gets the security group for the specified IoT hub resource.",
- "operationId": "IotSecurityGroups_Get",
+ "tags": [ "DeviceSecurityGroups" ],
+ "description": "Gets the device security group for the specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_Get",
 "parameters": [
 {
 "$ref": "#/parameters/ApiVersion"
@@ -866,14 +869,14 @@
 "$ref": "#/parameters/ResourceId"
 },
 {
- "$ref": "#/parameters/IotSecurityGroupName"
+ "$ref": "#/parameters/DeviceSecurityGroupName"
 }
 ],
 "responses": {
 "200": {
 "description": "Successful request to get security group.",
 "schema": {
- "$ref": "#/definitions/IotSecurityGroup"
+ "$ref": "#/definitions/DeviceSecurityGroup"
 }
 },
 "default": {
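Review bot: The new `"x-ms-pageable": { "nextLinkName": "nextLink" }` in hunk `@@ -845,19 +845,22 @@` requires the `DeviceSecurityGroupList` schema to expose a `nextLink` property, but that definition is not touched by this diff and the renamed ListDeviceSecurityGroups_example.json response body carries only `"value"`; please confirm the list definition declares `"nextLink": { "type": "string", "readOnly": true }` (description of your choosing) and consider adding a `"nextLink"` member to the example so the example validator exercises the paging contract. In the same hunk the example title `"Get an device security group for the specified IoT hub resource"` should read `"Get a device security group for the specified IoT hub resource"`.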
@@ -886,13 +889,13 @@
 },
 "put": {
 "x-ms-examples": {
- "Create or update an IoT security group for the specified IoT hub resource": {
- "$ref": "./examples/IotSecurityGroups/PutIotSecurityGroups_example.json"
+ "Create or update a device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/PutDeviceSecurityGroups_example.json"
 }
 },
- "tags": [ "IotSecurityGroups" ],
- "description": "Creates or updates the security group on a specified IoT hub resource.",
- "operationId": "IotSecurityGroups_CreateOrUpdate",
+ "tags": [ "DeviceSecurityGroups" ],
+ "description": "Creates or updates the device security group on a specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_CreateOrUpdate",
 "parameters": [
 {
 "$ref": "#/parameters/ApiVersion"
@@ -901,23 +904,23 @@
 "$ref": "#/parameters/ResourceId"
 },
 {
- "$ref": "#/parameters/IotSecurityGroupName"
+ "$ref": "#/parameters/DeviceSecurityGroupName"
 },
 {
- "$ref": "#/parameters/IotSecurityGroup"
+ "$ref": "#/parameters/DeviceSecurityGroup"
 }
 ],
 "responses": {
 "200": {
 "description": "Security group was updated",
 "schema": {
- "$ref": "#/definitions/IotSecurityGroup"
+ "$ref": "#/definitions/DeviceSecurityGroup"
 }
 },
 "201": {
 "description": "Security group was created",
 "schema": {
- "$ref": "#/definitions/IotSecurityGroup"
+ "$ref": "#/definitions/DeviceSecurityGroup"
 }
 },
 "default": {
@@ -930,13 +933,13 @@
 },
 "delete": {
 "x-ms-examples": {
- "Delete an IoT security group for the specified IoT hub resource": {
- "$ref": "./examples/IotSecurityGroups/DeleteIotSecurityGroups_example.json"
+ "Delete a device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json"
 }
 },
- "tags": ["IotSecurityGroups"],
+ "tags": ["DeviceSecurityGroups"],
 "description": "Deletes the security group",
- "operationId": "IotSecurityGroups_Delete",
+ "operationId": "DeviceSecurityGroups_Delete",
 "parameters": [
 {
 "$ref": "#/parameters/ApiVersion"
@@ -945,12 +948,15 @@
 "$ref": "#/parameters/ResourceId"
 },
 {
- "$ref": "#/parameters/IotSecurityGroupName"
+ "$ref": "#/parameters/DeviceSecurityGroupName"
 }
 ],
 "responses": {
+ "200": {
+ "description": "Device security group has been deleted."
+ },
 "204": {
- "description": "No Content"
+ "description": "Device security group does not exist."
 },
 "default": {
 "description": "Error response describing why the operation failed.",
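Review bot: The delete operation's `"description": "Deletes the security group"` is the only operation description in this change that was not reworded to "device security group" (the list, get and put descriptions in the preceding hunks were), so the generated reference will be inconsistent across the four operations; `"description": "Deletes the device security group on the specified IoT hub resource."` matches the others. The same string is repeated in the new deviceSecurityGroups.json in PATCH 4/6 and should change there as well.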
@@ -1833,28 +1839,33 @@
 }
 }
 },
- "IotSecurityGroupList": {
+ "DeviceSecurityGroupList": {
 "type": "object",
 "readOnly": true,
- "description": "List of IoT security groups",
+ "description": "List of device security groups",
 "properties": {
 "value": {
 "type": "array",
- "description": "List of IoT security group objects",
+ "description": "List of device security group objects",
 "items": {
- "$ref": "#/definitions/IotSecurityGroup"
+ "$ref": "#/definitions/DeviceSecurityGroup"
 }
+ },
+ "nextLink": {
+ "readOnly": true,
+ "type": "string",
+ "description": "The URI to fetch the next page."
 }
 }
 },
- "IotSecurityGroup": {
+ "DeviceSecurityGroup": {
 "type": "object",
- "description": "The IoT security group resource",
+ "description": "The device security group resource",
 "properties": {
 "properties": {
 "x-ms-client-flatten": true,
- "description": "IoT Security group data",
- "$ref": "#/definitions/IotSecurityGroupProperties"
+ "description": "Device Security group data",
+ "$ref": "#/definitions/DeviceSecurityGroupProperties"
 }
 },
 "allOf": [{
@@ -1862,7 +1873,7 @@
 }
 ]
 },
- "IotSecurityGroupProperties": {
+ "DeviceSecurityGroupProperties": {
 "type": "object",
 "description": "describes properties of a security group.",
 "properties": {
@@ -2283,21 +2294,21 @@
 },
 "x-ms-parameter-location": "method"
 },
- "IotSecurityGroupName": {
- "name": "iotSecurityGroupName",
+ "DeviceSecurityGroupName": {
+ "name": "deviceSecurityGroupName",
 "in": "path",
 "required": true,
 "type": "string",
 "description": "The name of the security group. Please notice that the name is case insensitive.",
 "x-ms-parameter-location": "method"
 },
- "IotSecurityGroup": {
- "name": "iotSecurityGroup",
+ "DeviceSecurityGroup": {
+ "name": "deviceSecurityGroup",
 "in": "body",
 "required": true,
 "description": "Security group object.",
 "schema": {
- "$ref": "#/definitions/IotSecurityGroup"
+ "$ref": "#/definitions/DeviceSecurityGroup"
 },
 "x-ms-parameter-location": "method"
 }
From 0cfbd83907e23a9364669f804e9442d771ad088b Mon Sep 17 00:00:00 2001
From: Gal Malka
Date: Sun, 24 Mar 2019 20:44:59 +0200
Subject: [PATCH 4/6] Sync with master (split files by resource type), add value type
---
 .../deviceSecurityGroups.json | 513 ++++++++++++++++++
 .../GetDeviceSecurityGroups_example.json | 3 +
 .../ListDeviceSecurityGroups_example.json | 3 +
 3 files changed, 519 insertions(+)
 create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json
new file mode 100644
index 000000000000..9a8e4003009d
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json
@@ -0,0 +1,513 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Center",
+ "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
+ "version": "2017-08-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": ["https"],
+ "consumes": ["application/json"],
+ "produces": ["application/json"],
+ "security": [{
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/{resourceId}/providers/Microsoft.Security/deviceSecurityGroups": {
+ "get": {
+ "x-ms-examples": {
+ "List all device security groups for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json"
+ }
+ },
+ "tags": ["DeviceSecurityGroups"],
+ "description": "Gets the list of device security groups for the specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_List",
+ "parameters": [{
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ResourceId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/DeviceSecurityGroupList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/{resourceId}/providers/Microsoft.Security/deviceSecurityGroups/{deviceSecurityGroupName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get an device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json"
+ }
+ },
+ "tags": [ "DeviceSecurityGroups" ],
+ "description": "Gets the device security group for the specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_Get",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ResourceId"
+ },
+ {
+ "$ref": "#/parameters/DeviceSecurityGroupName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Successful request to get security group.",
+ "schema": {
+ "$ref": "#/definitions/DeviceSecurityGroup"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Create or update a device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/PutDeviceSecurityGroups_example.json"
+ }
+ },
+ "tags": [ "DeviceSecurityGroups" ],
+ "description": "Creates or updates the device security group on a specified IoT hub resource.",
+ "operationId": "DeviceSecurityGroups_CreateOrUpdate",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ResourceId"
+ },
+ {
+ "$ref": "#/parameters/DeviceSecurityGroupName"
+ },
+ {
+ "$ref": "#/parameters/DeviceSecurityGroup"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Security group was updated",
+ "schema": {
+ "$ref": "#/definitions/DeviceSecurityGroup"
+ }
+ },
+ "201": {
+ "description": "Security group was created",
+ "schema": {
+ "$ref": "#/definitions/DeviceSecurityGroup"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete a device security group for the specified IoT hub resource": {
+ "$ref": "./examples/DeviceSecurityGroups/DeleteDeviceSecurityGroups_example.json"
+ }
+ },
+ "tags": ["DeviceSecurityGroups"],
+ "description": "Deletes the security group",
+ "operationId": "DeviceSecurityGroups_Delete",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ResourceId"
+ },
+ {
+ "$ref": "#/parameters/DeviceSecurityGroupName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Device security group has been deleted."
+ },
+ "204": {
+ "description": "Device security group does not exist."
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "definitions": {
+ "DeviceSecurityGroupList": {
+ "type": "object",
+ "readOnly": true,
+ "description": "List of device security groups",
+ "properties": {
+ "value": {
+ "type": "array",
+ "description": "List of device security group objects",
+ "items": {
+ "$ref": "#/definitions/DeviceSecurityGroup"
+ }
+ },
+ "nextLink": {
+ "readOnly": true,
+ "type": "string",
+ "description": "The URI to fetch the next page."
+ }
+ }
+ },
+ "DeviceSecurityGroup": {
+ "type": "object",
+ "description": "The device security group resource",
+ "properties": {
+ "properties": {
+ "x-ms-client-flatten": true,
+ "description": "Device Security group data",
+ "$ref": "#/definitions/DeviceSecurityGroupProperties"
+ }
+ },
+ "allOf": [{
+ "$ref": "../../../common/v1/types.json#/definitions/Resource"
+ }
+ ]
+ },
+ "DeviceSecurityGroupProperties": {
+ "type": "object",
+ "description": "describes properties of a security group.",
+ "properties": {
+ "thresholdRules": {
+ "type": "array",
+ "description": "A list of threshold custom alert rules.",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/ThresholdCustomAlertRule"
+ }
+ },
+ "timeWindowRules": {
+ "type": "array",
+ "description": "A list of time window custom alert rules.",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/TimeWindowCustomAlertRule"
+ }
+ },
+ "allowlistRules": {
+ "type": "array",
+ "description": "A list of allow-list custom alert rules.",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/AllowlistCustomAlertRule"
+ }
+ },
+ "denylistRules": {
+ "type": "array",
+ "description": "A list of deny-list custom alert rules.",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/DenylistCustomAlertRule"
+ }
+ }
+ }
+ },
+ "CustomAlertRule": {
+ "type": "object",
+ "description": "A custom alert rule",
+ "properties": {
+ "displayName": {
+ "type": "string",
+ "readOnly": true,
+ "description": "The display name of the custom alert."
+ },
+ "description": {
+ "type": "string",
+ "readOnly": true,
+ "description": "The description of the custom alert."
+ },
+ "isEnabled": {
+ "type": "boolean",
+ "description": "Whether the custom alert is enabled."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of the custom alert rule."
+ }
+ },
+ "required": [
+ "isEnabled",
+ "ruleType"
+ ]
+ },
+ "ListCustomAlertRule": {
+ "type": "object",
+ "description": "A List custom alert rule",
+ "allOf": [{
+ "$ref": "#/definitions/CustomAlertRule"
+ }
+ ],
+ "properties": {
+ "valueType": {
+ "type": "string",
+ "description": "The value type of the items in the list",
+ "enum": ["IpCidr", "String"],
+ "readOnly": true,
+ "x-ms-enum": {
+ "name": "valueType",
+ "modelAsString": true,
+ "values": [{
+ "value": "IpCidr",
+ "description": "An IP range in CIDR format (e.g. '192.168.0.1/8')."
+ },
+ {
+ "value": "String",
+ "description": "Any string value."
+ }
+ ]
+ }
+ }
+ }
+ },
+ "AllowlistCustomAlertRule": {
+ "type": "object",
+ "description": "A custom alert rule that checks if a value (depends on the custom alert type) is allowed",
+ "allOf": [{
+ "$ref": "#/definitions/ListCustomAlertRule"
+ }
+ ],
+ "properties": {
+ "allowlistValues": {
+ "type": "array",
+ "description": "The values to allow. The format of the values depends on the rule type.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of the custom alert rule.",
+ "enum": ["ConnectionToIpNotAllowed", "LocalUserNotAllowed", "ProcessNotAllowed"],
+ "x-ms-enum": {
+ "name": "ruleType",
+ "modelAsString": true,
+ "values": [{
+ "value": "ConnectionToIpNotAllowed",
+ "description": "Outbound connection to an ip that isn't allowed. Allow list consists of ipv4 or ipv6 range in CIDR notation."
+ },
+ {
+ "value": "LocalUserNotAllowed",
+ "description": "Login by a local user that isn't allowed. Allow list consists of login names to allow."
+ },
+ {
+ "value": "ProcessNotAllowed",
+ "description": "Execution of a process that isn't allowed. Allow list consists of process names to allow."
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "allowlistValues"
+ ]
+ },
+ "DenylistCustomAlertRule": {
+ "type": "object",
+ "description": "A custom alert rule that checks if a value (depends on the custom alert type) is denied",
+ "allOf": [{
+ "$ref": "#/definitions/ListCustomAlertRule"
+ }
+ ],
+ "properties": {
+ "denylistValues": {
+ "type": "array",
+ "description": "The values to deny. The format of the values depends on the rule type.",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "denylistValues"
+ ]
+ },
+ "ThresholdCustomAlertRule": {
+ "type": "object",
+ "description": "A custom alert rule that checks if a value (depends on the custom alert type) is within the given range.",
+ "allOf": [{
+ "$ref": "#/definitions/CustomAlertRule"
+ }
+ ],
+ "properties": {
+ "minThreshold": {
+ "type": "integer",
+ "description": "The minimum threshold."
+ },
+ "maxThreshold": {
+ "type": "integer",
+ "description": "The maximum threshold."
+ }
+ },
+ "required": [
+ "minThreshold",
+ "maxThreshold"
+ ]
+ },
+ "TimeWindowCustomAlertRule": {
+ "type": "object",
+ "description": "A custom alert rule that checks if the number of activities (depends on the custom alert type) in a time window is within the given range.",
+ "allOf": [
+ {
+ "$ref": "#/definitions/CustomAlertRule"
+ },
+ {
+ "$ref": "#/definitions/ThresholdCustomAlertRule"
+ }
+ ],
+ "properties": {
+ "timeWindowSize": {
+ "type": "string",
+ "description": "The time window size in iso8601 format.",
+ "format": "duration"
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of the custom alert rule.",
+ "enum": ["ActiveConnectionsNotInAllowedRange", "AmqpC2DMessagesNotInAllowedRange", "MqttC2DMessagesNotInAllowedRange", "HttpC2DMessagesNotInAllowedRange", "AmqpC2DRejectedMessagesNotInAllowedRange", "MqttC2DRejectedMessagesNotInAllowedRange", "HttpC2DRejectedMessagesNotInAllowedRange", "AmqpD2CMessagesNotInAllowedRange", "MqttD2CMessagesNotInAllowedRange", "HttpD2CMessagesNotInAllowedRange", "DirectMethodInvokesNotInAllowedRange", "FailedLocalLoginsNotInAllowedRange", "FileUploadsNotInAllowedRange", "QueuePurgesNotInAllowedRange", "TwinUpdatesNotInAllowedRange", "UnauthorizedOperationsNotInAllowedRange"],
+ "x-ms-enum": {
+ "name": "ruleType",
+ "modelAsString": true,
+ "values": [{
+ "value": "ActiveConnectionsNotInAllowedRange",
+ "description": "Number of active connections is not in allowed range."
+ },
+ {
+ "value": "AmqpC2DMessagesNotInAllowedRange",
+ "description": "Number of cloud to device messages (AMQP protocol) is not in allowed range."
+ },
+ {
+ "value": "MqttC2DMessagesNotInAllowedRange",
+ "description": "Number of cloud to device messages (MQTT protocol) is not in allowed range."
+ },
+ {
+ "value": "HttpC2DMessagesNotInAllowedRange",
+ "description": "Number of cloud to device messages (HTTP protocol) is not in allowed range."
+ },
+ {
+ "value": "AmqpC2DRejectedMessagesNotInAllowedRange",
+ "description": "Number of rejected cloud to device messages (AMQP protocol) is not in allowed range."
+ },
+ {
+ "value": "MqttC2DRejectedMessagesNotInAllowedRange",
+ "description": "Number of rejected cloud to device messages (MQTT protocol) is not in allowed range."
+ },
+ {
+ "value": "HttpC2DRejectedMessagesNotInAllowedRange",
+ "description": "Number of rejected cloud to device messages (HTTP protocol) is not in allowed range."
+ },
+ {
+ "value": "AmqpD2CMessagesNotInAllowedRange",
+ "description": "Number of device to cloud messages (AMQP protocol) is not in allowed range."
+ },
+ {
+ "value": "MqttD2CMessagesNotInAllowedRange",
+ "description": "Number of device to cloud messages (MQTT protocol) is not in allowed range."
+ },
+ {
+ "value": "HttpD2CMessagesNotInAllowedRange",
+ "description": "Number of device to cloud messages (HTTP protocol) is not in allowed range."
+ },
+ {
+ "value": "DirectMethodInvokesNotInAllowedRange",
+ "description": "Number of direct method invokes is not in allowed range."
+ },
+ {
+ "value": "FailedLocalLoginsNotInAllowedRange",
+ "description": "Number of failed local logins is not in allowed range."
+ },
+ {
+ "value": "FileUploadsNotInAllowedRange",
+ "description": "Number of file uploads is not in allowed range."
+ },
+ {
+ "value": "QueuePurgesNotInAllowedRange",
+ "description": "Number of device queue purges is not in allowed range."
+ },
+ {
+ "value": "TwinUpdatesNotInAllowedRange",
+ "description": "Number of twin updates is not in allowed range."
+ },
+ {
+ "value": "UnauthorizedOperationsNotInAllowedRange",
+ "description": "Number of unauthorized operations is not in allowed range."
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "timeWindowSize"
+ ]
+ }
+ },
+ "parameters": {
+ "DeviceSecurityGroupName": {
+ "name": "deviceSecurityGroupName",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "description": "The name of the security group. Please notice that the name is case insensitive.",
+ "x-ms-parameter-location": "method"
+ },
+ "DeviceSecurityGroup": {
+ "name": "deviceSecurityGroup",
+ "in": "body",
+ "required": true,
+ "description": "Security group object.",
+ "schema": {
+ "$ref": "#/definitions/DeviceSecurityGroup"
+ },
+ "x-ms-parameter-location": "method"
+ }
+ }
+}
\ No newline at end of file
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
index 9519e88362b3..2f64be77464a 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
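Review bot: `ruleType` is constrained by an enum only on AllowlistCustomAlertRule and TimeWindowCustomAlertRule; ThresholdCustomAlertRule and DenylistCustomAlertRule inherit the bare `"type": "string"` from CustomAlertRule, so the schema accepts any value for those two rule kinds and a generated client has no typed set to offer for them. Either enumerate the accepted values there in the same `x-ms-enum` style, or state in the CustomAlertRule `ruleType` description that the value set is open for those kinds. The CIDR example in ListCustomAlertRule, `'192.168.0.1/8'`, has host bits set for its prefix length, and allow-list implementations differ on whether such an entry is masked or rejected, so an example with a clean network address such as `'10.0.0.0/8'` avoids teaching an ambiguous form. The `"type": "object"` placed next to `$ref` inside each `items` of DeviceSecurityGroupProperties is ignored by Swagger 2.0 `$ref` resolution and can be dropped.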
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/GetDeviceSecurityGroups_example.json
@@ -164,6 +164,7 @@
 "displayName":"Outbound connection to an ip that isn't allowed",
 "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed",
 "isEnabled":false,
+ "valueType": "IpCidr",
 "allowlistValues":[]
 },
 {
@@ -171,6 +172,7 @@
 "displayName":"Login by a local user that isn't allowed",
 "description":"Get an alert when a local user that isn't allowed logins to the device",
 "isEnabled":false,
+ "valueType": "String",
 "allowlistValues":[]
 },
 {
@@ -178,6 +180,7 @@
 "displayName":"Execution of a process that isn't allowed",
 "description":"Get an alert when a process that isn't allowed is executed",
 "isEnabled":false,
+ "valueType": "String",
 "allowlistValues":[]
 }
 ],
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
index 669af33c7d22..6fa37ea9339d 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/examples/DeviceSecurityGroups/ListDeviceSecurityGroups_example.json
@@ -165,6 +165,7 @@
 "displayName":"Outbound connection to an ip that isn't allowed",
 "description":"Get an alert when an outbound connection is created between your device and an ip that isn't allowed",
 "isEnabled":false,
+ "valueType": "IpCidr",
 "allowlistValues":[]
 },
 {
@@ -172,6 +173,7 @@
 "displayName":"Login by a local user that isn't allowed",
 "description":"Get an alert when a local user that isn't allowed logins to the device",
 "isEnabled":false,
+ "valueType": "String",
 "allowlistValues":[]
 },
 {
@@ -179,6 +181,7 @@
 "displayName":"Execution of a process that isn't allowed",
 "description":"Get an alert when a process that isn't allowed is executed",
 "isEnabled":false,
+ "valueType": "String",
 "allowlistValues":[]
 }
 ],
From 45af2dd2143cc9b695ea876a68496401cb37acb9 Mon Sep 17 00:00:00 2001
From: galmicrosoft
Date: Sun, 24 Mar 2019 21:27:52 +0200
Subject: [PATCH 5/6] Fix readme file
---
 specification/security/resource-manager/readme.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md
index 071d9f0aebeb..e7ecf6074a2a 100644
--- a/specification/security/resource-manager/readme.md
+++ b/specification/security/resource-manager/readme.md
@@ -57,6 +57,7 @@ input-file:
 - Microsoft.Security/preview/2017-08-01-preview/autoProvisioningSettings.json
 - Microsoft.Security/preview/2017-08-01-preview/compliances.json
 - Microsoft.Security/preview/2017-08-01-preview/advancedThreatProtectionSettings.json
+- Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json
 - Microsoft.Security/preview/2017-08-01-preview/settings.json
 - Microsoft.Security/preview/2017-08-01-preview/informationProtectionPolicies.json
 - Microsoft.Security/preview/2015-06-01-preview/operations.json
@@ -86,6 +87,7 @@ input-file:
 - Microsoft.Security/preview/2017-08-01-preview/autoProvisioningSettings.json
 - Microsoft.Security/preview/2017-08-01-preview/compliances.json
 - Microsoft.Security/preview/2017-08-01-preview/advancedThreatProtectionSettings.json
+- Microsoft.Security/preview/2017-08-01-preview/deviceSecurityGroups.json
 - Microsoft.Security/preview/2017-08-01-preview/settings.json
 - Microsoft.Security/preview/2017-08-01-preview/informationProtectionPolicies.json
 - Microsoft.Security/preview/2015-06-01-preview/operations.json
From 67d905e193967e7a8c35511c87239b4f052314a1 Mon Sep 17 00:00:00 2001
From: Joel Hendrix
Date: Mon, 25 Mar 2019 09:29:59 -0700
Subject: [PATCH 6/6] delete unreferenced example file
---
 .../InvokeJitNetworkAccessPolicy_example.json | 28 -------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/JitNetworkAccessPolicies/InvokeJitNetworkAccessPolicy_example.json
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/JitNetworkAccessPolicies/InvokeJitNetworkAccessPolicy_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/JitNetworkAccessPolicies/InvokeJitNetworkAccessPolicy_example.json
deleted file mode 100644
index 95e378b7cb31..000000000000
--- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/JitNetworkAccessPolicies/InvokeJitNetworkAccessPolicy_example.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "parameters": {
- "api-version": "2015-06-01-preview",
- "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
- "ascLocation": "westeurope",
- "resourceGroupName": "myRg1",
- "jitNetworkAccessPolicyName": "default",
- "jitNetworkAccessPolicyActionType": "initiate",
- "body": {
- "virtualMachines": [
- {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
- "ports": [
- {
- "number": 3389,
- "duration": "PT1H",
- "allowedSourceAddressPrefix": "192.127.0.2"
- }
- ]
- }
- ]
- }
- },
- "responses": {
- "202": {
- }
- }
-}
\ No newline at end of file