diff --git a/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json b/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json index 7b756df676..2bd43047cc 100644 --- a/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json +++ b/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json @@ -2351,6 +2351,7 @@ { "type": "string", "enum": [ + "Critical", "High", "Medium", "Low", diff --git a/schemas/2020-01-01/Microsoft.SecurityInsights.json b/schemas/2020-01-01/Microsoft.SecurityInsights.json index c8f7bd4046..5cb2df2498 100644 --- a/schemas/2020-01-01/Microsoft.SecurityInsights.json +++ b/schemas/2020-01-01/Microsoft.SecurityInsights.json @@ -797,6 +797,7 @@ { "type": "string", "enum": [ + "Critical", "High", "Medium", "Low", diff --git a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json index 41955ae39e..7d7fe5dfc5 100644 --- a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json +++ b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json @@ -2407,40 +2407,6 @@ }, "description": "Publisher or creator of the content item." }, - "MetadataCategories": { - "type": "object", - "properties": { - "domains": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "domain for the solution content item" - }, - "verticals": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Industry verticals for the solution content item" - } - }, - "description": "ies for the solution content item" - }, "MetadataDependencies": { "type": "object", "properties": { @@ -2529,17 +2495,6 @@ ], "description": "Publisher or creator of the content item." }, - "categories": { - "oneOf": [ - { - "$ref": "#/definitions/MetadataCategories" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "ies for the solution content item" - }, "contentId": { "type": "string", "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a template, both will have the same contentId." @@ -2555,11 +2510,6 @@ ], "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies." }, - "firstPublishDate": { - "type": "string", - "format": "date", - "description": "first publish date of solution content item" - }, "kind": { "oneOf": [ { @@ -2587,29 +2537,10 @@ ], "description": "The kind of content the metadata is for." }, - "lastPublishDate": { - "type": "string", - "format": "date", - "description": "last publish date of solution content item" - }, "parentId": { "type": "string", "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)" }, - "providers": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Providers for the solution content item" - }, "source": { "oneOf": [ { diff --git a/schemas/2021-10-01/Microsoft.SecurityInsights.json b/schemas/2021-10-01/Microsoft.SecurityInsights.json new file mode 100644 index 0000000000..3b233f81ba --- /dev/null +++ b/schemas/2021-10-01/Microsoft.SecurityInsights.json @@ -0,0 +1,2049 @@ +{ + "id": "https://schema.management.azure.com/schemas/2021-10-01/Microsoft.SecurityInsights.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.SecurityInsights", + "description": "Microsoft SecurityInsights Resource Types", + "resourceDefinitions": {}, + "extension_resourceDefinitions": { + "alertRules": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRule" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRule" + }, + { + "$ref": "#/definitions/ScheduledAlertRule" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Alert rule ID" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/alertRules_actions_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules" + }, + "alertRules_actions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules/actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "incidents": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes incident properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/incidents_comments_childResource" + }, + { + "$ref": "#/definitions/incidents_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents" + }, + "incidents_comments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "threatIntelligence_indicators": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "indicator" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The kind of the entity." + }, + "name": { + "type": "string", + "description": "Threat intelligence indicator name field." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes threat intelligence entity properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/threatIntelligence/indicators" + ] + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/threatIntelligence/indicators" + }, + "watchlists": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist alias" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/watchlists_watchlistItems_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists" + }, + "watchlists_watchlistItems": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists/watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + }, + "definitions": { + "ActionRequestProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}." + }, + "triggerUri": { + "type": "string", + "description": "Logic App Callback URL for this specific workflow." + } + }, + "required": [ + "logicAppResourceId", + "triggerUri" + ], + "description": "Action property bag." + }, + "AlertDetailsOverride": { + "type": "object", + "properties": { + "alertDescriptionFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert description" + }, + "alertDisplayNameFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert name" + }, + "alertSeverityColumnName": { + "type": "string", + "description": "the column name to take the alert severity from" + }, + "alertTacticsColumnName": { + "type": "string", + "description": "the column name to take the alert tactics from" + } + }, + "description": "Settings for how to dynamically override alert static details" + }, + "alertRules_actions_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "EntityMapping": { + "type": "object", + "properties": { + "entityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "fieldMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "array of field mappings for the given entity mapping" + } + }, + "description": "Single entity mapping for the alert rule" + }, + "EventGroupingSettings": { + "type": "object", + "properties": { + "aggregationKind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SingleAlert", + "AlertPerResult" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "description": "Event grouping settings property bag." + }, + "FieldMapping": { + "type": "object", + "properties": { + "columnName": { + "type": "string", + "description": "the column name to be mapped to the identifier" + }, + "identifier": { + "type": "string", + "description": "the V3 identifier of the entity" + } + }, + "description": "A single field mapping of the mapped entity" + }, + "FusionAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Fusion" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Fusion alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Fusion alert rule." + }, + "FusionAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Fusion alert rule base property bag." + }, + "GroupingConfiguration": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping enabled" + }, + "groupByAlertDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "DisplayName", + "Severity" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of alert details to group by (when matchingMethod is Selected)" + }, + "groupByCustomDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used." + }, + "groupByEntities": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used." + }, + "lookbackDuration": { + "type": "string", + "format": "duration", + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)" + }, + "matchingMethod": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty." + }, + "reopenClosedIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Re-open closed matching incidents" + } + }, + "required": [ + "enabled", + "lookbackDuration", + "matchingMethod", + "reopenClosedIncident" + ], + "description": "Grouping configuration property bag." + }, + "IncidentCommentProperties": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The comment message" + } + }, + "required": [ + "message" + ], + "description": "Incident comment property bag." + }, + "IncidentConfiguration": { + "type": "object", + "properties": { + "createIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Create incidents from alerts triggered by this analytics rule" + }, + "groupingConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/GroupingConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping configuration property bag." + } + }, + "required": [ + "createIncident" + ], + "description": "Incident Configuration property bag." + }, + "IncidentLabel": { + "type": "object", + "properties": { + "labelName": { + "type": "string", + "description": "The name of the label" + } + }, + "required": [ + "labelName" + ], + "description": "Represents an incident label" + }, + "IncidentOwnerInfo": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." + }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentProperties": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The reason the incident was closed." + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The classification reason the incident was closed with." + }, + "description": { + "type": "string", + "description": "The description of the incident" + }, + "firstActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the first activity in the incident" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this incident" + }, + "lastActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the last activity in the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The status of the incident." + }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "required": [ + "severity", + "status", + "title" + ], + "description": "Describes incident properties" + }, + "incidents_comments_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftSecurityIncidentCreation" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule." + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "displayNamesExcludeFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will not be generated" + }, + "displayNamesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will be generated" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "productFilter": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The alerts' productName on which the cases will be generated." + }, + "severitiesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' severities on which the cases will be generated" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + }, + "RelationProperties": { + "type": "object", + "properties": { + "relatedResourceId": { + "type": "string", + "description": "The resource ID of the related resource" + } + }, + "required": [ + "relatedResourceId" + ], + "description": "Relation property bag." + }, + "ScheduledAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Scheduled" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Scheduled alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents scheduled alert rule." + }, + "ScheduledAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "eventGroupingSettings": { + "oneOf": [ + { + "$ref": "#/definitions/EventGroupingSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Event grouping settings property bag." + }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "queryFrequency": { + "type": "string", + "format": "duration", + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run." + }, + "queryPeriod": { + "type": "string", + "format": "duration", + "description": "The period (in ISO 8601 duration format) that this alert rule looks at." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." + }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "triggerOperator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The threshold triggers this alert rule." + } + }, + "required": [ + "displayName", + "enabled", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Scheduled alert rule base property bag." + }, + "ThreatIntelligenceExternalReference": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "External reference description" + }, + "externalId": { + "type": "string", + "description": "External reference ID" + }, + "hashes": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External reference hashes" + }, + "sourceName": { + "type": "string", + "description": "External reference source name" + }, + "url": { + "type": "string", + "description": "External reference URL" + } + }, + "description": "Describes external reference" + }, + "ThreatIntelligenceGranularMarkingModel": { + "type": "object", + "properties": { + "language": { + "type": "string", + "description": "Language granular marking model" + }, + "markingRef": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "marking reference granular marking model" + }, + "selectors": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "granular marking model selectors" + } + }, + "description": "Describes threat granular marking model entity" + }, + "ThreatIntelligenceIndicatorProperties": { + "type": "object", + "properties": { + "confidence": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Confidence of threat intelligence entity" + }, + "created": { + "type": "string", + "description": "Created by" + }, + "createdByRef": { + "type": "string", + "description": "Created by reference of threat intelligence entity" + }, + "defanged": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity defanged" + }, + "description": { + "type": "string", + "description": "Description of a threat intelligence entity" + }, + "displayName": { + "type": "string", + "description": "Display name of a threat intelligence entity" + }, + "extensions": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Extensions map" + }, + "externalId": { + "type": "string", + "description": "External ID of threat intelligence entity" + }, + "externalLastUpdatedTimeUtc": { + "type": "string", + "description": "External last updated time in UTC" + }, + "externalReferences": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External References" + }, + "granularMarkings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Granular Markings" + }, + "indicatorTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicator types of threat intelligence entities" + }, + "killChainPhases": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Kill chain phases" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Labels of threat intelligence entity" + }, + "language": { + "type": "string", + "description": "Language of threat intelligence entity" + }, + "lastUpdatedTimeUtc": { + "type": "string", + "description": "Last updated time in UTC" + }, + "modified": { + "type": "string", + "description": "Modified by" + }, + "objectMarkingRefs": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat intelligence entity object marking references" + }, + "parsedPattern": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Parsed patterns" + }, + "pattern": { + "type": "string", + "description": "Pattern of a threat intelligence entity" + }, + "patternType": { + "type": "string", + "description": "Pattern type of a threat intelligence entity" + }, + "patternVersion": { + "type": "string", + "description": "Pattern version of a threat intelligence entity" + }, + "revoked": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity revoked" + }, + "source": { + "type": "string", + "description": "Source of a threat intelligence entity" + }, + "threatIntelligenceTags": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of tags" + }, + "threatTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat types" + }, + "validFrom": { + "type": "string", + "description": "Valid from" + }, + "validUntil": { + "type": "string", + "description": "Valid until" + } + }, + "description": "Describes threat intelligence entity properties" + }, + "ThreatIntelligenceKillChainPhase": { + "type": "object", + "properties": { + "killChainName": { + "type": "string", + "description": "Kill chainName name" + }, + "phaseName": { + "type": "string", + "description": "Phase name" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "ThreatIntelligenceParsedPattern": { + "type": "object", + "properties": { + "patternTypeKey": { + "type": "string", + "description": "Pattern type key" + }, + "patternTypeValues": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Pattern type keys" + } + }, + "description": "Describes parsed pattern entity" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value of parsed pattern" + }, + "valueType": { + "type": "string", + "description": "Type of the value" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "UserInfo": { + "type": "object", + "properties": { + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user." + } + }, + "description": "User information that made some action" + }, + "WatchlistItemProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist item was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "entityMapping": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item entity mapping" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist item is deleted or not" + }, + "itemsKeyValue": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item" + }, + "tenantId": { + "type": "string", + "description": "The tenantId to which the watchlist item belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist item was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "watchlistItemId": { + "type": "string", + "description": "The id (a Guid) of the watchlist item" + }, + "watchlistItemType": { + "type": "string", + "description": "The type of the watchlist item" + } + }, + "required": [ + "itemsKeyValue" + ], + "description": "Describes watchlist item properties" + }, + "WatchlistProperties": { + "type": "object", + "properties": { + "contentType": { + "type": "string", + "description": "The content type of the raw content. For now, only text/csv is valid" + }, + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "defaultDuration": { + "type": "string", + "format": "duration", + "description": "The default duration of a watchlist (in ISO 8601 duration format)" + }, + "description": { + "type": "string", + "description": "A description of the watchlist" + }, + "displayName": { + "type": "string", + "description": "The display name of the watchlist" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist is deleted or not" + }, + "itemsSearchKey": { + "type": "string", + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address." + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this watchlist" + }, + "numberOfLinesToSkip": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of lines in a csv content to skip before the header" + }, + "provider": { + "type": "string", + "description": "The provider of the watchlist" + }, + "rawContent": { + "type": "string", + "description": "The raw content that represents to watchlist items to create. Example : This line will be skipped\nheader1,header2\nvalue1,value2" + }, + "source": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Local file", + "Remote storage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The source of the watchlist." + }, + "tenantId": { + "type": "string", + "description": "The tenantId where the watchlist belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "uploadStatus": { + "type": "string", + "description": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted" + }, + "watchlistAlias": { + "type": "string", + "description": "The alias of the watchlist" + }, + "watchlistId": { + "type": "string", + "description": "The id (a Guid) of the watchlist" + }, + "watchlistType": { + "type": "string", + "description": "The type of the watchlist" + } + }, + "required": [ + "displayName", + "itemsSearchKey", + "provider", + "source" + ], + "description": "Describes watchlist properties" + }, + "watchlists_watchlistItems_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + } +} \ No newline at end of file