From 981897c248206845ef392877c044df552840ed9f Mon Sep 17 00:00:00 2001 From: SDKAuto Date: Mon, 24 Jan 2022 15:29:27 +0000 Subject: [PATCH] CodeGen from PR 17472 in Azure/azure-rest-api-specs Merge c919c707aaedd37f3d84d80c9602b72253e5429a into a435926f87f3138c5b5452368c23a17a745ca1d2 --- .../Microsoft.SecurityInsights.json | 1 + .../Microsoft.SecurityInsights.json | 1 + .../Microsoft.SecurityInsights.json | 101 +- .../Microsoft.SecurityInsights.json | 2967 +++++++++++++++++ 4 files changed, 2973 insertions(+), 97 deletions(-) create mode 100644 schemas/2021-10-01/Microsoft.SecurityInsights.json diff --git a/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json b/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json index 7b756df676..2bd43047cc 100644 --- a/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json +++ b/schemas/2019-01-01-preview/Microsoft.SecurityInsights.json @@ -2351,6 +2351,7 @@ { "type": "string", "enum": [ + "Critical", "High", "Medium", "Low", diff --git a/schemas/2020-01-01/Microsoft.SecurityInsights.json b/schemas/2020-01-01/Microsoft.SecurityInsights.json index c8f7bd4046..5cb2df2498 100644 --- a/schemas/2020-01-01/Microsoft.SecurityInsights.json +++ b/schemas/2020-01-01/Microsoft.SecurityInsights.json @@ -797,6 +797,7 @@ { "type": "string", "enum": [ + "Critical", "High", "Medium", "Low", diff --git a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json index 51110b03e3..7d7fe5dfc5 100644 --- a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json +++ b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json @@ -2130,17 +2130,6 @@ ], "description": "The status of the incident." }, - "teamInformation": { - "oneOf": [ - { - "$ref": "#/definitions/TeamInformation" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Describes team information" - }, "title": { "type": "string", "description": "The title of the incident" @@ -2418,40 +2407,6 @@ }, "description": "Publisher or creator of the content item." }, - "MetadataCategories": { - "type": "object", - "properties": { - "domains": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "domain for the solution content item" - }, - "verticals": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Industry verticals for the solution content item" - } - }, - "description": "ies for the solution content item" - }, "MetadataDependencies": { "type": "object", "properties": { @@ -2540,17 +2495,6 @@ ], "description": "Publisher or creator of the content item." }, - "categories": { - "oneOf": [ - { - "$ref": "#/definitions/MetadataCategories" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "ies for the solution content item" - }, "contentId": { "type": "string", "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a template, both will have the same contentId." @@ -2566,11 +2510,6 @@ ], "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies." }, - "firstPublishDate": { - "type": "string", - "format": "date", - "description": "first publish date of solution content item" - }, "kind": { "oneOf": [ { @@ -2598,29 +2537,10 @@ ], "description": "The kind of content the metadata is for." }, - "lastPublishDate": { - "type": "string", - "format": "date", - "description": "last publish date of solution content item" - }, "parentId": { "type": "string", "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)" }, - "providers": { - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Providers for the solution content item" - }, "source": { "oneOf": [ { @@ -3483,14 +3403,6 @@ "type": "string", "description": "Branch name of repository." }, - "deploymentLogsUrl": { - "type": "string", - "description": "Url to access repository action logs." - }, - "displayUrl": { - "type": "string", - "description": "Display url of repository." - }, "pathMapping": { "oneOf": [ { @@ -3835,10 +3747,6 @@ "type": "string", "description": "The display name of the source control" }, - "id": { - "type": "string", - "description": "The id (a Guid) of the source control" - }, "repository": { "oneOf": [ { @@ -3864,6 +3772,10 @@ } ], "description": "The repository type of the source control." + }, + "sourceControlId": { + "type": "string", + "description": "The id (a Guid) of the source control" } }, "required": [ @@ -3874,11 +3786,6 @@ ], "description": "Describes source control properties" }, - "TeamInformation": { - "type": "object", - "properties": {}, - "description": "Describes team information" - }, "ThreatIntelligenceAlertRule": { "type": "object", "properties": { diff --git a/schemas/2021-10-01/Microsoft.SecurityInsights.json b/schemas/2021-10-01/Microsoft.SecurityInsights.json new file mode 100644 index 0000000000..71a481a62f --- /dev/null +++ b/schemas/2021-10-01/Microsoft.SecurityInsights.json @@ -0,0 +1,2967 @@ +{ + "id": "https://schema.management.azure.com/schemas/2021-10-01/Microsoft.SecurityInsights.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.SecurityInsights", + "description": "Microsoft SecurityInsights Resource Types", + "resourceDefinitions": {}, + "extension_resourceDefinitions": { + "alertRules": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRule" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRule" + }, + { + "$ref": "#/definitions/ScheduledAlertRule" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Alert rule ID" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/alertRules_actions_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules" + }, + "alertRules_actions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules/actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "bookmarks": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Bookmark ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/BookmarkProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes bookmark properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/bookmarks" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/bookmarks" + }, + "dataConnectors": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnector" + }, + { + "$ref": "#/definitions/AATPDataConnector" + }, + { + "$ref": "#/definitions/ASCDataConnector" + }, + { + "$ref": "#/definitions/AwsCloudTrailDataConnector" + }, + { + "$ref": "#/definitions/MCASDataConnector" + }, + { + "$ref": "#/definitions/MDATPDataConnector" + }, + { + "$ref": "#/definitions/TIDataConnector" + }, + { + "$ref": "#/definitions/OfficeDataConnector" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Connector ID" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/dataConnectors" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/dataConnectors" + }, + "incidents": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes incident properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/incidents_comments_childResource" + }, + { + "$ref": "#/definitions/incidents_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents" + }, + "incidents_comments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "onboardingStates": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The Sentinel onboarding state name. Supports - default" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SentinelOnboardingStateProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Sentinel onboarding state properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/onboardingStates" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/onboardingStates" + }, + "threatIntelligence_indicators": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "indicator" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The kind of the entity." + }, + "name": { + "type": "string", + "description": "Threat intelligence indicator name field." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes threat intelligence entity properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/threatIntelligence/indicators" + ] + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/threatIntelligence/indicators" + }, + "watchlists": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist alias" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/watchlists_watchlistItems_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists" + }, + "watchlists_watchlistItems": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists/watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + }, + "definitions": { + "AADDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureActiveDirectory" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AAD (Azure Active Directory) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AAD (Azure Active Directory) data connector." + }, + "AADDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "AAD (Azure Active Directory) data connector properties." + }, + "AATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector." + }, + "AATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + }, + "ActionRequestProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}." + }, + "triggerUri": { + "type": "string", + "description": "Logic App Callback URL for this specific workflow." + } + }, + "required": [ + "logicAppResourceId", + "triggerUri" + ], + "description": "Action property bag." + }, + "AlertDetailsOverride": { + "type": "object", + "properties": { + "alertDescriptionFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert description" + }, + "alertDisplayNameFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert name" + }, + "alertSeverityColumnName": { + "type": "string", + "description": "the column name to take the alert severity from" + }, + "alertTacticsColumnName": { + "type": "string", + "description": "the column name to take the alert tactics from" + } + }, + "description": "Settings for how to dynamically override alert static details" + }, + "alertRules_actions_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "AlertsDataTypeOfDataConnector": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "description": "Alerts data type for data connectors." + }, + "ASCDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureSecurityCenter" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ASCDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "ASC (Azure Security Center) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents ASC (Azure Security Center) data connector." + }, + "ASCDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "subscriptionId": { + "type": "string", + "description": "The subscription id to connect to, and get the data from." + } + }, + "description": "ASC (Azure Security Center) data connector properties." + }, + "AwsCloudTrailDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AmazonWebServicesCloudTrail" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Amazon Web Services CloudTrail data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Amazon Web Services CloudTrail data connector." + }, + "AwsCloudTrailDataConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "description": "The available data types for Amazon Web Services CloudTrail data connector." + }, + "AwsCloudTrailDataConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Logs data type." + }, + "AwsCloudTrailDataConnectorProperties": { + "type": "object", + "properties": { + "awsRoleArn": { + "type": "string", + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account." + }, + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Amazon Web Services CloudTrail data connector." + } + }, + "description": "Amazon Web Services CloudTrail data connector properties." + }, + "BookmarkProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the bookmark was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "displayName": { + "type": "string", + "description": "The display name of the bookmark" + }, + "eventTime": { + "type": "string", + "format": "date-time", + "description": "The bookmark event time" + }, + "incidentInfo": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes related incident information for the bookmark" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this bookmark" + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "query": { + "type": "string", + "description": "The query of the bookmark." + }, + "queryEndTime": { + "type": "string", + "format": "date-time", + "description": "The end time for the query" + }, + "queryResult": { + "type": "string", + "description": "The query result of the bookmark." + }, + "queryStartTime": { + "type": "string", + "format": "date-time", + "description": "The start time for the query" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the bookmark was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + } + }, + "required": [ + "displayName", + "query" + ], + "description": "Describes bookmark properties" + }, + "DataConnectorDataTypeCommon": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Common field for data type in data connectors." + }, + "EntityMapping": { + "type": "object", + "properties": { + "entityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "fieldMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "array of field mappings for the given entity mapping" + } + }, + "description": "Single entity mapping for the alert rule" + }, + "EventGroupingSettings": { + "type": "object", + "properties": { + "aggregationKind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SingleAlert", + "AlertPerResult" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "description": "Event grouping settings property bag." + }, + "FieldMapping": { + "type": "object", + "properties": { + "columnName": { + "type": "string", + "description": "the column name to be mapped to the identifier" + }, + "identifier": { + "type": "string", + "description": "the V3 identifier of the entity" + } + }, + "description": "A single field mapping of the mapped entity" + }, + "FusionAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Fusion" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Fusion alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Fusion alert rule." + }, + "FusionAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Fusion alert rule base property bag." + }, + "GroupingConfiguration": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping enabled" + }, + "groupByAlertDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "DisplayName", + "Severity" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of alert details to group by (when matchingMethod is Selected)" + }, + "groupByCustomDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used." + }, + "groupByEntities": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used." + }, + "lookbackDuration": { + "type": "string", + "format": "duration", + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)" + }, + "matchingMethod": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty." + }, + "reopenClosedIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Re-open closed matching incidents" + } + }, + "required": [ + "enabled", + "lookbackDuration", + "matchingMethod", + "reopenClosedIncident" + ], + "description": "Grouping configuration property bag." + }, + "IncidentCommentProperties": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The comment message" + } + }, + "required": [ + "message" + ], + "description": "Incident comment property bag." + }, + "IncidentConfiguration": { + "type": "object", + "properties": { + "createIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Create incidents from alerts triggered by this analytics rule" + }, + "groupingConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/GroupingConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping configuration property bag." + } + }, + "required": [ + "createIncident" + ], + "description": "Incident Configuration property bag." + }, + "IncidentInfo": { + "type": "object", + "properties": { + "incidentId": { + "type": "string", + "description": "Incident Id" + }, + "relationName": { + "type": "string", + "description": "Relation Name" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "description": "Describes related incident information for the bookmark" + }, + "IncidentLabel": { + "type": "object", + "properties": { + "labelName": { + "type": "string", + "description": "The name of the label" + } + }, + "required": [ + "labelName" + ], + "description": "Represents an incident label" + }, + "IncidentOwnerInfo": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." + }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentProperties": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The reason the incident was closed." + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The classification reason the incident was closed with." + }, + "description": { + "type": "string", + "description": "The description of the incident" + }, + "firstActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the first activity in the incident" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this incident" + }, + "lastActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the last activity in the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The status of the incident." + }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "required": [ + "severity", + "status", + "title" + ], + "description": "Describes incident properties" + }, + "incidents_comments_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "MCASDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftCloudAppSecurity" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorDataTypes": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + }, + "discoveryLogs": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + }, + "MDATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftDefenderAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MDATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." + }, + "MDATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftSecurityIncidentCreation" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule." + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "displayNamesExcludeFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will not be generated" + }, + "displayNamesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will be generated" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "productFilter": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The alerts' productName on which the cases will be generated." + }, + "severitiesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' severities on which the cases will be generated" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + }, + "OfficeDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Office365" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Office data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents office data connector." + }, + "OfficeDataConnectorDataTypes": { + "type": "object", + "properties": { + "exchange": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesExchange" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Exchange data type connection." + }, + "sharePoint": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesSharePoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SharePoint data type connection." + }, + "teams": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesTeams" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Teams data type connection." + } + }, + "description": "The available data types for office data connector." + }, + "OfficeDataConnectorDataTypesExchange": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Exchange data type connection." + }, + "OfficeDataConnectorDataTypesSharePoint": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "SharePoint data type connection." + }, + "OfficeDataConnectorDataTypesTeams": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Teams data type connection." + }, + "OfficeDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for office data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "Office data connector properties." + }, + "RelationProperties": { + "type": "object", + "properties": { + "relatedResourceId": { + "type": "string", + "description": "The resource ID of the related resource" + } + }, + "required": [ + "relatedResourceId" + ], + "description": "Relation property bag." + }, + "ScheduledAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Scheduled" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Scheduled alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents scheduled alert rule." + }, + "ScheduledAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "eventGroupingSettings": { + "oneOf": [ + { + "$ref": "#/definitions/EventGroupingSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Event grouping settings property bag." + }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "queryFrequency": { + "type": "string", + "format": "duration", + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run." + }, + "queryPeriod": { + "type": "string", + "format": "duration", + "description": "The period (in ISO 8601 duration format) that this alert rule looks at." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." + }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "triggerOperator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The threshold triggers this alert rule." + } + }, + "required": [ + "displayName", + "enabled", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Scheduled alert rule base property bag." + }, + "SentinelOnboardingStateProperties": { + "type": "object", + "properties": { + "customerManagedKey": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag that indicates the status of the CMK setting" + } + }, + "description": "The Sentinel onboarding state properties" + }, + "ThreatIntelligenceExternalReference": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "External reference description" + }, + "externalId": { + "type": "string", + "description": "External reference ID" + }, + "hashes": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External reference hashes" + }, + "sourceName": { + "type": "string", + "description": "External reference source name" + }, + "url": { + "type": "string", + "description": "External reference URL" + } + }, + "description": "Describes external reference" + }, + "ThreatIntelligenceGranularMarkingModel": { + "type": "object", + "properties": { + "language": { + "type": "string", + "description": "Language granular marking model" + }, + "markingRef": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "marking reference granular marking model" + }, + "selectors": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "granular marking model selectors" + } + }, + "description": "Describes threat granular marking model entity" + }, + "ThreatIntelligenceIndicatorProperties": { + "type": "object", + "properties": { + "confidence": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Confidence of threat intelligence entity" + }, + "created": { + "type": "string", + "description": "Created by" + }, + "createdByRef": { + "type": "string", + "description": "Created by reference of threat intelligence entity" + }, + "defanged": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity defanged" + }, + "description": { + "type": "string", + "description": "Description of a threat intelligence entity" + }, + "displayName": { + "type": "string", + "description": "Display name of a threat intelligence entity" + }, + "extensions": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Extensions map" + }, + "externalId": { + "type": "string", + "description": "External ID of threat intelligence entity" + }, + "externalLastUpdatedTimeUtc": { + "type": "string", + "description": "External last updated time in UTC" + }, + "externalReferences": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External References" + }, + "granularMarkings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Granular Markings" + }, + "indicatorTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicator types of threat intelligence entities" + }, + "killChainPhases": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Kill chain phases" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Labels of threat intelligence entity" + }, + "language": { + "type": "string", + "description": "Language of threat intelligence entity" + }, + "lastUpdatedTimeUtc": { + "type": "string", + "description": "Last updated time in UTC" + }, + "modified": { + "type": "string", + "description": "Modified by" + }, + "objectMarkingRefs": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat intelligence entity object marking references" + }, + "parsedPattern": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Parsed patterns" + }, + "pattern": { + "type": "string", + "description": "Pattern of a threat intelligence entity" + }, + "patternType": { + "type": "string", + "description": "Pattern type of a threat intelligence entity" + }, + "patternVersion": { + "type": "string", + "description": "Pattern version of a threat intelligence entity" + }, + "revoked": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity revoked" + }, + "source": { + "type": "string", + "description": "Source of a threat intelligence entity" + }, + "threatIntelligenceTags": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of tags" + }, + "threatTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat types" + }, + "validFrom": { + "type": "string", + "description": "Valid from" + }, + "validUntil": { + "type": "string", + "description": "Valid until" + } + }, + "description": "Describes threat intelligence entity properties" + }, + "ThreatIntelligenceKillChainPhase": { + "type": "object", + "properties": { + "killChainName": { + "type": "string", + "description": "Kill chainName name" + }, + "phaseName": { + "type": "string", + "description": "Phase name" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "ThreatIntelligenceParsedPattern": { + "type": "object", + "properties": { + "patternTypeKey": { + "type": "string", + "description": "Pattern type key" + }, + "patternTypeValues": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Pattern type keys" + } + }, + "description": "Describes parsed pattern entity" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value of parsed pattern" + }, + "valueType": { + "type": "string", + "description": "Type of the value" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "TIDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "TI (Threat Intelligence) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents threat intelligence data connector." + }, + "TIDataConnectorDataTypes": { + "type": "object", + "properties": { + "indicators": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypesIndicators" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for indicators connection." + } + }, + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "TIDataConnectorDataTypesIndicators": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Data type for indicators connection." + }, + "TIDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + }, + "tipLookbackPeriod": { + "type": "string", + "format": "date-time", + "description": "The lookback period for the feed to be imported." + } + }, + "description": "TI (Threat Intelligence) data connector properties." + }, + "UserInfo": { + "type": "object", + "properties": { + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user." + } + }, + "description": "User information that made some action" + }, + "WatchlistItemProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist item was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "entityMapping": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item entity mapping" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist item is deleted or not" + }, + "itemsKeyValue": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item" + }, + "tenantId": { + "type": "string", + "description": "The tenantId to which the watchlist item belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist item was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "watchlistItemId": { + "type": "string", + "description": "The id (a Guid) of the watchlist item" + }, + "watchlistItemType": { + "type": "string", + "description": "The type of the watchlist item" + } + }, + "required": [ + "itemsKeyValue" + ], + "description": "Describes watchlist item properties" + }, + "WatchlistProperties": { + "type": "object", + "properties": { + "contentType": { + "type": "string", + "description": "The content type of the raw content. For now, only text/csv is valid" + }, + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "defaultDuration": { + "type": "string", + "format": "duration", + "description": "The default duration of a watchlist (in ISO 8601 duration format)" + }, + "description": { + "type": "string", + "description": "A description of the watchlist" + }, + "displayName": { + "type": "string", + "description": "The display name of the watchlist" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist is deleted or not" + }, + "itemsSearchKey": { + "type": "string", + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address." + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this watchlist" + }, + "numberOfLinesToSkip": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of lines in a csv content to skip before the header" + }, + "provider": { + "type": "string", + "description": "The provider of the watchlist" + }, + "rawContent": { + "type": "string", + "description": "The raw content that represents to watchlist items to create. Example : This line will be skipped\nheader1,header2\nvalue1,value2" + }, + "source": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Local file", + "Remote storage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The source of the watchlist." + }, + "tenantId": { + "type": "string", + "description": "The tenantId where the watchlist belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "uploadStatus": { + "type": "string", + "description": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted" + }, + "watchlistAlias": { + "type": "string", + "description": "The alias of the watchlist" + }, + "watchlistId": { + "type": "string", + "description": "The id (a Guid) of the watchlist" + }, + "watchlistType": { + "type": "string", + "description": "The type of the watchlist" + } + }, + "required": [ + "displayName", + "itemsSearchKey", + "provider", + "source" + ], + "description": "Describes watchlist properties" + }, + "watchlists_watchlistItems_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + } +} \ No newline at end of file