Azure
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json‎
Lines changed: 4072 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json‎
Lines changed: 4072 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/CreateIncident.json‎
Lines changed: 109 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/CreateIncident.json‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/DeleteIncident.json‎
Lines changed: 14 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/DeleteIncident.json‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetAllIncidentAlerts.json‎
Lines changed: 51 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetAllIncidentAlerts.json‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetAllIncidentBookmarks.json‎
Lines changed: 78 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetAllIncidentBookmarks.json‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetIncidentById.json‎
Lines changed: 57 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetIncidentById.json‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetIncidents.json‎
Lines changed: 62 additions & 0 deletions b/‎specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/incidents/GetIncidents.json‎
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,109 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+    "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+    "incident": {
+      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+      "properties": {
+        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
+        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+        "description": "This is a demo incident",
+        "title": "My incident",
+        "owner": {
+          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+        },
+        "severity": "High",
+        "classification": "FalsePositive",
+        "classificationComment": "Not a malicious activity",
+        "classificationReason": "IncorrectAlertLogic",
+        "status": "Closed"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/incidents",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+        "properties": {
+          "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
+          "createdTimeUtc": "2019-01-01T13:15:30Z",
+          "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
+          "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+          "description": "This is a demo incident",
+          "title": "My incident",
+          "owner": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "john.doe@contoso.com",
+            "userPrincipalName": "john@contoso.com",
+            "assignedTo": "john doe"
+          },
+          "severity": "High",
+          "classification": "FalsePositive",
+          "classificationComment": "Not a malicious activity",
+          "classificationReason": "IncorrectAlertLogic",
+          "status": "Closed",
+          "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+          "incidentNumber": 3177,
+          "labels": [],
+          "providerName": "Azure Sentinel",
+          "providerIncidentId": "3177",
+          "relatedAnalyticRuleIds": [],
+          "additionalData": {
+            "alertsCount": 0,
+            "bookmarksCount": 0,
+            "commentsCount": 3,
+            "alertProductNames": [],
+            "tactics": []
+          }
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/incidents",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+        "properties": {
+          "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
+          "createdTimeUtc": "2019-01-01T13:15:30Z",
+          "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
+          "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+          "description": "This is a demo incident",
+          "title": "My incident",
+          "owner": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "john.doe@contoso.com",
+            "userPrincipalName": "john@contoso.com",
+            "assignedTo": "john doe"
+          },
+          "severity": "High",
+          "classification": "FalsePositive",
+          "classificationComment": "Not a malicious activity",
+          "classificationReason": "IncorrectAlertLogic",
+          "status": "Closed",
+          "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+          "incidentNumber": 3177,
+          "labels": [],
+          "providerName": "Azure Sentinel",
+          "providerIncidentId": "3177",
+          "relatedAnalyticRuleIds": [],
+          "additionalData": {
+            "alertsCount": 0,
+            "bookmarksCount": 0,
+            "commentsCount": 3,
+            "alertProductNames": [],
+            "tactics": []
+          }
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,14 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {},
+    "204": {}
+  }
+}
@@ -0,0 +1,51 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/baa8a239-6fde-4ab7-a093-d09f7b75c58c",
+            "name": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
+            "type": "Microsoft.SecurityInsights/Entities",
+            "kind": "SecurityAlert",
+            "properties": {
+              "systemAlertId": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
+              "tactics": [],
+              "alertDisplayName": "myAlert",
+              "confidenceLevel": "Unknown",
+              "severity": "Low",
+              "vendorName": "Microsoft",
+              "productName": "Azure Security Center",
+              "alertType": "myAlert",
+              "processingEndTime": "2020-07-20T18:21:53.6158361Z",
+              "status": "New",
+              "endTimeUtc": "2020-07-20T18:21:53.6158361Z",
+              "startTimeUtc": "2020-07-20T18:21:53.6158361Z",
+              "timeGenerated": "2020-07-20T18:21:53.6158361Z",
+              "resourceIdentifiers": [
+                {
+                  "type": "LogAnalytics",
+                  "workspaceId": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b",
+                  "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+                  "resourceGroup": "myRG"
+                }
+              ],
+              "additionalData": {
+                "AlertMessageEnqueueTime": "2020-07-20T18:21:57.304Z"
+              },
+              "friendlyName": "myAlert"
+            }
+          }
+        ]
+      }
+    }
+  }
+}
@@ -0,0 +1,78 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812",
+            "name": "afbd324f-6c48-459c-8710-8d1e1cd03812",
+            "type": "Microsoft.SecurityInsights/Entities",
+            "kind": "Bookmark",
+            "properties": {
+              "displayName": "SecurityEvent - 868f40f4698d",
+              "created": "2020-06-17T15:34:01.4265524+00:00",
+              "updated": "2020-06-17T15:34:01.4265524+00:00",
+              "createdBy": {
+                "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
+                "email": "user@microsoft.com",
+                "name": "user"
+              },
+              "updatedBy": {
+                "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
+                "email": "user@microsoft.com",
+                "name": "user"
+              },
+              "eventTime": "2020-06-17T15:34:01.4265524+00:00",
+              "labels": [],
+              "query": "SecurityEvent\r\n| take 1\n",
+              "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
+              "additionalData": {
+                "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
+                "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
+              },
+              "friendlyName": "SecurityEvent - 868f40f4698d"
+            }
+          },
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/bbbd324f-6c48-459c-8710-8d1e1cd03812",
+            "name": "bbbd324f-6c48-459c-8710-8d1e1cd03812",
+            "type": "Microsoft.SecurityInsights/Entities",
+            "kind": "Bookmark",
+            "properties": {
+              "displayName": "SecurityEvent - 868f40f4698d",
+              "created": "2020-06-17T15:34:01.4265524+00:00",
+              "updated": "2020-06-17T15:34:01.4265524+00:00",
+              "createdBy": {
+                "objectId": "303ca914-5eb6-45e5-9417-fe0797c372fd",
+                "email": "user@microsoft.com",
+                "name": "user"
+              },
+              "updatedBy": {
+                "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
+                "email": "user@microsoft.com",
+                "name": "user"
+              },
+              "eventTime": "2020-06-17T15:34:01.4265524+00:00",
+              "labels": [],
+              "query": "SecurityEvent\r\n| take 1\n",
+              "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
+              "additionalData": {
+                "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
+                "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
+              },
+              "friendlyName": "SecurityEvent - 868f40f4698d"
+            }
+          }
+        ]
+      }
+    }
+  }
+}
@@ -0,0 +1,57 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+        "type": "Microsoft.SecurityInsights/incidents",
+        "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+        "properties": {
+          "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
+          "createdTimeUtc": "2019-01-01T13:15:30Z",
+          "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
+          "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+          "description": "This is a demo incident",
+          "title": "My incident",
+          "owner": {
+            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+            "email": "john.doe@contoso.com",
+            "userPrincipalName": "john@contoso.com",
+            "assignedTo": "john doe"
+          },
+          "severity": "High",
+          "classification": "FalsePositive",
+          "classificationComment": "Not a malicious activity",
+          "classificationReason": "InaccurateData",
+          "status": "Closed",
+          "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+          "incidentNumber": 3177,
+          "labels": [],
+          "providerName": "Azure Sentinel",
+          "providerIncidentId": "3177",
+          "relatedAnalyticRuleIds": [
+            "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
+          ],
+          "additionalData": {
+            "alertsCount": 0,
+            "bookmarksCount": 0,
+            "commentsCount": 3,
+            "alertProductNames": [],
+            "tactics": [
+              "InitialAccess",
+              "Persistence"
+            ]
+          }
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,62 @@
+{
+  "parameters": {
+    "api-version": "2021-03-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "$orderby": "properties/createdTimeUtc desc",
+    "$top": 1
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+            "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+            "type": "Microsoft.SecurityInsights/incidents",
+            "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+            "properties": {
+              "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
+              "createdTimeUtc": "2019-01-01T13:15:30Z",
+              "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
+              "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+              "description": "This is a demo incident",
+              "title": "My incident",
+              "owner": {
+                "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+                "email": "john.doe@contoso.com",
+                "userPrincipalName": "john@contoso.com",
+                "assignedTo": "john doe"
+              },
+              "severity": "High",
+              "classification": "FalsePositive",
+              "classificationComment": "Not a malicious activity",
+              "classificationReason": "IncorrectAlertLogic",
+              "status": "Closed",
+              "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+              "incidentNumber": 3177,
+              "labels": [],
+              "providerName": "Azure Sentinel",
+              "providerIncidentId": "3177",
+              "relatedAnalyticRuleIds": [
+                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
+              ],
+              "additionalData": {
+                "alertsCount": 0,
+                "bookmarksCount": 0,
+                "commentsCount": 3,
+                "alertProductNames": [],
+                "tactics": [
+                  "Persistence"
+                ]
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}