From aefc157d368b7dd4a0430e0d671ad56da0d9e8e2 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Sun, 15 Aug 2021 14:43:11 +0300 Subject: [PATCH 1/8] Adds base for updating Microsoft.SecurityInsight's AlertRules from version stable/2020-01-01 to version 2021-10-01 --- .../stable/2021-10-01/AlertRules.json | 1431 +++++++++++++++++ .../stable/2021-10-01/SecurityInsights.json | 1430 ++++++++++++++++ .../GetAlertRuleTemplateById.json | 45 + .../GetAlertRuleTemplates.json | 82 + .../alertRules/CreateFusionAlertRule.json | 66 + ...softSecurityIncidentCreationAlertRule.json | 59 + .../alertRules/CreateScheduledAlertRule.json | 89 + .../examples/alertRules/DeleteAlertRule.json | 14 + .../examples/alertRules/GetAllAlertRules.json | 81 + .../alertRules/GetFusionAlertRule.json | 35 + ...softSecurityIncidentCreationAlertRule.json | 31 + .../alertRules/GetScheduledAlertRule.json | 40 + 12 files changed, 3403 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json new file mode 100644 index 000000000000..ed000a7477c7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -0,0 +1,1431 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { + "get": { + "x-ms-examples": { + "Get all alert rules.": { + "$ref": "./examples/alertRules/GetAllAlertRules.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets all alert rules.", + "operationId": "AlertRules_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { + "get": { + "x-ms-examples": { + "Get a Scheduled alert rule.": { + "$ref": "./examples/alertRules/GetScheduledAlertRule.json" + }, + "Get a Fusion alert rule.": { + "$ref": "./examples/alertRules/GetFusionAlertRule.json" + }, + "Get a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets the alert rule.", + "operationId": "AlertRules_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a Scheduled alert rule.": { + "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" + }, + "Creates or updates a Fusion alert rule.": { + "$ref": "./examples/alertRules/CreateFusionAlertRule.json" + }, + "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Creates or updates the alert rule.", + "operationId": "AlertRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/AlertRule" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an alert rule.": { + "$ref": "./examples/alertRules/DeleteAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Delete the alert rule.", + "operationId": "AlertRules_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions": { + "get": { + "x-ms-examples": { + "Get all actions of alert rule.": { + "$ref": "./examples/actions/GetAllActionsByAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets all actions of alert rule.", + "operationId": "Actions_ListByAlertRule", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}": { + "get": { + "x-ms-examples": { + "Get an action of alert rule.": { + "$ref": "./examples/actions/GetActionOfAlertRuleById.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets the action of alert rule.", + "operationId": "Actions_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an action of alert rule.": { + "$ref": "./examples/actions/CreateActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Creates or updates the action of alert rule.", + "operationId": "Actions_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + }, + { + "$ref": "#/parameters/Action" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an action of alert rule.": { + "$ref": "./examples/actions/DeleteActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Delete the action of alert rule.", + "operationId": "Actions_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates": { + "get": { + "x-ms-examples": { + "Get all alert rule templates.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplates.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets all alert rule templates.", + "operationId": "AlertRuleTemplates_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRuleTemplatesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}": { + "get": { + "x-ms-examples": { + "Get alert rule template by Id.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplateById.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets the alert rule template.", + "operationId": "AlertRuleTemplates_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AlertRuleTemplateId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRuleTemplate" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "ActionRequest": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string" + } + }, + "required": [ + "triggerUri" + ], + "type": "object" + }, + "ActionResponse": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + } + ], + "description": "Action for alert rule.", + "properties": { + "etag": { + "description": "Etag of the action.", + "type": "string" + }, + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + "type": "string" + } + }, + "required": [ + "logicAppResourceId" + ], + "type": "object" + }, + "AlertRule": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Alert rule.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKind", + "description": "The alert rule kind" + } + }, + "type": "object" + }, + "AlertRuleKind": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + "values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + } + ] + } + }, + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKind", + "description": "The alert rule kind", + "type": "string" + } + }, + "type": "object" + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplateStatus": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "FusionAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Fusion alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "FusionAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Fusion alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleTemplateProperties", + "description": "Fusion alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleTemplateProperties": { + "description": "Represents Fusion alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties", + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": { + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityProductName": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "ScheduledAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Schedule alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "format": "int32", + "type": "integer" + } + }, + "type": "object" + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleTemplateProperties": { + "description": "Scheduled alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "format": "int32", + "type": "integer" + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleTemplateProperties", + "description": "Scheduled alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + } + }, + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" + }, + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json new file mode 100644 index 000000000000..1bb0b3dff3b2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json @@ -0,0 +1,1430 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/providers/Microsoft.SecurityInsights/operations": { + "get": { + "operationId": "Operations_List", + "description": "Lists all operations available Azure Security Insights Resource Provider.", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + } + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "OK. Successfully retrieved operations list.", + "schema": { + "$ref": "#/definitions/OperationsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { + "get": { + "x-ms-examples": { + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Gets all incidents.", + "operationId": "Incidents_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { + "get": { + "x-ms-examples": { + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Gets an incident.", + "operationId": "Incidents_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/Incident" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Delete the incident.", + "operationId": "Incidents_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { + "x-ms-examples": { + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-odata": "#/definitions/IncidentComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { + "get": { + "x-ms-examples": { + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Gets an incident comment.", + "operationId": "IncidentComments_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Creates the incident comment.", + "operationId": "IncidentComments_CreateComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + }, + { + "$ref": "#/parameters/IncidentComment" + } + ], + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", + "properties": { + "email": { + "description": "The email of the client.", + "type": "string" + }, + "name": { + "description": "The name of the client.", + "type": "string" + }, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the client.", + "type": "string" + } + }, + "type": "object" + }, + "CloudError": { + "x-ms-external": true, + "properties": { + "error": { + "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", + "description": "The error object of the CloudError response" + } + }, + "type": "object", + "description": "An error response for a resource management request." + }, + "Incident": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an incident in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentProperties", + "description": "Incident properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", + "properties": { + "alertsCount": { + "description": "The number of alerts in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "bookmarksCount": { + "description": "The number of bookmarks in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "commentsCount": { + "description": "The number of comments in the incident", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with incident", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "IncidentComment": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Represents an incident comment", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "IncidentCommentList": { + "description": "List of incident comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/IncidentComment" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "IncidentCommentProperties": { + "description": "Incident comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "The comment message", + "type": "string" + }, + "author": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the comment", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", + "type": "string" + }, + "labelType": { + "description": "The type of the label", + "enum": [ + "User", + "System" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentLabelType", + "values": [ + { + "description": "Label manually created by a user", + "value": "User" + }, + { + "description": "Label automatically created by the system", + "value": "System" + } + ] + } + } + }, + "required": [ + "labelName" + ], + "type": "object" + }, + "IncidentList": { + "description": "List all the incidents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of incidents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of incidents.", + "items": { + "$ref": "#/definitions/Incident" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", + "properties": { + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + } + }, + "type": "object" + }, + "IncidentProperties": { + "description": "Describes incident properties", + "properties": { + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, + "type": "object" + }, + "classification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "classificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] + } + }, + "createdTimeUtc": { + "description": "The time the incident was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the incident", + "type": "string" + }, + "firstActivityTimeUtc": { + "description": "The time of the first activity in the incident", + "format": "date-time", + "type": "string" + }, + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", + "readOnly": true, + "type": "string" + }, + "incidentNumber": { + "description": "A sequential number", + "format": "int32", + "readOnly": true, + "type": "integer" + }, + "labels": { + "description": "List of labels relevant to this incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "lastActivityTimeUtc": { + "description": "The time of the last activity in the incident", + "format": "date-time", + "type": "string" + }, + "lastModifiedTimeUtc": { + "description": "The last time the incident was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", + "items": { + "description": "Related Analytic rule resource id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "status": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + } + }, + "required": [ + "title", + "severity", + "status" + ], + "type": "object" + }, + "OfficeConsent": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "tenantName": { + "description": "The tenant name of the Office365 with the consent.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "Operation": { + "description": "Operation provided by provider", + "properties": { + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" + }, + "origin": { + "description": "The origin of the operation", + "type": "string" + } + }, + "type": "object" + }, + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "Resource": { + "description": "An azure resource object", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + } + }, + "type": "object", + "x-ms-azure-resource": true + }, + "ResourceWithEtag": { + "description": "An azure resource object with an Etag property", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + }, + "etag": { + "description": "Etag of the azure resource", + "type": "string" + } + }, + "type": "object", + "x-ms-azure-resource": true + }, + "Settings": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "The Settings.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/SettingsKind", + "description": "The data connector kind" + } + }, + "type": "object" + }, + "SettingsKind": { + "description": "The kind of the setting", + "enum": [ + "UebaSettings", + "ToggleSettings" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" + } + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "ToggleSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/ToggleSettingsProperties", + "description": "toggle properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ToggleSettings" + }, + "ToggleSettingsProperties": { + "description": "toggle property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "type": "boolean" + } + }, + "type": "object" + }, + "UebaSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Represents settings for User and Entity Behavior Analytics enablement.", + "properties": { + "properties": { + "$ref": "#/definitions/UebaSettingsProperties", + "description": "User and Entity Behavior Analytics settings properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "UebaSettings" + }, + "UebaSettingsProperties": { + "description": "User and Entity Behavior Analytics settings property bag.", + "properties": { + "atpLicenseStatus": { + "description": "Determines whether the tenant has ATP (Advanced Threat Protection) license.", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "LicenseStatus" + } + }, + "isEnabled": { + "description": "Determines whether User and Entity Behavior Analytics is enabled for this workspace.", + "type": "boolean" + }, + "statusInMcas": { + "description": "Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App Security).", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "StatusInMcas" + } + } + }, + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "objectId" + ], + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": { + "AggregationsName": { + "description": "The aggregation name. Supports - Cases", + "in": "path", + "name": "aggregationsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "description": "API version for the operation", + "enum": [ + "2020-01-01" + ], + "in": "query", + "name": "api-version", + "required": true, + "type": "string" + }, + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Incident": { + "description": "The incident", + "in": "body", + "name": "incident", + "required": true, + "schema": { + "$ref": "#/definitions/Incident" + }, + "x-ms-parameter-location": "method" + }, + "IncidentComment": { + "description": "The incident comment", + "in": "body", + "name": "incidentComment", + "required": true, + "schema": { + "$ref": "#/definitions/IncidentComment" + }, + "x-ms-parameter-location": "method" + }, + "IncidentCommentId": { + "description": "Incident comment ID", + "in": "path", + "name": "incidentCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "IncidentId": { + "description": "Incident ID", + "in": "path", + "name": "incidentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataFilter": { + "description": "Filters the results, based on a Boolean condition. Optional.", + "in": "query", + "name": "$filter", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataOrderBy": { + "description": "Sorts the results. Optional.", + "in": "query", + "name": "$orderby", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataTop": { + "description": "Returns only the first n results. Optional.", + "format": "int32", + "in": "query", + "name": "$top", + "required": false, + "type": "integer", + "x-ms-parameter-location": "method" + }, + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. Supports- Fusion, UEBA", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SubscriptionId": { + "description": "Azure subscription ID", + "in": "path", + "name": "subscriptionId", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "required": true, + "type": "string" + }, + "WorkspaceName": { + "description": "The name of the workspace.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "workspaceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json new file mode 100644 index 000000000000..4dbca1922dba --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -0,0 +1,45 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Scheduled", + "properties": { + "severity": "Low", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", + "tactics": [ + "PrivilegeEscalation", + "LateralMovement" + ], + "createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "alertRulesCreatedByTemplateCount": 0 + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json new file mode 100644 index 000000000000..df498bf54949 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -0,0 +1,82 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Scheduled", + "properties": { + "severity": "Low", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", + "tactics": [ + "PrivilegeEscalation", + "LateralMovement" + ], + "createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "alertRulesCreatedByTemplateCount": 0 + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8", + "name": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "createdDateUTC": "2019-07-25T00:00:00Z", + "status": "Available", + "severity": "High", + "alertRulesCreatedByTemplateCount": 0 + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb", + "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "displayName": "Create incidents based on Microsoft Cloud App Security alerts", + "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security", + "createdDateUTC": "2019-07-16T00:00:00Z", + "status": "Available", + "alertRulesCreatedByTemplateCount": 0 + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json new file mode 100644 index 000000000000..6bcf080c3091 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json @@ -0,0 +1,66 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "myFirstFusionRule", + "alertRule": { + "kind": "Fusion", + "etag": "3d00c3ca-0000-0100-0000-5d42d5010000", + "properties": { + "enabled": true, + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..a30144340874 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,59 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "microsoftSecurityIncidentCreationRuleExample", + "alertRule": { + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "displayName": "testing displayname", + "enabled": true + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json new file mode 100644 index 000000000000..d00bc205ef7e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -0,0 +1,89 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "alertRule": { + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json new file mode 100644 index 000000000000..e9aed01e1d36 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json new file mode 100644 index 000000000000..4ee691803483 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json @@ -0,0 +1,81 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": false, + "lastModifiedUtc": "2019-09-02T07:12:34.9065092Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json new file mode 100644 index 000000000000..c0406f4f8ed9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json @@ -0,0 +1,35 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "myFirstFusionRule" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..fa0aed9bcc72 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "microsoftSecurityIncidentCreationRuleExample" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json new file mode 100644 index 000000000000..f20128778ff0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json @@ -0,0 +1,40 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} From 81c9ed675a5bf45daaceef41b23da993c7d80793 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Sun, 15 Aug 2021 14:49:50 +0300 Subject: [PATCH 2/8] Updates API version in AlertRules specs and examples --- .../stable/2021-10-01/AlertRules.json | 2 +- .../stable/2021-10-01/SecurityInsights.json | 388 +----------------- .../GetAlertRuleTemplateById.json | 2 +- .../GetAlertRuleTemplates.json | 2 +- .../alertRules/CreateFusionAlertRule.json | 2 +- ...softSecurityIncidentCreationAlertRule.json | 2 +- .../alertRules/CreateScheduledAlertRule.json | 2 +- .../examples/alertRules/DeleteAlertRule.json | 2 +- .../examples/alertRules/GetAllAlertRules.json | 2 +- .../alertRules/GetFusionAlertRule.json | 2 +- ...softSecurityIncidentCreationAlertRule.json | 2 +- .../alertRules/GetScheduledAlertRule.json | 2 +- 12 files changed, 12 insertions(+), 398 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index ed000a7477c7..99801d72fe49 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2020-01-01" + "version": "2021-10-01" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json index 1bb0b3dff3b2..30c3c0c33212 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2020-01-01" + "version": "2021-10-01" }, "host": "management.azure.com", "schemes": [ @@ -34,392 +34,6 @@ } }, "paths": { - "/providers/Microsoft.SecurityInsights/operations": { - "get": { - "operationId": "Operations_List", - "description": "Lists all operations available Azure Security Insights Resource Provider.", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - } - ], - "produces": [ - "application/json" - ], - "responses": { - "200": { - "description": "OK. Successfully retrieved operations list.", - "schema": { - "$ref": "#/definitions/OperationsList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentCommentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Creates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - }, - { - "$ref": "#/parameters/IncidentComment" - } - ], - "responses": { - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - } }, "definitions": { "AttackTactic": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 4dbca1922dba..387ff76ae6ee 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json index df498bf54949..6ae1ed2b8440 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json index 6bcf080c3091..f42add047e54 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateFusionAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json index a30144340874..3c0cdad425e7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json index d00bc205ef7e..498d2223aafa 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/CreateScheduledAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json index e9aed01e1d36..9658597e086f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/DeleteAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json index 4ee691803483..ce4025b71b59 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetAllAlertRules.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json index c0406f4f8ed9..653d0a11cf09 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetFusionAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json index fa0aed9bcc72..ce5badf2aa99 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json index f20128778ff0..6b969a692f32 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/alertRules/GetScheduledAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2020-01-01", + "api-version": "2021-10-01", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", From 6a03afe49a9fcd0ba13f30f2c2808c06ea8dcd52 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Sun, 15 Aug 2021 15:09:07 +0300 Subject: [PATCH 3/8] Use common types in AlertRules.json and remove redundant SecurityInsights --- .../stable/2021-10-01/AlertRules.json | 108 +- .../stable/2021-10-01/SecurityInsights.json | 1044 ----------------- 2 files changed, 54 insertions(+), 1098 deletions(-) delete mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index 99801d72fe49..b5d40ce6503d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -48,16 +48,16 @@ "operationId": "AlertRules_List", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" } ], "responses": { @@ -70,7 +70,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } }, @@ -99,16 +99,16 @@ "operationId": "AlertRules_Get", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -124,7 +124,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -148,16 +148,16 @@ "operationId": "AlertRules_CreateOrUpdate", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -182,7 +182,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -200,16 +200,16 @@ "operationId": "AlertRules_Delete", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -225,7 +225,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -245,16 +245,16 @@ "operationId": "Actions_ListByAlertRule", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -270,7 +270,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } }, @@ -293,16 +293,16 @@ "operationId": "Actions_Get", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -321,7 +321,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -339,16 +339,16 @@ "operationId": "Actions_CreateOrUpdate", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -376,7 +376,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -394,16 +394,16 @@ "operationId": "Actions_Delete", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/RuleId" @@ -422,7 +422,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -442,16 +442,16 @@ "operationId": "AlertRuleTemplates_List", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" } ], "responses": { @@ -464,7 +464,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } }, @@ -487,16 +487,16 @@ "operationId": "AlertRuleTemplates_Get", "parameters": [ { - "$ref": "SecurityInsights.json#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { - "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { - "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { - "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" }, { "$ref": "#/parameters/AlertRuleTemplateId" @@ -512,7 +512,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "SecurityInsights.json#/definitions/CloudError" + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" } } } @@ -544,7 +544,7 @@ "ActionRequest": { "allOf": [ { - "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Action for alert rule.", @@ -578,7 +578,7 @@ "ActionResponse": { "allOf": [ { - "$ref": "SecurityInsights.json#/definitions/Resource" + "$ref": "../../../common/1.0/types.json#/definitions/Resource" } ], "description": "Action for alert rule.", @@ -626,7 +626,7 @@ "AlertRule": { "allOf": [ { - "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Alert rule.", @@ -669,7 +669,7 @@ "AlertRuleTemplate": { "allOf": [ { - "$ref": "SecurityInsights.json#/definitions/Resource" + "$ref": "../../../common/1.0/types.json#/definitions/Resource" } ], "description": "Alert rule template.", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json deleted file mode 100644 index 30c3c0c33212..000000000000 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/SecurityInsights.json +++ /dev/null @@ -1,1044 +0,0 @@ -{ - "swagger": "2.0", - "info": { - "title": "Security Insights", - "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2021-10-01" - }, - "host": "management.azure.com", - "schemes": [ - "https" - ], - "consumes": [ - "application/json" - ], - "produces": [ - "application/json" - ], - "security": [ - { - "azure_auth": [ - "user_impersonation" - ] - } - ], - "securityDefinitions": { - "azure_auth": { - "type": "oauth2", - "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", - "flow": "implicit", - "description": "Azure Active Directory OAuth2 Flow", - "scopes": { - "user_impersonation": "impersonate your user account" - } - } - }, - "paths": { - }, - "definitions": { - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "CloudError": { - "x-ms-external": true, - "properties": { - "error": { - "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", - "description": "The error object of the CloudError response" - } - }, - "type": "object", - "description": "An error response for a resource management request." - }, - "Incident": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - "properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "IncidentComment": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Represents an incident comment", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentCommentProperties", - "description": "Incident comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentCommentList": { - "description": "List of incident comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/IncidentComment" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "IncidentCommentProperties": { - "description": "Incident comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" - }, - "author": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "IncidentLabel": { - "description": "Represents an incident label", - "properties": { - "labelName": { - "description": "The name of the label", - "type": "string" - }, - "labelType": { - "description": "The type of the label", - "enum": [ - "User", - "System" - ], - "type": "string", - "readOnly": true, - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentLabelType", - "values": [ - { - "description": "Label manually created by a user", - "value": "User" - }, - { - "description": "Label automatically created by the system", - "value": "System" - } - ] - } - } - }, - "required": [ - "labelName" - ], - "type": "object" - }, - "IncidentList": { - "description": "List all the incidents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of incidents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of incidents.", - "items": { - "$ref": "#/definitions/Incident" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "IncidentOwnerInfo": { - "description": "Information on the user an incident is assigned to", - "properties": { - "email": { - "description": "The email of the user the incident is assigned to.", - "type": "string" - }, - "assignedTo": { - "description": "The name of the user the incident is assigned to.", - "type": "string" - }, - "objectId": { - "description": "The object id of the user the incident is assigned to.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the user the incident is assigned to.", - "type": "string" - } - }, - "type": "object" - }, - "IncidentProperties": { - "description": "Describes incident properties", - "properties": { - "additionalData": { - "$ref": "#/definitions/IncidentAdditionalData", - "description": "Additional data on the incident", - "readOnly": true, - "type": "object" - }, - "classification": { - "description": "The reason the incident was closed", - "enum": [ - "Undetermined", - "TruePositive", - "BenignPositive", - "FalsePositive" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassification", - "values": [ - { - "description": "Incident classification was undetermined", - "value": "Undetermined" - }, - { - "description": "Incident was true positive", - "value": "TruePositive" - }, - { - "description": "Incident was benign positive", - "value": "BenignPositive" - }, - { - "description": "Incident was false positive", - "value": "FalsePositive" - } - ] - } - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "description": "The classification reason the incident was closed with", - "enum": [ - "SuspiciousActivity", - "SuspiciousButExpected", - "IncorrectAlertLogic", - "InaccurateData" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassificationReason", - "values": [ - { - "description": "Classification reason was suspicious activity", - "value": "SuspiciousActivity" - }, - { - "description": "Classification reason was suspicious but expected", - "value": "SuspiciousButExpected" - }, - { - "description": "Classification reason was incorrect alert logic", - "value": "IncorrectAlertLogic" - }, - { - "description": "Classification reason was inaccurate data", - "value": "InaccurateData" - } - ] - } - }, - "createdTimeUtc": { - "description": "The time the incident was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the incident", - "type": "string" - }, - "firstActivityTimeUtc": { - "description": "The time of the first activity in the incident", - "format": "date-time", - "type": "string" - }, - "incidentUrl": { - "description": "The deep-link url to the incident in Azure portal", - "readOnly": true, - "type": "string" - }, - "incidentNumber": { - "description": "A sequential number", - "format": "int32", - "readOnly": true, - "type": "integer" - }, - "labels": { - "description": "List of labels relevant to this incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "lastActivityTimeUtc": { - "description": "The time of the last activity in the incident", - "format": "date-time", - "type": "string" - }, - "lastModifiedTimeUtc": { - "description": "The last time the incident was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "relatedAnalyticRuleIds": { - "description": "List of resource ids of Analytic rules related to the incident", - "items": { - "description": "Related Analytic rule resource id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "status": { - "description": "The status of the incident", - "enum": [ - "New", - "Active", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentStatus", - "values": [ - { - "description": "An active incident which isn't being handled currently", - "value": "New" - }, - { - "description": "An active incident which is being handled", - "value": "Active" - }, - { - "description": "A non-active incident", - "value": "Closed" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "OfficeConsent": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Consent for Office365 tenant that already made.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeConsentProperties", - "description": "Office consent properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "OfficeConsentList": { - "description": "List of all the office365 consents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of office consents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of the consents.", - "items": { - "$ref": "#/definitions/OfficeConsent" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "OfficeConsentProperties": { - "description": "Consent property bag.", - "properties": { - "tenantId": { - "description": "The tenantId of the Office365 with the consent.", - "type": "string" - }, - "tenantName": { - "description": "The tenant name of the Office365 with the consent.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "Operation": { - "description": "Operation provided by provider", - "properties": { - "display": { - "description": "Properties of the operation", - "properties": { - "description": { - "description": "Description of the operation", - "type": "string" - }, - "operation": { - "description": "Operation name", - "type": "string" - }, - "provider": { - "description": "Provider name", - "type": "string" - }, - "resource": { - "description": "Resource name", - "type": "string" - } - }, - "type": "object" - }, - "name": { - "description": "Name of the operation", - "type": "string" - }, - "origin": { - "description": "The origin of the operation", - "type": "string" - } - }, - "type": "object" - }, - "OperationsList": { - "description": "Lists the operations available in the SecurityInsights RP.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of operations.", - "type": "string" - }, - "value": { - "description": "Array of operations", - "items": { - "$ref": "#/definitions/Operation" - }, - "type": "array" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "Resource": { - "description": "An azure resource object", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - } - }, - "type": "object", - "x-ms-azure-resource": true - }, - "ResourceWithEtag": { - "description": "An azure resource object with an Etag property", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - }, - "etag": { - "description": "Etag of the azure resource", - "type": "string" - } - }, - "type": "object", - "x-ms-azure-resource": true - }, - "Settings": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "The Settings.", - "discriminator": "kind", - "required": [ - "kind" - ], - "properties": { - "kind": { - "$ref": "#/definitions/SettingsKind", - "description": "The data connector kind" - } - }, - "type": "object" - }, - "SettingsKind": { - "description": "The kind of the setting", - "enum": [ - "UebaSettings", - "ToggleSettings" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "SettingKind" - } - }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", - "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - "format": "double", - "readOnly": true, - "type": "number" - }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", - "readOnly": true, - "type": "string" - }, - "reportLink": { - "description": "Report link", - "readOnly": true, - "type": "string" - }, - "threatDescription": { - "description": "Threat description (free text)", - "readOnly": true, - "type": "string" - }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", - "readOnly": true, - "type": "string" - }, - "threatType": { - "description": "Threat type (e.g. \"Botnet\")", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "ToggleSettings": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/ToggleSettingsProperties", - "description": "toggle properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ToggleSettings" - }, - "ToggleSettingsProperties": { - "description": "toggle property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "type": "boolean" - } - }, - "type": "object" - }, - "UebaSettings": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Represents settings for User and Entity Behavior Analytics enablement.", - "properties": { - "properties": { - "$ref": "#/definitions/UebaSettingsProperties", - "description": "User and Entity Behavior Analytics settings properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "UebaSettings" - }, - "UebaSettingsProperties": { - "description": "User and Entity Behavior Analytics settings property bag.", - "properties": { - "atpLicenseStatus": { - "description": "Determines whether the tenant has ATP (Advanced Threat Protection) license.", - "enum": [ - "Enabled", - "Disabled" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "LicenseStatus" - } - }, - "isEnabled": { - "description": "Determines whether User and Entity Behavior Analytics is enabled for this workspace.", - "type": "boolean" - }, - "statusInMcas": { - "description": "Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App Security).", - "enum": [ - "Enabled", - "Disabled" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "StatusInMcas" - } - } - }, - "type": "object" - }, - "UserInfo": { - "description": "User information that made some action", - "properties": { - "email": { - "description": "The email of the user.", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The name of the user.", - "readOnly": true, - "type": "string" - }, - "objectId": { - "description": "The object id of the user.", - "format": "uuid", - "type": "string", - "x-nullable": true - } - }, - "required": [ - "objectId" - ], - "type": "object" - }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", - "properties": { - "incidentId": { - "description": "Incident Id", - "type": "string" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - }, - "relationName": { - "description": "Relation Name", - "type": "string" - } - }, - "type": "object" - } - }, - "parameters": { - "AggregationsName": { - "description": "The aggregation name. Supports - Cases", - "in": "path", - "name": "aggregationsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ApiVersion": { - "description": "API version for the operation", - "enum": [ - "2020-01-01" - ], - "in": "query", - "name": "api-version", - "required": true, - "type": "string" - }, - "ConsentId": { - "description": "consent ID", - "in": "path", - "name": "consentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityId": { - "description": "entity ID", - "in": "path", - "name": "entityId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryId": { - "description": "entity query ID", - "in": "path", - "name": "entityQueryId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Incident": { - "description": "The incident", - "in": "body", - "name": "incident", - "required": true, - "schema": { - "$ref": "#/definitions/Incident" - }, - "x-ms-parameter-location": "method" - }, - "IncidentComment": { - "description": "The incident comment", - "in": "body", - "name": "incidentComment", - "required": true, - "schema": { - "$ref": "#/definitions/IncidentComment" - }, - "x-ms-parameter-location": "method" - }, - "IncidentCommentId": { - "description": "Incident comment ID", - "in": "path", - "name": "incidentCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "IncidentId": { - "description": "Incident ID", - "in": "path", - "name": "incidentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataFilter": { - "description": "Filters the results, based on a Boolean condition. Optional.", - "in": "query", - "name": "$filter", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataOrderBy": { - "description": "Sorts the results. Optional.", - "in": "query", - "name": "$orderby", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataSkipToken": { - "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", - "in": "query", - "name": "$skipToken", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataTop": { - "description": "Returns only the first n results. Optional.", - "format": "int32", - "in": "query", - "name": "$top", - "required": false, - "type": "integer", - "x-ms-parameter-location": "method" - }, - "ResourceGroupName": { - "description": "The name of the resource group within the user's subscription. The name is case insensitive.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "resourceGroupName", - "pattern": "^[-\\w\\._\\(\\)]+$", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Settings": { - "description": "The setting", - "in": "body", - "name": "settings", - "required": true, - "schema": { - "$ref": "#/definitions/Settings" - }, - "x-ms-parameter-location": "method" - }, - "SettingsName": { - "description": "The setting name. Supports- Fusion, UEBA", - "in": "path", - "name": "settingsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "SubscriptionId": { - "description": "Azure subscription ID", - "in": "path", - "name": "subscriptionId", - "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", - "required": true, - "type": "string" - }, - "WorkspaceName": { - "description": "The name of the workspace.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "workspaceName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - } - } -} From 7e77ab3ac3c2740824ea5ea7af07ccab97db84c2 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Mon, 16 Aug 2021 10:19:28 +0300 Subject: [PATCH 4/8] Add AlertRules to readme --- specification/securityinsights/resource-manager/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 41f830bdbf38..33655c1cc220 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -40,6 +40,7 @@ input-file: - Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json - Microsoft.SecurityInsights/stable/2021-10-01/Watchlists.json - Microsoft.SecurityInsights/stable/2021-10-01/operations.json + - Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json ``` ### Tag: package-2021-04-01-only From acfe850f5856d2fd3194f84f1a13cb973f2db521 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Mon, 16 Aug 2021 11:52:43 +0300 Subject: [PATCH 5/8] Copy action examples for alert rules --- .../actions/CreateActionOfAlertRule.json | 44 +++++++++++++++++++ .../actions/DeleteActionOfAlertRule.json | 15 +++++++ .../actions/GetActionOfAlertRuleById.json | 25 +++++++++++ .../actions/GetAllActionsByAlertRule.json | 28 ++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/CreateActionOfAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/DeleteActionOfAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetActionOfAlertRuleById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetAllActionsByAlertRule.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/CreateActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/CreateActionOfAlertRule.json new file mode 100644 index 000000000000..636e66a55f93 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/CreateActionOfAlertRule.json @@ -0,0 +1,44 @@ +{ + "parameters": { + "api-version": "2021-10-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "action": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/DeleteActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/DeleteActionOfAlertRule.json new file mode 100644 index 000000000000..fd2aaa36fdb6 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/DeleteActionOfAlertRule.json @@ -0,0 +1,15 @@ +{ + "parameters": { + "api-version": "2021-10-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetActionOfAlertRuleById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetActionOfAlertRuleById.json new file mode 100644 index 000000000000..5f49b9bb8d37 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetActionOfAlertRuleById.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2021-10-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetAllActionsByAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetAllActionsByAlertRule.json new file mode 100644 index 000000000000..638aa7d1e406 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/examples/actions/GetAllActionsByAlertRule.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2021-10-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + ] + } + } + } +} From afe8a98385fb831d50b640ba1ed2fa8aa4f14f25 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Mon, 16 Aug 2021 12:08:15 +0300 Subject: [PATCH 6/8] Add type:object where missing --- .../stable/2021-10-01/Incidents.json | 1 + .../stable/2021-10-01/ThreatIntelligence.json | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json index 2e32711d8691..b232c2604980 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/Incidents.json @@ -1707,6 +1707,7 @@ } } }, + "type": "object", "required": [ "value" ] diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json index efafad823522..544095b1c95f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/ThreatIntelligence.json @@ -502,7 +502,8 @@ "description": "The error object of the CloudError response" } }, - "description": "An error response for a resource management request." + "description": "An error response for a resource management request.", + "type": "object" }, "ThreatIntelligenceInformation": { "allOf": [ From 0e3288e5aa8ff3555de64fd9b7f36c1cc948569c Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Tue, 17 Aug 2021 15:48:23 +0300 Subject: [PATCH 7/8] Align CloudError with rest of the resources in this version --- .../stable/2021-10-01/AlertRules.json | 31 +++++++++++++------ 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json index b5d40ce6503d..dff25af582d6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json @@ -70,7 +70,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } }, @@ -124,7 +124,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -182,7 +182,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -225,7 +225,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -270,7 +270,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } }, @@ -321,7 +321,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -376,7 +376,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -422,7 +422,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -464,7 +464,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } }, @@ -512,7 +512,7 @@ "default": { "description": "Error response describing why the operation failed.", "schema": { - "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + "$ref": "#/definitions/CloudError" } } } @@ -520,6 +520,17 @@ } }, "definitions": { + "CloudError": { + "x-ms-external": true, + "properties": { + "error": { + "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", + "description": "The error object of the CloudError response" + } + }, + "type": "object", + "description": "An error response for a resource management request." + }, "ActionsList": { "description": "List all the actions.", "properties": { From f50c643b5f0a961c489a76e5e11b9380c3a12253 Mon Sep 17 00:00:00 2001 From: Anat Gilenson Date: Tue, 17 Aug 2021 16:00:26 +0300 Subject: [PATCH 8/8] Update readme --- .../resource-manager/readme.md | 88 +++---------------- 1 file changed, 11 insertions(+), 77 deletions(-) diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 33655c1cc220..849c06db819b 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -42,6 +42,7 @@ input-file: - Microsoft.SecurityInsights/stable/2021-10-01/operations.json - Microsoft.SecurityInsights/stable/2021-10-01/AlertRules.json ``` + ### Tag: package-2021-04-01-only These settings apply only when `--tag=package-2021-04-01-only` is specified on the command line. @@ -52,16 +53,6 @@ input-file: - Microsoft.SecurityInsights/stable/2021-04-01/operations.json - Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json - Microsoft.SecurityInsights/stable/2021-04-01/ThreatIntelligence.json - -directive: - - suppress: R4017 - from: Microsoft.SecurityInsights/stable/2021-04-01/Incidents.json - where: $.definitions.Incidents - reason: The Incident does not support list by subscription. It's not a top-level resource. To get the Incident, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json - where: $.definitions.Watchlist - reason: The Watchlist does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace. ``` --- @@ -76,12 +67,6 @@ input-file: - Microsoft.SecurityInsights/stable/2020-01-01/Bookmarks.json - Microsoft.SecurityInsights/stable/2020-01-01/DataConnectors.json - Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json - -directive: - - suppress: R2059 - from: Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json - reason: it's not actually a resource path; the validator is confused because the LogAnalytics namespace is in the URI path. - approved-by: "@lirenhe" ``` --- @@ -102,51 +87,6 @@ input-file: - Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json - Microsoft.SecurityInsights/preview/2021-03-01-preview/EntityQueries.json - Microsoft.SecurityInsights/preview/2021-03-01-preview/Metadata.json -directive: - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Settings.json - where: $.definitions.Settings - reason: The Setting does not support list by subscription. It's not a top-level resource. To get the Setting, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json - where: $.definitions.DataConnector - reason: The DataConnector does not support list by subscription. It's not a top-level resource. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Watchlists.json - where: $.definitions.Watchlist - reason: The Watchlist does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/SourceControls.json - where: $.definitions.SourceControl - reason: The sourceControl does not support list by subscription. It's not a top-level resource. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/OnboardingStates.json - where: $.definitions.SentinelOnboardingState - reason: The SentinelOnboardingState does not support list by subscription. It's not a top-level resource. To get the SentinelOnboardingState, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json - where: $.definitions.Incidents - reason: The Incidents does not support list by subscription. It's not a top-level resource. To get the Incidents, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Incidents.json - where: $.definitions.Incident - reason: The Incident does not support list by subscription. It's not a top-level resource. To get the Incident, we should have a subscription as well as a resource group, Log Analytics workspace and incident ID. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json - where: $.definitions.AlertRule - reason: The AlertRule does not support list by subscription. It's not a top-level resource. To get the AlertRule, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json - where: $.definitions.AlertRuleTemplate - reason: The AlertRuleTemplate does not support list by subscription. It's not a top-level resource. To get the AlertRuleTemplate, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/EntityQueries.json - where: $.definitions.EntityQuery - reason: The EntityQuery does not support list by subscription. It's not a top-level resource. To get the EntityQuery, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Metadata.json - where: $.definitions.MetadataModel - reason: Metadata does not support list by subscription. It's not a top-level resource. To get a Metadata list, we should have a subscription as well as a resource group and Log Analytics workspace. ``` --- @@ -167,24 +107,18 @@ input-file: - Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json - Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json - Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json +``` + +--- + +## Suppression + +``` yaml directive: - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json - where: $.definitions.ThreatIntelligenceResource - reason: Our API is designed based on per region per workspace concept. There is no use case of our customers to get all indicators in multiple workspaces. - approved-by: "@cheggert" - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json - where: $.definitions.Watchlist - reason: The Watchlist does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json - where: $.definitions.AutomationRule - reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. - - suppress: R4017 - from: Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json - where: $.definitions.AutomationRule - reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. + reason: Our resources do not support list by subscription. They're not top-level resources. To get a SecurityInsights resource, we should have a subscription as well as a resource group and Log Analytics workspace. + - suppress: OBJECT_ADDITIONAL_PROPERTIES + reason: 'Caused by a duplicate Resource definition in our common directory that contains systemData. We were instructed to supress this by Swagger reviewr.' ``` ---