diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json new file mode 100644 index 000000000000..0dae763435cf --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json @@ -0,0 +1,2445 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/providers/Microsoft.SecurityInsights/operations": { + "get": { + "operationId": "Operations_List", + "description": "Lists all operations available Azure Security Insights Resource Provider.", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + } + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "OK. Successfully retrieved operations list.", + "schema": { + "$ref": "#/definitions/OperationsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { + "get": { + "x-ms-examples": { + "Get all alert rules.": { + "$ref": "./examples/alertRules/GetAllAlertRules.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets all alert rules.", + "operationId": "AlertRules_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { + "get": { + "x-ms-examples": { + "Get a Scheduled alert rule.": { + "$ref": "./examples/alertRules/GetScheduledAlertRule.json" + }, + "Get a Fusion alert rule.": { + "$ref": "./examples/alertRules/GetFusionAlertRule.json" + }, + "Get a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets the alert rule.", + "operationId": "AlertRules_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a Scheduled alert rule.": { + "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" + }, + "Creates or updates a Fusion alert rule.": { + "$ref": "./examples/alertRules/CreateFusionAlertRule.json" + }, + "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Creates or updates the alert rule.", + "operationId": "AlertRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/AlertRule" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an alert rule.": { + "$ref": "./examples/alertRules/DeleteAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Delete the alert rule.", + "operationId": "AlertRules_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions": { + "get": { + "x-ms-examples": { + "Get all actions of alert rule.": { + "$ref": "./examples/actions/GetAllActionsByAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets all actions of alert rule.", + "operationId": "Actions_ListByAlertRule", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}": { + "get": { + "x-ms-examples": { + "Get an action of alert rule.": { + "$ref": "./examples/actions/GetActionOfAlertRuleById.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets the action of alert rule.", + "operationId": "AlertRules_GetAction", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an action of alert rule.": { + "$ref": "./examples/actions/CreateActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Creates or updates the action of alert rule.", + "operationId": "AlertRules_CreateOrUpdateAction", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + }, + { + "$ref": "#/parameters/Action" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an action of alert rule.": { + "$ref": "./examples/actions/DeleteActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Delete the action of alert rule.", + "operationId": "AlertRules_DeleteAction", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a MCAS data connector.": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AAD (Azure Active Directory) data connector properties.", + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "ActionRequest": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, providers/Microsoft.Logic/workflows/{WorkflowID}.", + "type": "string" + } + }, + "required": [ + "logicAppResourceId" + ], + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionResponse": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Action for alert rule.", + "properties": { + "etag": { + "description": "Etag of the action.", + "type": "string" + }, + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertRule": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/AlertRuleKind" + } + ], + "description": "Alert rule.", + "discriminator": "kind", + "required": [ + "kind" + ], + "type": "object" + }, + "AlertRuleKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + "values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + } + ] + } + } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + }, + { + "$ref": "#/definitions/AlertRuleKind" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "required": [ + "kind" + ], + "type": "object" + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + } + }, + "type": "object" + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "CloudError": { + "description": "Error response structure.", + "properties": { + "error": { + "$ref": "#/definitions/CloudErrorBody", + "description": "Error data", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-external": true + }, + "CloudErrorBody": { + "description": "Error details.", + "properties": { + "code": { + "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "A message describing the error, intended to be suitable for display in a user interface.", + "readOnly": true, + "type": "string" + } + }, + "type": "object", + "x-ms-external": true + }, + "DataConnector": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/DataConnectorKind" + } + ], + "description": "Data connector.", + "discriminator": "kind", + "required": [ + "kind" + ], + "type": "object" + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } + } + }, + "type": "object" + }, + "DataConnectorKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "Office365", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "Office365" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + } + ] + } + } + }, + "type": "object" + }, + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "FusionAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Fusion alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "FusionAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Fusion alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "Fusion alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Discovery log data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "OfficeConsent": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "tenantName": { + "description": "The tenant name of the Office365 with the consent.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "OfficeDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "Operation": { + "description": "Operation provided by provider", + "properties": { + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" + } + } + }, + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Resource": { + "description": "An azure resource object", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + } + }, + "x-ms-azure-resource": true + }, + "ResourceWithEtag": { + "description": "An azure resource object with an Etag property", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + }, + "etag": { + "description": "Etag of the azure resource", + "type": "string" + } + }, + "x-ms-azure-resource": true + }, + "ScheduledAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Schedule alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer" + } + }, + "type": "object" + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule template properties", + "properties": { + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "Settings": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/SettingsKind" + } + ], + "description": "The Setting.", + "discriminator": "kind", + "required": [ + "kind" + ], + "type": "object" + }, + "SettingsKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the setting", + "enum": [ + "UebaSettings", + "ToggleSettings" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" + } + } + }, + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object" + }, + "TIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "ToggleSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/ToggleSettingsProperties", + "description": "toggle properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ToggleSettings" + }, + "ToggleSettingsProperties": { + "description": "toggle property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "type": "boolean" + } + }, + "type": "object" + }, + "UebaSettings": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Represents settings for User and Entity Behavior Analytics enablement.", + "properties": { + "properties": { + "$ref": "#/definitions/UebaSettingsProperties", + "description": "User and Entity Behavior Analytics settings properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "UebaSettings" + }, + "UebaSettingsProperties": { + "description": "User and Entity Behavior Analytics settings property bag.", + "properties": { + "atpLicenseStatus": { + "description": "Determines whether the tenant has ATP (Advanced Threat Protection) license.", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "LicenseStatus" + } + }, + "isEnabled": { + "description": "Determines whether User and Entity Behavior Analytics is enabled for this workspace.", + "type": "boolean" + }, + "statusInMcas": { + "description": "Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App Security).", + "enum": [ + "Enabled", + "Disabled" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "StatusInMcas" + } + } + }, + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "objectId" + ], + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "required": [ + "incidentId", + "severity", + "title", + "relationName" + ], + "type": "object" + } + }, + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" + }, + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AggregationsName": { + "description": "The aggregation name. Supports - Cases", + "in": "path", + "name": "aggregationsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "description": "API version for the operation", + "enum": [ + "2020-01-01" + ], + "in": "query", + "name": "api-version", + "required": true, + "type": "string" + }, + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataFilter": { + "description": "Filters the results, based on a Boolean condition. Optional.", + "in": "query", + "name": "$filter", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataOrderBy": { + "description": "Sorts the results. Optional.", + "in": "query", + "name": "$orderby", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataTop": { + "description": "Returns only the first n results. Optional.", + "format": "int32", + "in": "query", + "name": "$top", + "required": false, + "type": "integer", + "x-ms-parameter-location": "method" + }, + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. Supports- Fusion, UEBA", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SubscriptionId": { + "description": "Azure subscription ID", + "in": "path", + "name": "subscriptionId", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "required": true, + "type": "string" + }, + "WorkspaceName": { + "description": "The name of the workspace.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "workspaceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json new file mode 100644 index 000000000000..00c3cda73a97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/CreateActionOfAlertRule.json @@ -0,0 +1,47 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "action": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json new file mode 100644 index 000000000000..7171f40ea567 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/DeleteActionOfAlertRule.json @@ -0,0 +1,15 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json new file mode 100644 index 000000000000..8e1e384e1a67 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetActionOfAlertRuleById.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json new file mode 100644 index 000000000000..3fd9a05dfb8d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/actions/GetAllActionsByAlertRule.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json new file mode 100644 index 000000000000..ef362004531b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateFusionAlertRule.json @@ -0,0 +1,66 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "myFirstFusionRule", + "alertRule": { + "kind": "Fusion", + "etag": "3d00c3ca-0000-0100-0000-5d42d5010000", + "properties": { + "enabled": "true", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..5f6770266197 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,59 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "microsoftSecurityIncidentCreationRuleExample", + "alertRule": { + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "displayName": "testing displayname", + "enabled": true + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json new file mode 100644 index 000000000000..419d7e30bf09 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/CreateScheduledAlertRule.json @@ -0,0 +1,89 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "alertRule": { + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json new file mode 100644 index 000000000000..af8489176a37 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/DeleteAlertRule.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetAllAlertRules.json new file mode 100644 index 000000000000..8278214a32f3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetAllAlertRules.json @@ -0,0 +1,81 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": false, + "lastModifiedUtc": "2019-09-02T07:12:34.9065092Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetFusionAlertRule.json new file mode 100644 index 000000000000..7c12477f716d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetFusionAlertRule.json @@ -0,0 +1,35 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "myFirstFusionRule" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Persistence", + "LateralMovement", + "Exfiltration", + "CommandAndControl" + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..3260afe2af19 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "microsoftSecurityIncidentCreationRuleExample" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetScheduledAlertRule.json new file mode 100644 index 000000000000..c3b74f069693 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/alertRules/GetScheduledAlertRule.json @@ -0,0 +1,40 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/CreateOfficeDataConnetor.json new file mode 100644 index 000000000000..8b13b4b1723b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/CreateOfficeDataConnetor.json @@ -0,0 +1,70 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/DeleteOfficeDataConnetor.json new file mode 100644 index 000000000000..c6dfa5a562fc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/DeleteOfficeDataConnetor.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json new file mode 100644 index 000000000000..fdcae39200b9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureActiveDirectoryById.json new file mode 100644 index 000000000000..75a5325cb3ac --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureActiveDirectoryById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "dataConnectorId": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..08991fc9ee84 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "07e42cb3-e658-4e90-801c-efa0f29d3d44" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureSecurityCenterById.json new file mode 100644 index 000000000000..69f572c44756 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetAzureSecurityCenterById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "dataConnectorId": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetDataConnectors.json new file mode 100644 index 000000000000..0f46da365092 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetDataConnectors.json @@ -0,0 +1,143 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json new file mode 100644 index 000000000000..8dab3597a1fa --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "b96d014d-b5c2-4a01-9aba-a8058f629d42" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..57d265c307c6 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetOfficeDataConnetorById.json new file mode 100644 index 000000000000..14db64f4c8cf --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetOfficeDataConnetorById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetThreatIntelligenceById.json new file mode 100644 index 000000000000..6c6fad0178de --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/examples/dataConnectors/GetThreatIntelligenceById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 6cb5a6afbfae..afa9398737b9 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -35,6 +35,22 @@ These settings apply only when `--tag=package-composite-v1` is specified on the ```yaml $(tag) == 'package-composite-v1' input-file: +- Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json +directive: + - suppress: R2059 + from: Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json + reason: it's not actually a resource path; the validator is confused because the LogAnalytics namespace is in the URI path. + approved-by: "@lirenhe" +``` + +--- + +### Tag: package-2019-01-preview-only + +These settings apply only when `--tag=package-2019-01-preview-only` is specified on the command line. + +```yaml $(tag) == 'package-2019-01-preview-only' +input-file: - Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json ``` @@ -99,8 +115,12 @@ require: $(this-folder)/../../../profiles/readme.md # all the input files across all versions input-file: - - $(this-folder)/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json - + - $(this-folder)/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json +directive: + - suppress: R2059 + from: Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json + reason: it's not actually a resource path; the validator is confused because the LogAnalytics namespace is in the URI path. + approved-by: "@lirenhe" ``` If there are files that should not be in the `all-api-versions` set,