From b4e0f28aeda2f7a0908ac096c7cb4c8598eef66b Mon Sep 17 00:00:00 2001 From: tarosler <52041458+tarosler@users.noreply.github.com> Date: Thu, 11 Jul 2019 21:49:53 +0300 Subject: [PATCH] Add subscription scope to assessment metadata API (#6445) --- .../assessmentsMetadata.json | 358 ++++++++++++++++++ .../GetAssessmentsMetadata_example.json | 26 ++ ...essmentsMetadata_subscription_example.json | 27 ++ .../ListAssessmentsMetadata_example.json | 52 +++ ...essmentsMetadata_subscription_example.json | 53 +++ .../security/resource-manager/readme.md | 3 + 6 files changed, 519 insertions(+) create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_subscription_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_subscription_example.json diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json new file mode 100644 index 000000000000..ebb8b15997ce --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json 
@@ -0,0 +1,358 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Center", + "description": "API spec for Microsoft.Security (Azure Security Center) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/providers/Microsoft.Security/assessmentsMetadata": { + "get": { + "x-ms-examples": { + "List security assessment metadata": { + "$ref": "./examples/AssessmentsMetadata/ListAssessmentsMetadata_example.json" + } + }, + "tags": [ + "Assessments Metadata" + ], + "description": "Get metadata information on all assessment types", + "operationId": "AssessmentsMetadata_List", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityAssessmentMetadataList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/providers/Microsoft.Security/assessmentsMetadata/{assessmentsMetadataName}": { + "get": { + "x-ms-examples": { + "Get security assessment metadata": { + "$ref": "./examples/AssessmentsMetadata/GetAssessmentsMetadata_example.json" + } + }, + "tags": [ + "Assessments Metadata" + ], + "description": "Get metadata information on an assessment type", + "operationId": "AssessmentsMetadata_Get", 
+ "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/AssessmentsMetadataName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityAssessmentMetadata" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentsMetadata": { + "get": { + "x-ms-examples": { + "List security assessment metadata for subscription": { + "$ref": "./examples/AssessmentsMetadata/ListAssessmentsMetadata_subscription_example.json" + } + }, + "tags": [ + "Assessments Metadata" + ], + "description": "Get metadata information on all assessment types in a specific subscription", + "operationId": "AssessmentsMetadataSubscription_List", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityAssessmentMetadataList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentsMetadata/{assessmentsMetadataName}": { + "get": { + "x-ms-examples": { + "Get security assessment metadata for subscription": { + "$ref": "./examples/AssessmentsMetadata/GetAssessmentsMetadata_subscription_example.json" + } + }, + "tags": [ + "Assessments Metadata" + ], + "description": "Get metadata information on an assessment type in a specific subscription", + "operationId": "AssessmentsMetadataSubscription_Get", + 
"parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/AssessmentsMetadataName" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityAssessmentMetadata" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "SecurityAssessmentMetadataList": { + "type": "object", + "description": "List of security assessment metadata", + "properties": { + "value": { + "readOnly": true, + "type": "array", + "items": { + "$ref": "#/definitions/SecurityAssessmentMetadata" + } + }, + "nextLink": { + "readOnly": true, + "type": "string", + "description": "The URI to fetch the next page." + } + } + }, + "SecurityAssessmentMetadata": { + "type": "object", + "description": "Security assessment metadata", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "$ref": "#/definitions/SecurityAssessmentMetadataProperties" + } + }, + "allOf": [ + { + "$ref": "../../../common/v1/types.json#/definitions/Resource" + } + ] + }, + "SecurityAssessmentMetadataProperties": { + "type": "object", + "description": "Describes properties of an assessment metadata.", + "properties": { + "displayName": { + "readOnly": true, + "type": "string", + "description": "User friendly display name of the assessment" + }, + "policyDefinitionId": { + "readOnly": true, + "type": "string", + "description": "Azure resource ID of the policy definition that turns this assessment calculation on" + }, + "description": { + "readOnly": true, + "type": "string", + "description": "Human readable description of the assessment" + }, + "remediationDescription": { + "readOnly": true, + "type": "string", + "description": "Human readable description of what you should 
do to mitigate this security issue" + }, + "category": { + "readOnly": true, + "type": "array", + "items": { + "type": "string", + "description": "The category of resource that is at risk when the assessment is unhealthy", + "enum": [ + "Compute", + "Network", + "Data", + "IdentityAndAccess", + "IoT" + ], + "x-ms-enum": { + "name": "category", + "modelAsString": true, + "values": [ + { + "value": "Compute" + }, + { + "value": "Network" + }, + { + "value": "Data" + }, + { + "value": "IdentityAndAccess" + }, + { + "value": "IoT" + } + ] + } + } + }, + "secureScoreWeight": { + "readOnly": true, + "type": "integer", + "description": "Weight for the security score calculation. the higher this number, this severity of this assessment is higher" + }, + "requiredPricingBundle": { + "readOnly": true, + "type": "array", + "items": { + "type": "string", + "description": "The required Azure Security Center pricing bundle name. One of the bundles must be Standard. Empty list is a free assessment.", + "enum": [ + "VirtualMachines", + "SqlServers", + "AppServices", + "StorageAccounts" + ], + "x-ms-enum": { + "name": "requiredPricingBundle", + "modelAsString": true, + "values": [ + { + "value": "VirtualMachines" + }, + { + "value": "SqlServers" + }, + { + "value": "AppServices" + }, + { + "value": "StorageAccounts" + } + ] + } + } + }, + "preview": { + "readOnly": true, + "type": "boolean", + "description": "True if this assessment is in preview release status" + }, + "assessmentType": { + "readOnly": true, + "type": "string", + "description": "BuiltIn if the assessment based on built-in Azure Policy definition, Custom if the assessment based on custom Azure Policy definition", + "enum": [ + "BuiltIn", + "Custom" + ], + "x-ms-enum": { + "name": "assessmentType", + "modelAsString": true, + "values": [ + { + "value": "BuiltIn" + }, + { + "value": "Custom" + } + ] + } + } + } + } + }, + "parameters": { + "AssessmentsMetadataName": { + "name": "assessmentsMetadataName", + "in": 
"path", + "required": true, + "type": "string", + "description": "The Assessment Key - Unique key for the assessment type", + "x-ms-parameter-location": "method" + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_example.json new file mode 100644 index 000000000000..f3d3156b17a0 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_example.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "assessmentsMetadataName": "21300918-b2e3-0346-785f-c77ff57d243b" + }, + "responses": { + "200": { + "body": { + "id": "/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b", + "name": "21300918-b2e3-0346-785f-c77ff57d243b", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Install endpoint protection solution on virtual machine scale sets", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "description": "Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "remediationDescription": "To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set", + "category": [ + "Compute" + ], + "secureScoreWeight": 15, + "assessmentType": "Custom" + } + } + } + } +} \ No newline at end of file 
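Review bot: The `assessmentsMetadataName` path parameter in the `parameters` section at the end of the file is an unconstrained string even though every example passes a GUID; if the key space really is GUIDs, pin it with `"pattern": "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$"` so generated clients and the ARM front door reject malformed keys before they reach the provider. The `assessmentType` description says `Custom` assessments are based on custom Azure Policy definitions, which implies that `displayName`, `description` and `remediationDescription` on those entries are text written by whoever can author policy in the subscription; consider adding to each of those three descriptions a sentence such as `For Custom assessments this text is authored by the policy owner and should be rendered as plain text, not markup` so portal and SDK consumers do not treat it as trusted HTML. Separately, the `secureScoreWeight` description is garbled; `Weight for the security score calculation. The higher this number, the higher the severity of this assessment` reads correctly.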
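Review bot: The example response's `id` and `type` use the segment `assessmentMetadata`, while the route this example is bound to is `/providers/Microsoft.Security/assessmentsMetadata/{assessmentsMetadataName}`; an ARM resource id is expected to round-trip to its GET route, so one spelling is wrong and `"type": "Microsoft.Security/assessmentsMetadata"` with the matching `id` should be used unless the provider genuinely registers the singular type. The tenant-level GET also returns `"assessmentType": "Custom"`, but the spec describes Custom as backed by a custom Azure Policy definition, which is customer-authored; if that is accurate, a Custom entry at a scope with no subscription would expose one customer's policy-authored metadata to every caller, so either the example should show `"assessmentType": "BuiltIn"` here or the operation description should explain how Custom entries reach the tenant scope.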
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_subscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_subscription_example.json new file mode 100644 index 000000000000..e7e6e70b96d9 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/GetAssessmentsMetadata_subscription_example.json @@ -0,0 +1,27 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "0980887d-03d6-408c-9566-532f3456804e", + "assessmentsMetadataName": "21300918-b2e3-0346-785f-c77ff57d243b" + }, + "responses": { + "200": { + "body": { + "id": "/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b", + "name": "21300918-b2e3-0346-785f-c77ff57d243b", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Install endpoint protection solution on virtual machine scale sets", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "description": "Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "remediationDescription": "To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set", + "category": [ + "Compute" + ], + "secureScoreWeight": 15, + "assessmentType": "Custom" + } + } + } + } +} \ No newline at end of file 
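Review bot: This subscription-scoped example returns a body byte-identical to the tenant-level GET, including an `id` of `/providers/Microsoft.Security/assessmentMetadata/...` with no `/subscriptions/...` prefix even though the request carries `subscriptionId`; if the service really hands back a tenant-level id for a subscription-scoped read, say so in the operation description, otherwise the example should show `"id": "/subscriptions/0980887d-03d6-408c-9566-532f3456804e/providers/Microsoft.Security/assessmentsMetadata/21300918-b2e3-0346-785f-c77ff57d243b"`. The `assessmentMetadata` segment in `id` and `type` also disagrees with the `assessmentsMetadata` route segment. Since the operation description says the new scope returns metadata "in a specific subscription", the example would presumably be more useful if it showed something the tenant-level one cannot, such as a `Custom` entry with a `requiredPricingBundle`.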
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_example.json new file mode 100644 index 000000000000..4f4581798203 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_example.json 
@@ -0,0 +1,52 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b", + "name": "21300918-b2e3-0346-785f-c77ff57d243b", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Install endpoint protection solution on virtual machine scale sets", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "description": "Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "remediationDescription": "To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set", + "category": [ + "Compute" + ], + "requiredPricingBundle": [ + "VirtualMachines" + ], + "secureScoreWeight": 15, + "assessmentType": "BuiltIn" + } + }, + { + "id": "/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe", + "name": "bc303248-3d14-44c2-96a0-55f5c326b5fe", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Close management ports on your virtual machines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", + "description": "Open remote management ports expose your VM to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.", + "remediationDescription": "We recommend that you edit the inbound rules of the below virtual machines to restrict access to specific source ranges.
To restrict the access to your virtual machines: 1. Click on a VM from the list below 2. At the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22) 3. Change the 'Action' property to 'Deny' 4. Click 'Save'", + "category": [ + "Networking" + ], + "requiredPricingBundle": [ + "VirtualMachines" + ], + "secureScoreWeight": 10, + "preview": true, + "assessmentType": "Custom" + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_subscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_subscription_example.json new file mode 100644 index 000000000000..46f77128133c --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AssessmentsMetadata/ListAssessmentsMetadata_subscription_example.json 
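Review bot: The second list item has `"category": ["Networking"]`, but the `category` enum in assessmentsMetadata.json is `Compute`, `Network`, `Data`, `IdentityAndAccess`, `IoT`; `modelAsString` keeps generated clients from failing, but schema-based example validation (the oav model check this repository typically runs) will flag it, and the value should be `"category": ["Network"]`. That same item is `"assessmentType": "Custom"` in a tenant-level listing with no subscription in the request; if Custom assessments really come from customer-authored policy definitions as the spec states, showing one here implies customer-authored text is visible across subscriptions, which is either a real cross-tenant exposure worth confirming with the service team or an inaccurate example. Note too that `id` and `type` say `assessmentMetadata` while the route is `assessmentsMetadata`.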
@@ -0,0 +1,53 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "0980887d-03d6-408c-9566-532f3456804e" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b", + "name": "21300918-b2e3-0346-785f-c77ff57d243b", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Install endpoint protection solution on virtual machine scale sets", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "description": "Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "remediationDescription": "To install an endpoint protection solution: 1. Follow the instructions in How do I turn on antimalware in my virtual machine scale set", + "category": [ + "Compute" + ], + "requiredPricingBundle": [ + "VirtualMachines" + ], + "secureScoreWeight": 15, + "assessmentType": "BuiltIn" + } + }, + { + "id": "/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe", + "name": "bc303248-3d14-44c2-96a0-55f5c326b5fe", + "type": "Microsoft.Security/assessmentMetadata", + "properties": { + "displayName": "Close management ports on your virtual machines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", + "description": "Open remote management ports expose your VM to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.", + "remediationDescription": "We recommend that you edit the inbound rules of the below virtual machines to restrict access to specific source ranges.
To restrict the access to your virtual machines: 1. Click on a VM from the list below 2. At the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22) 3. Change the 'Action' property to 'Deny' 4. Click 'Save'", + "category": [ + "Networking" + ], + "requiredPricingBundle": [ + "VirtualMachines" + ], + "secureScoreWeight": 10, + "preview": true, + "assessmentType": "Custom" + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md index 303bd7cfcfac..81519cad31ea 100644 --- a/specification/security/resource-manager/readme.md +++ b/specification/security/resource-manager/readme.md @@ -52,6 +52,7 @@ These settings apply only when `--tag=package-composite-v1` is specified on the ```yaml $(tag) == 'package-composite-v1' input-file: - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json +- Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json - Microsoft.Security/preview/2017-08-01-preview/pricings.json - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json - Microsoft.Security/preview/2017-08-01-preview/workspaceSettings.json @@ -84,6 +85,7 @@ These settings apply only when `--tag=package-composite-v2` is specified on the ```yaml $(tag) == 'package-composite-v2' input-file: - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json +- Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json - Microsoft.Security/stable/2018-06-01/pricings.json - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json - Microsoft.Security/preview/2017-08-01-preview/workspaceSettings.json 
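Review bot: `"category": ["Networking"]` on the second item is not one of the `category` enum values (`Network` is), so this example fails schema-based example validation; change it to `"category": ["Network"]`. Every `id` in the response is tenant-level (`/providers/Microsoft.Security/assessmentMetadata/...`) although the request is `/subscriptions/0980887d-.../providers/Microsoft.Security/assessmentsMetadata`; whether the service really returns unscoped ids for a subscription-scoped list should be confirmed and then stated in the operation description, because SDKs that parse `id` to re-fetch a resource will otherwise build the wrong route. The segment `assessmentMetadata` in `id` and `type` also disagrees with the `assessmentsMetadata` route these examples are bound to.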
@@ -134,6 +136,7 @@ input-file: - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json - Microsoft.Security/preview/2017-08-01-preview/workspaceSettings.json - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json +- Microsoft.Security/preview/2019-01-01-preview/assessmentsMetadata.json - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json # Needed when there is more than one input file