diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json new file mode 100644 index 000000000000..5895e7b3668a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json @@ -0,0 +1,1561 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2021-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a TI Taxii data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" + }, + "Get a MCAS data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + }, + "Get a Office ATP data connector": { + "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" + }, + "Get a Dynamics365 data connector": { + "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" + }, + "Get a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + }, + "Get a MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" + }, + "Get a GenericUI data connector": { + "$ref": "./examples/dataConnectors/GetGenericUI.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates a Threat Intelligence Taxii data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" + }, + "Creates or updates an Threat Intelligence Platform data connector": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + }, + "Creates or updates a Dynamics365 data connector.": { + "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" + }, + "Creates or updates a GenericUI data connector": { + "$ref": "./examples/dataConnectors/CreateGenericUI.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + }, + "Delete a GenericUI data connector": { + "$ref": "./examples/dataConnectors/DeleteGenericUI.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/1.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AAD (Azure Active Directory) data connector properties.", + "type": "object" + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "MSTIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Microsoft Threat Intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTIDataConnectorProperties", + "description": "Microsoft Threat Intelligence data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + }, + "MSTIDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", + "properties": { + "bingSafetyPhishingURL": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" + } + }, + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] + }, + "microsoftEmergingThreatFeed": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" + } + }, + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] + } + }, + "type": "object", + "required": [ + "bingSafetyPhishingURL", + "microsoftEmergingThreatFeed" + ] + }, + "MSTIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Threat Intelligence data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MSTIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MTPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MTP (Microsoft Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPDataConnectorProperties", + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" + }, + "MTPDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Protection Platforms data connector.", + "properties": { + "incidents": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for Microsoft Threat Protection Platforms data connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "incidents" + ] + }, + "MTPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MTPDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "DataConnector": { + "description": "Data connector", + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "The data connector kind" + } + }, + "type": "object" + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } + } + }, + "type": "object", + "required": [ + "state" + ] + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "DataConnectorKind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "ThreatIntelligenceTaxii", + "Office365", + "OfficeATP", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection", + "Dynamics365", + "MicrosoftThreatProtection", + "MicrosoftThreatIntelligence", + "GenericUI" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "ThreatIntelligenceTaxii" + }, + { + "value": "Office365" + }, + { + "value": "OfficeATP" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + }, + { + "value": "Dynamics365" + }, + { + "value": "MicrosoftThreatProtection" + }, + { + "value": "MicrosoftThreatIntelligence" + }, + { + "value": "GenericUI" + } + ] + } + }, + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object", + "required": [ + "tenantId" + ] + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Discovery log data type connection." + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "Dynamics365DataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Dynamics365 data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/Dynamics365DataConnectorProperties", + "description": "Dynamics365 data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Dynamics365" + }, + "Dynamics365DataConnectorDataTypes": { + "description": "The available data types for Dynamics365 data connector.", + "properties": { + "dynamics365CdsActivities": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Common Data Service data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "dynamics365CdsActivities" + ] + }, + "Dynamics365DataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Dynamics365 data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "OfficeATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPDataConnectorProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } + }, + "required": [ + "exchange", + "sharePoint", + "teams" + ], + "type": "object" + }, + "OfficeDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "indicators" + ] + }, + "TIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence TAXII data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence TAXII data connector.", + "properties": { + "taxiiClient": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for TAXII connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "taxiiClient" + ] + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", + "type": "string" + }, + "friendlyName": { + "description": "The friendly name for the TAXII server.", + "type": "string" + }, + "taxiiServer": { + "description": "The API root for the TAXII server.", + "type": "string" + }, + "collectionId": { + "description": "The collection id of the TAXII server.", + "type": "string" + }, + "userName": { + "description": "The userName for the TAXII server.", + "type": "string" + }, + "password": { + "description": "The password for the TAXII server.", + "type": "string" + }, + "taxiiLookbackPeriod": { + "description": "The lookback period for the TAXII server.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "pollingFrequency": { + "description": "The polling frequency for the TAXII server.", + "type": "string", + "x-nullable": true, + "enum": [ + "OnceAMinute", + "OnceAnHour", + "OnceADay" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "PollingFrequency", + "values": [ + { + "description": "Once a minute", + "value": "OnceAMinute" + }, + { + "description": "Once an hour", + "value": "OnceAnHour" + }, + { + "description": "Once a day", + "value": "OnceADay" + } + ] + } + }, + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for Threat Intelligence TAXII data connector." + } + }, + "required": [ + "dataTypes", + "pollingFrequency" + ], + "type": "object" + }, + "CodelessUiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Codeless UI data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/CodelessParameters", + "description": "Codeless UI data connector properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "GenericUI" + }, + "CodelessParameters": { + "description": "Represents Codeless UI data connector", + "type": "object", + "properties": { + "connectorUiConfig": { + "$ref": "#/definitions/CodelessUiConnectorConfigProperties", + "description": "Config to describe the instructions blade" + } + } + }, + "CodelessUiConnectorConfigProperties": { + "description": "Config to describe the instructions blade", + "type": "object", + "properties": { + "title": { + "description": "Connector blade title", + "type": "string" + }, + "publisher": { + "description": "Connector publisher name", + "type": "string" + }, + "descriptionMarkdown": { + "description": "Connector description", + "type": "string" + }, + "customImage": { + "description": "An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery", + "type": "string" + }, + "graphQueriesTableName": { + "description": "Name of the table the connector will insert the data to", + "type": "string" + }, + "graphQueries": { + "description": "The graph query to show the current data status", + "items": { + "allOf": [ + { + "$ref": "#/definitions/GraphQueries" + } + ] + }, + "type": "array" + }, + "sampleQueries": { + "description": "The sample queries for the connector", + "items": { + "allOf": [ + { + "$ref": "#/definitions/SampleQueries" + } + ] + }, + "type": "array" + }, + "dataTypes": { + "description": "Data types to check for last data received", + "items": { + "allOf": [ + { + "$ref": "#/definitions/LastDataReceivedDataType" + } + ] + }, + "type": "array" + }, + "connectivityCriteria": { + "description": "Define the way the connector check connectivity", + "items": { + "allOf": [ + { + "$ref": "#/definitions/ConnectivityCriteria" + } + ] + }, + "type": "array" + }, + "availability": { + "description": "Connector Availability Status", + "$ref": "#/definitions/Availability" + }, + "permissions": { + "description": "Permissions required for the connector", + "$ref": "#/definitions/Permissions" + }, + "instructionSteps": { + "description": "Instruction steps to enable the connector", + "items": { + "allOf": [ + { + "$ref": "#/definitions/InstructionSteps" + } + ] + }, + "type": "array" + } + } + }, + "LastDataReceivedDataType": { + "description": "Data type for last data received", + "type": "object", + "properties": { + "name": { + "description": "Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder", + "type": "string" + }, + "lastDataReceivedQuery": { + "description": "Query for indicate last data received", + "type": "string" + } + } + }, + "Permissions": { + "description": "Permissions required for the connector", + "type": "object", + "properties": { + "resourceProvider": { + "description": "Resource provider permissions required for the connector", + "items": { + "allOf": [ + { + "$ref": "#/definitions/ResourceProvider" + } + ] + }, + "type": "array" + }, + "customs": { + "description": "Customs permissions required for the connector", + "items": { + "allOf": [ + { + "$ref": "#/definitions/Customs" + } + ] + }, + "type": "array" + } + } + }, + "Customs": { + "description": "Customs permissions required for the connector", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/CustomsPermission" + } + ] + }, + "CustomsPermission": { + "description": "Customs permissions required for the connector", + "type": "object", + "properties": { + "name": { + "description": "Customs permissions name", + "type": "string" + }, + "description": { + "description": "Customs permissions description", + "type": "string" + } + } + }, + "ResourceProvider": { + "description": "Resource provider permissions required for the connector", + "type": "object", + "properties": { + "provider": { + "description": "Provider name", + "enum": [ + "Microsoft.OperationalInsights/solutions", + "Microsoft.OperationalInsights/workspaces", + "Microsoft.OperationalInsights/workspaces/datasources", + "microsoft.aadiam/diagnosticSettings", + "Microsoft.OperationalInsights/workspaces/sharedKeys", + "Microsoft.Authorization/policyAssignments" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ProviderName" + } + }, + "permissionsDisplayText": { + "description": "Permission description text", + "type": "string" + }, + "providerDisplayName": { + "description": "Permission provider display name", + "type": "string" + }, + "scope": { + "description": "Permission provider scope", + "enum": [ + "ResourceGroup", + "Subscription", + "Workspace" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "PermissionProviderScope" + } + }, + "requiredPermissions": { + "description": "Required permissions for the connector", + "$ref": "#/definitions/RequiredPermissions" + } + } + }, + "InstructionSteps": { + "description": "Instruction steps to enable the connector", + "type": "object", + "properties": { + "title": { + "description": "Instruction step title", + "type": "string" + }, + "description": { + "description": "Instruction step description", + "type": "string" + }, + "instructions": { + "description": "Instruction step details", + "items": { + "allOf": [ + { + "$ref": "#/definitions/ConnectorInstructionModelBase" + } + ] + }, + "type": "array" + } + } + }, + "ConnectorInstructionModelBase": { + "description": "Instruction step details", + "type": "object", + "properties": { + "parameters": { + "type": "object", + "description": "The parameters for the setting" + }, + "type": { + "description": "The kind of the setting", + "enum": [ + "CopyableLabel", + "InstructionStepsGroup", + "InfoMessage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingType" + } + } + }, + "required": [ + "type" + ] + }, + "RequiredPermissions": { + "description": "Required permissions for the connector", + "type": "object", + "properties": { + "action": { + "description": "action permission", + "type": "boolean" + }, + "write": { + "description": "write permission", + "type": "boolean" + }, + "read": { + "description": "read permission", + "type": "boolean" + }, + "delete": { + "description": "delete permission", + "type": "boolean" + } + } + }, + "Availability": { + "description": "Connector Availability Status", + "type": "object", + "properties": { + "status": { + "description": "The connector Availability Status", + "format": "int32", + "type": "integer", + "enum": [ + 1 + ], + "x-ms-enum": { + "name": "AvailabilityStatus", + "values": [ + { + "value": 1, + "description": "Available" + } + ] + } + }, + "isPreview": { + "description": "Set connector as preview", + "type": "boolean" + } + } + }, + "ConnectivityCriteria": { + "description": "Setting for the connector check connectivity", + "type": "object", + "properties": { + "type": { + "description": "type of connectivity", + "enum": [ + "IsConnectedQuery" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConnectivityType" + } + }, + "value": { + "description": "Queries for checking connectivity", + "type": "array", + "items": { + "description": "checking connectivity query", + "type": "string" + } + } + } + }, + "SampleQueries": { + "description": "The sample queries for the connector", + "type": "object", + "properties": { + "description": { + "description": "The sample query description", + "type": "string" + }, + "query": { + "description": "the sample query", + "type": "string" + } + } + }, + "GraphQueries": { + "type": "object", + "description": "The graph query to show the current data status", + "properties": { + "metricName": { + "description": "the metric that the query is checking", + "type": "string" + }, + "legend": { + "description": "The legend for the graph", + "type": "string" + }, + "baseQuery": { + "description": "The base query for the graph", + "type": "string" + } + } + } + }, + "parameters": { + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SubscriptionId": { + "description": "Azure subscription ID", + "in": "path", + "name": "subscriptionId", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "required": true, + "type": "string" + }, + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json new file mode 100644 index 000000000000..e93f2f48f5ab --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json @@ -0,0 +1,58 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "dataConnector": { + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateGenericUI.json new file mode 100644 index 000000000000..f3333cc4bb75 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateGenericUI.json @@ -0,0 +1,434 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "dataConnector": { + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json new file mode 100644 index 000000000000..4f3e9abe10e1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json @@ -0,0 +1,76 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json new file mode 100644 index 000000000000..e80e83a25b29 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json @@ -0,0 +1,60 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "ThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json new file mode 100644 index 000000000000..32042fc3ad96 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json @@ -0,0 +1,82 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "dd124572-4962-4495-9bd2-9dade12314b4", + "friendlyName": "testTaxii", + "userName": "--", + "password": "--", + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "28e5f051-34cb-4208-9037-693e5342a871", + "friendlyName": "testTaxii", + "userName": null, + "password": null, + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "28e5f051-34cb-4208-9037-693e5342a871", + "friendlyName": "testTaxii", + "userName": null, + "password": null, + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteGenericUI.json new file mode 100644 index 000000000000..5e8dda4914a8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteGenericUI.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json new file mode 100644 index 000000000000..499e3c818a20 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json new file mode 100644 index 000000000000..1fcae507b229 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json new file mode 100644 index 000000000000..965eabf0c898 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..3c45b6a74679 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "07e42cb3-e658-4e90-801c-efa0f29d3d44" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json new file mode 100644 index 000000000000..79aecf3b98a1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDataConnectors.json new file mode 100644 index 000000000000..b76e74dbb782 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDataConnectors.json @@ -0,0 +1,341 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "name": "c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligenceTaxii", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "workspaceId": "8b014a77-4695-4ef4-96bb-6623afb121a2", + "friendlyName": "My TI Taxii Connector", + "taxiiServer": "https://mytaxiiserver.com/taxiing/v2/api", + "collectionId": "e0b1f32d-1188-48f7-a7a3-de71924e4b5e", + "userName": "", + "password": "", + "pollingFrequency": "OnceAMinute", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficeATP", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "customImage": "The image connector content", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json new file mode 100644 index 000000000000..b56379dff771 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c2541efb-c9a6-47fe-9501-87d1017d1512" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetGenericUI.json new file mode 100644 index 000000000000..8fde364a96bc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetGenericUI.json @@ -0,0 +1,157 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "customImage": "The image connector content", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json new file mode 100644 index 000000000000..1ceb73dd3ca2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "b96d014d-b5c2-4a01-9aba-a8058f629d42" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..b057f538445d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json new file mode 100644 index 000000000000..8ef8b6f84354 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json @@ -0,0 +1,34 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "bingSafetyPhishingURL": { + "state": "Enabled", + "lookbackPeriod": "example ??" + }, + "microsoftEmergingThreatFeed": { + "state": "Enabled", + "lookbackPeriod": "example" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json new file mode 100644 index 000000000000..5b5bf817b8a0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "incidents": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json new file mode 100644 index 000000000000..5688997cb7c7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "3d3e955e-33eb-401d-89a7-251c81ddd660" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficeATP", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json new file mode 100644 index 000000000000..25bfdbd312e8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json @@ -0,0 +1,35 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json new file mode 100644 index 000000000000..9671cc9a2992 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json @@ -0,0 +1,30 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json new file mode 100644 index 000000000000..f3a8ae0f2599 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json @@ -0,0 +1,37 @@ +{ + "parameters": { + "api-version": "2021-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "c39bb458-02a7-4b3f-b0c8-71a1d2692652" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "name": "c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligenceTaxii", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "workspaceId": "8b014a77-4695-4ef4-96bb-6623afb121a2", + "friendlyName": "My TI Taxii Connector", + "taxiiServer": "https://mytaxiiserver.com/taxiing/v2/api", + "collectionId": "e0b1f32d-1188-48f7-a7a3-de71924e4b5e", + "userName": "", + "password": "", + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 0a4046b6ff2d..bd0c1b3b2a67 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -53,12 +53,17 @@ These settings apply only when `--tag=package-2021-03-preview-only` is specified input-file: - Microsoft.SecurityInsights/preview/2021-03-01-preview/Settings.json - Microsoft.SecurityInsights/preview/2021-03-01-preview/operations.json +- Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json - Microsoft.SecurityInsights/preview/2021-03-01-preview/Watchlists.json directive: - suppress: R4017 from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Settings.json where: $.definitions.Settings reason: The Setting does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace. + - suppress: R4017 + from: Microsoft.SecurityInsights/preview/2021-03-01-preview/dataConnectors.json + where: $.definitions.DataConnector + reason: The DataConnector does not support list by subscription. It's not a top-level resource. - suppress: R4017 from: Microsoft.SecurityInsights/preview/2021-03-01-preview/Watchlists.json where: $.definitions.Watchlist