214 changes: 198 additions & 16 deletions specs/SHIELD.json
@@ -1113,7 +1113,7 @@
},
"Deploy.ConfigurationItem": {
"title": "Deploy - Configuration Item List",
"description": "",
"description": "Collection of objects representing the configuration items with curated properties and values in user-friendly format.",
"type": "array",
"items": {
"description": "",
@@ -1140,6 +1140,19 @@
]
]
},
"deployState": {
"type": "string",
"description": "Indicator of the infrastructure configuration item's current state. Mutated means that the item has been modified by the end user outside of SHIELD.",
"enum": [
"notDeployed",
"deployed",
"Mutated",
"error"
],
"examples": [
"deployed"
]
},
"groupTagList": {
"type": "array",
"description": "List of metadata tags that indicate which deployment sets the configuration item is compatible with.",
@@ -1253,6 +1266,7 @@
},
"required": [
"childDependencies",
"deployState",
"groupTagList",
"msCloudTypes",
"parentDependencies",
@@ -1265,6 +1279,7 @@
"7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
"9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
],
"deployState": "deployed",
"groupTagList": [
{
"description": "Collection of policies covering critical conditional access settings.",
@@ -1290,6 +1305,7 @@
"7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
"9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
],
"deployState": "deployed",
"groupTagList": [
{
"description": "Collection of policies covering critical conditional access settings.",
@@ -1310,6 +1326,7 @@
"childDependencies": [
"1c2b5d3f-7a1b-4a8b-9e6a-2e4a3b7e8c5d"
],
"deployState": "notDeployed",
"groupTagList": [
{
"description": "Principal containers that are used to provide assignments.",
@@ -2590,7 +2607,7 @@
},
"description": "Deprive your threats of practical significance. Deploy the Securing Privilege Access architecture. All in a few seconds.",
"title": "SHI Environment Lockdown and Defense",
"version": "3.0.8"
"version": "3.0.9"
},
"openapi": "3.1.1",
"paths": {
@@ -3655,22 +3672,45 @@
"summary": "Available Configuration Items",
"value": [
{
"id": "5e2a9c1f-8b3d-4f6a-9e7c-2d1f3a6b4c8e",
"name": "Core Security Group",
"description": "A core security group that contains essential security roles and permissions.",
"type": "SecurityGroup",
"isActive": true,
"createdAt": "2024-02-20T10:00:00Z",
"updatedAt": "2024-05-15T11:30:00Z"
"childDependencies": [
"7e1a2b3c-4d5f-4a8b-9e6a-1c2b7f3d8e4a",
"9c2e7a1b-5d3f-4a8b-2c6e-7f1a3d9e8b5c"
],
"deployState": "deployed",
"groupTagList": [
{
"description": "Collection of policies covering critical conditional access settings.",
"displayName": "Conditional Policy",
"tagId": "3b7e2a1c-4d5f-4a8b-9e6a-2c1b7f3d8e4a"
}
],
"msCloudTypes": [
"Public"
],
"parentDependencies": [
"8e6a1c2b-7f3d-4a8b-9c2e-5d3f7a1b2e4a"
],
"templateId": "2a1c7e3b-5d4f-4a8b-9e6a-7f3d2b1c8e4a",
"urlPath": "/identity/conditionalAccess/policies"
},
{
"id": "9c7f2e1a-3b6d-4a8e-9f5c-1d2a4b7e6c3f",
"name": "Scope Tag - Confidential Data",
"description": "A scope tag designed to restrict access to confidential data resources.",
"type": "ScopeTag",
"isActive": true,
"createdAt": "2024-04-12T14:20:00Z",
"updatedAt": "2024-07-01T09:50:00Z"
"childDependencies": [
"1c2b5d3f-7a1b-4a8b-9e6a-2e4a3b7e8c5d"
],
"deployState": "notDeployed",
"groupTagList": [
{
"description": "Principal containers that are used to provide assignments.",
"displayName": "Administrative Unit",
"tagId": "5d3f9c2e-7a1b-4a8b-2c6e-1a3d7e8b5c4a"
}
],
"msCloudTypes": [
"Public"
],
"parentDependencies": [],
"templateId": "4a8b7e1a-2b3c-4d5f-9e6a-1c2b7f3d8e4a",
"urlPath": "/directory/administrativeUnits"
}
]
}
@@ -3732,6 +3772,148 @@
]
}
},
"/Api/Deploy/Remediate/BreakGlass": {
"post": {
"summary": "Request to create BreakGlass security group",
"description": "Attempt to create BreakGlass security group in the tenant. If group has already been provisioned it will return the name of the group to reference.\n\nThis endpoint requires the `Deploy.ReadWrite`, or the `Everything.ReadWrite` scope (permission). ",
"operationId": "/Api/Deploy/Remediate/BreakGlass/Post",
"responses": {
"200": {
"content": {
"application/json": {
"examples": {
"Response with data": {
"summary": "Example of the returned data",
"description": "An example of the name of the resource either created or already existing.",
"value": {
"groupName": "SHIELD - BreakGlass"
}
}
},
"schema": {
"type": "object",
"properties": {
"groupName": {
"type": "string",
"description": "Name of the security group created now or already existing in the tenant.",
"examples": [
"SHIELD - BreakGlass"
]
}
},
"required": [
"groupName"
],
"examples": [
{
"groupName": "SHIELD - BreakGlass"
}
]
}
}
},
"description": "OK"
},
"503": {
"description": "System requirements have not been met!"
}
},
"tags": [
"Deploy"
]
}
},
"/Api/Deploy/Remediate": {
"post": {
"summary": "Perform remediation steps to address discovered gaps in security posture",
"description": "After the user consents, perform necessary steps to deploy resources to cover the security gap.\n\nThis endpoint requires the `Deploy.ReadWrite`, or the `Everything.ReadWrite` scope (permission).",
"operationId": "/Api/Deploy/Remediate/Post",
"requestBody": {
"content": {
"application/json": {
"examples": {
"Insufficient Remediation Request": {
"description": "Someone trying to automate this application without reading the documentation.",
"summary": "Remediation Request Missing Needed Data",
"value": {}
},
"No User Consent": {
"description": "User did not agree to the terms and conditions. This post should not have been sent.",
"summary": "User Did Not Consent",
"value": {
"remediationConsent": false,
"templateList": [
"8e2b1c7a-4d5f-4a8b-9e6a-2c1b7f3d8e4a",
"3a7e2b1c-5d4f-4a8b-9e6a-7f2b3d1c9e45"
]
}
},
"User Consented": {
"description": "User agreed to the terms and conditions and pressed the remediate button.",
"summary": "User Consented",
"value": {
"remediationConsent": true,
"templateList": [
"9c1e7a2b-5d3f-4a8b-2c6e-1a7f3d9e8b5c",
"2b3e7a1c-4d5f-4a8b-9e6a-5d1c7e2b3a4f",
"7f1a3d9e-8b5c-4a8b-2c6e-9c2e7a1b5d3f"
]
}
}
},
"schema": {
"properties": {
"remediationConsent": {
"description": "Flag that indicates the end user has consented to remediation steps (`true`) or not (`false`).",
"type": "boolean",
"examples": [
true
]
},
"templateList": {
"description": "List of templateIds that indicate configuration items to be applied as part of remediation.",
"type": "array",
"items": {
"type": "string",
"format": "uuid",
"maxLength": 36,
"minLength": 36,
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$",
"examples": [
"5d1c7e2b-3a4f-4a8b-9e6a-7f2b3d1c9e45"
]
},
"minItems": 0
}
},
"type": "object",
"required": [
"remediationConsent",
"templateList"
]
}
}
}
},
"responses": {
"202": {
"description": "Request for remediation is accepted and process is running"
},
"400": {
"description": "User provided information or choice are invalid for the operation"
},
"409": {
"description": "Operation is already in progress"
},
"503": {
"description": "System requirements have not been met!"
}
},
"tags": [
"Deploy"
]
}
},
"/Api/Deploy/Compare": {
"get": {
"summary": "Retrieves Cached Evaluation Results",
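Review bot: Both new operations, `/Api/Deploy/Remediate/BreakGlass` and `/Api/Deploy/Remediate`, state the `Deploy.ReadWrite` / `Everything.ReadWrite` requirement only in the free-text `description`; neither operation object visible here carries a `security` requirement, and neither lists a `401` or `403` response. If the document does not set a top-level `security` default (not visible in this section), generated clients and gateway validators will treat these state-changing POSTs as needing no token, so I would add something like `"security": [{ "<scheme name from components.securitySchemes>": ["Deploy.ReadWrite"] }]` plus `"401"` and `"403"` entries to each. On `/Api/Deploy/Remediate` the `requestBody` also has no `"required": true`, so a POST with no body is valid against the spec even though `remediationConsent` is listed as required inside the schema. Separately, the `deployState` enum mixes casing (`"Mutated"` beside `"notDeployed"`, `"deployed"`, `"error"`); since the property is now in `required` and clients must match the string exactly, the case should be settled before this version is published.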
4 changes: 2 additions & 2 deletions src/shield/TypeScript/package-lock.json


2 changes: 1 addition & 1 deletion src/shield/TypeScript/package.json
@@ -1,6 +1,6 @@
{
"name": "@shi-corp/sdk-shield",
"version": "3.0.10",
"version": "3.0.11",
"type": "module",
"main": "bin/index.js",
"description": "SDK client used to interface with the SHIELD application.",