Adding resource definition for IoTSecuritySolutionsAnalytics (Azure#6160
) * Adding resource definition for IoTSecuritySolutionsAnalytics * Fix reference error * Add reference to iotSecuritySolutionsAnalytics.json * Fix Autorest and swagger errors * Remove paging from short responses * Fix spelling * Fix wording of description * Fix paging error * refix paging * add Lists support * Fix example syntax * fix schema warnings * fix schema * fix schema * fix alert required properties error * add properties level for assitional properties * Fix additional proprties issues * fix additional properties issues * remove required tag * Fix according to ARM comments * fix errors * fix recommendation type example * fix dismiss example * required property cannot be readonly * remove tags from examples * fix lists errors * remove location property * Fixed securitySolution patch swagger * fix according to ARMs comment * fix unhealthyDeviceCount property name * Fix syntax error * Update specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutionAnalytics.json Co-Authored-By: Nick Schonning <nschonni@gmail.com> * Move remediation steps from alerts to recommendations * Move remediation steps from alerts to recommendations * rename mostPrevalentDevices to mostPrevalentDeviceAlerts * rename mostPrevalentDevices to mostPrevalentDeviceAlerts * fix example * fix dismiss * add severity to prevalent lists * fix syntax * fix errors * fix enum * remove dependency
1 parent
183d6c5
commit 2d5650e
Showing
11 changed files
with
1,295 additions
and
10 deletions.
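--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList_example.json
@@ -0,0 +1,54 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Fail",
+"alertDisplayName": "Failed Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified. A Bruteforce attack on the device failed.",
+"count": 50,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+},
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Success",
+"alertDisplayName": "Successful Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified followed by a succssful login. A Bruteforce attack on the device was Successfule",
+"count": 600000,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+}
+]
+}
+}
+}
+}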
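Review bot: Both `logAnalyticsQuery` values in this example point at a different subscription (`b77ec8a9-…`), resource group (`IoT-Solution-DemoEnv`) and hub (`rtogm-hub`) than the `20ff7fc3-…`/`MyGroup` request parameters, and they filter on `'Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range'` rather than the `IoT_Bruteforce_Fail`/`IoT_Bruteforce_Success` alert each entry describes. Identifiers that look lifted from a live environment do not belong in a public spec repository; the query should be built from the example's own fixtures, e.g. `tolower(ResourceId) == tolower('/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Devices/IotHubs/myHub') and tolower(AlertName) == tolower('Failed Bruteforce')`. `name` repeats the full `id`; ARM resources normally carry only the trailing name segment(s) (`IoT_Bruteforce_Fail/2019-02-02`) in `name`, so confirm which the schema intends. The commit message says remediation steps moved from alerts to recommendations, yet every alert here still emits `"remediationSteps": ""` — if the property was dropped from the alert schema this example will fail validation, and if it stayed an empty string is a poor example value. The `description` strings also carry typos (`unsuccsseful`, `succssful`, `Successfule`) that will surface verbatim in generated docs.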
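--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert_example.json
@@ -0,0 +1,32 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default",
+"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Fail",
+"alertDisplayName": "Failed Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified. A Bruteforce attack on the device failed.",
+"count": 50,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+}
+}
+}
+}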
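Review bot: The `aggregatedAlertName` parameter value `IoT_Bruteforce_Fail/2019-02-02` contains a path separator, so as a single `{aggregatedAlertName}` route segment it would have to travel URL-encoded (`IoT_Bruteforce_Fail%2F2019-02-02`), and ARM front doors and client SDKs are inconsistent about preserving encoded slashes; either model the route as two segments (`{alertType}/{aggregatedDate}`) or document that the name is a composite and how it is encoded. The response `name` repeats the full resource `id`; per ARM convention it should presumably be the resource's own name, `"name": "IoT_Bruteforce_Fail/2019-02-02"`. The `logAnalyticsQuery` again references a subscription, resource group and hub (`rtogm-hub`) that do not match the request parameters and should be regenerated from this example's fixtures.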
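--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAnalyticsList_example.json
@@ -0,0 +1,95 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList",
+"properties": {
+"metrics": {
+"high": 5,
+"medium": 200,
+"low": 102
+},
+"unhealthyDeviceCount": 1200,
+"devicesMetrics": [
+{
+"date": "2019-02-01T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 15,
+"low": 70
+}
+},
+{
+"date": "2019-02-02T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 45,
+"low": 65
+}
+}
+],
+"topAlertedDevices": [
+{
+"deviceId": "id1",
+"alertsCount": 200
+},
+{
+"deviceId": "id2",
+"alertsCount": 170
+},
+{
+"deviceId": "id3",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceAlerts": [
+{
+"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
+"reportedSeverity": "Medium",
+"devicesCount": 170
+},
+{
+"alertDisplayName": "Successful Bruteforce",
+"reportedSeverity": "Low",
+"devicesCount": 150
+}
+],
+"mostPrevalentDeviceRecommendations": [
+{
+"recommendationDisplayName": "Install the Azure Security of Things Agent",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
+"reportedSeverity": "Low",
+"devicesCount": 170
+},
+{
+"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
+"reportedSeverity": "Medium",
+"devicesCount": 150
+}
+]
+}
+}
+]
+}
+}
+}
+}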
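Review bot: The element inside `value` declares `"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList"`, but the list type is the envelope, not the item; the singular GET example for the same resource uses `Microsoft.Security/IoTSecuritySolutionAnalyticsModel`, and each item here should too: `"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel"`. Unless the list schema is looser than the GET schema, the current value will also fail example validation against the model definition. The nested `devicesMetrics` array whose items each contain a `devicesMetrics` object reuses one name at two levels; if the schema is still open to change, something like `metrics` for the inner object would make the shape self-describing. `id` and `name` are again the same full ARM path; `name` would normally be just `default`.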
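--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAnalytics_example.json
@@ -0,0 +1,91 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel",
+"properties": {
+"metrics": {
+"high": 5,
+"medium": 200,
+"low": 102
+},
+"unhealthyDeviceCount": 1200,
+"devicesMetrics": [
+{
+"date": "2019-02-01T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 15,
+"low": 70
+}
+},
+{
+"date": "2019-02-02T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 45,
+"low": 65
+}
+}
+],
+"topAlertedDevices": [
+{
+"deviceId": "id1",
+"alertsCount": 200
+},
+{
+"deviceId": "id2",
+"alertsCount": 170
+},
+{
+"deviceId": "id3",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceAlerts": [
+{
+"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
+"reportedSeverity": "Low",
+"alertsCount": 200
+},
+{
+"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
+"reportedSeverity": "Medium",
+"alertsCount": 170
+},
+{
+"alertDisplayName": "Successful Bruteforce",
+"reportedSeverity": "Low",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceRecommendations": [
+{
+"recommendationDisplayName": "Install the Azure Security of Things Agent",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
+"reportedSeverity": "Low",
+"devicesCount": 170
+},
+{
+"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
+"reportedSeverity": "Medium",
+"devicesCount": 150
+}
+]
+}
+}
+}
+}
+}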
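Review bot: The `mostPrevalentDeviceAlerts` entries in this example use `alertsCount` while the list example for the same resource uses `devicesCount` for the same array; the schema can declare only one of them, so one of the two examples will fail Autorest/oav example validation. Given that `topAlertedDevices` already reports `alertsCount` per device and the sibling `mostPrevalentDeviceRecommendations` uses `devicesCount`, the number of affected devices (`"devicesCount": 200`) looks like the intended field, but confirm against the corresponding definition in iotSecuritySolutionAnalytics.json, which is not visible here. As in the other examples, `name` duplicates the full `id` where ARM would expect the resource name `default`.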
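--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityRecommendationList_example.json
@@ -0,0 +1,50 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "OpenPortsOnDevice",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"healthyDevices": 10000,
+"unhealthyDeviceCount": 200,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')"
+}
+},
+{
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/TooLargeIPRange",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_InstallAgent",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "TooLargeIPRange",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors.",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "High",
+"remediationSteps": "",
+"healthyDevices": 130000,
+"unhealthyDeviceCount": 1,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('TooLargeIPRange')"
+}
+}
+]
+}
+}
+}
+}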
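Review bot: The second entry's `id` ends in `TooLargeIPRange` while its `name` ends in `IoT_InstallAgent`, and its `recommendationDisplayName` ("Permissive firewall policy in one of the chains was found") is copied from the `OpenPortsOnDevice` entry even though its `description` is about an over-broad IP filter source range; `name` should match the id (`.../Locations/eastus/default/TooLargeIPRange`) and the display name should describe the IP range finding. `recommendationTypeId` is `{20ff7fc3-e762-44dd-bd96-b71116dcdc23}` in both entries — the same GUID that serves as the subscription id in the sibling examples, and the only brace-wrapped GUID in these files — so it reads as a placeholder collision rather than two distinct type ids; use a separate, unbraced GUID per recommendation type. Both `logAnalyticsQuery` values hard-code a hub (`t-ofdadu-hub`) that looks like it came from a personal test environment; a neutral fixture such as `myHub` is preferable in a public spec. The commit message says remediation steps were moved onto recommendations, yet both entries ship `"remediationSteps": ""`, which gives readers nothing to go on.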
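--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityRecommendation_example.json
@@ -0,0 +1,30 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default",
+"aggregatedRecommendationName": "OpenPortsOnDevice"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "OpenPortsOnDevice",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"healthyDevices": 10000,
+"unhealthyDeviceCount": 200,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')"
+}
+}
+}
+}
+}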
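Review bot: The pair `"healthyDevices": 10000` / `"unhealthyDeviceCount": 200` names two symmetric counters inconsistently (one with a `Count` suffix, one without); the commit message says `unhealthyDeviceCount` was just renamed, so `healthyDevices` looks like the one left behind, and while this is still a preview API `healthyDeviceCount` would keep the two aligned. The `description` runs two sentences together (`...Deny all traffic by default define rules...`); a period or "and" after "default" would make the guidance readable in generated docs. `name` repeats the full resource `id` rather than the resource name `OpenPortsOnDevice`, and `recommendationTypeId` reuses the subscription GUID from the alert examples wrapped in braces, which suggests a placeholder rather than a real type identifier.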
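--- /dev/null
+++ b/examples/IoTSecuritySolutionsAnalytics/PostIoTSecuritySolutionsSecurityAggregatedAlertDismiss_example.json
@@ -0,0 +1,12 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default",
+"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02/dismiss"
+},
+"responses": {
+"200": {}
+}
+}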
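Review bot: The `aggregatedAlertName` value `IoT_Bruteforce_Fail/2019-02-02/dismiss` carries the `dismiss` action as part of the resource name, so either the path template already ends in `/dismiss` and this request would resolve to `.../dismiss/dismiss`, or the action is being passed through a name parameter instead of being fixed in the route; the parameter should be `"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02"` with the action expressed in the operation path. The example also pairs subscription `20ff7fc3-…` with resource group `IoTEdgeResources`, whereas the other alert examples use `MyGroup` for that subscription and `075423e9-…` for `IoTEdgeResources`; one consistent fixture set across the examples would make them easier to follow and cross-check.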