Adding resource definition for IoTSecuritySolutionsAnalytics (Azure#6160)

* Adding resource definition for IoTSecuritySolutionsAnalytics

* Fix reference error

* Add reference to iotSecuritySolutionsAnalytics.json

* Fix Autorest and swagger errors

* Remove paging from short responses

* Fix spelling

* Fix wording of description

* Fix paging error

* refix paging

* add Lists support

* Fix example syntax

* fix schema warnings

* fix schema

* fix schema

* fix alert required properties error

* add properties level for additional properties

* Fix additional properties issues

* fix additional properties issues

* remove required tag

* Fix according to ARM comments

* fix errors

* fix recommendation type example

* fix dismiss example

* required property cannot be readonly

* remove tags from examples

* fix lists errors

* remove location property

* Fixed securitySolution patch swagger

* fix according to ARMs comment

* fix unhealthyDeviceCount property name

* Fix syntax error

* Update specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutionAnalytics.json

Co-Authored-By: Nick Schonning <nschonni@gmail.com>

* Move remediation steps from alerts to recommendations

* Move remediation steps from alerts to recommendations

* rename mostPrevalentDevices to mostPrevalentDeviceAlerts

* rename mostPrevalentDevices to mostPrevalentDeviceAlerts

* fix example

* fix dismiss

* add severity to prevalent lists

* fix syntax

* fix errors

* fix enum

* remove dependency
hagba authored and celikcigdem committed Jul 17, 2019
1 parent 183d6c5 commit 2d5650e
Showing 11 changed files with 1,295 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,14 @@
"tags": {
"foo": "bar"
},
"userDefinedResources": {
"query": "where type != \"microsoft.devices/iothubs\" | where name contains \"v2\"",
"querySubscriptions": [
"075423e9-7d33-4166-8bdf-3920b04e3735"
]
}
"properties":{
"userDefinedResources": {
"query": "where type != \"microsoft.devices/iothubs\" | where name contains \"v2\"",
"querySubscriptions": [
"075423e9-7d33-4166-8bdf-3920b04e3735"
]
}
}
}
},
"responses": {
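Review bot: The added `"properties":{` line is the only key in this hunk written without a space after the colon; every other key in the block is written `"key": value`, so for consistency it should read `"properties": {`. The enclosing JSON object continues outside the hunk in both directions, so the closing of the new wrapper cannot be fully checked here. Separately, the unchanged `"tags": { "foo": "bar" }` lines are still in this example even though the commit description says tags were removed from the examples; worth confirming this file was meant to keep them.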
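--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,54 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Fail",
+"alertDisplayName": "Failed Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified. A Bruteforce attack on the device failed.",
+"count": 50,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+},
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Success",
+"alertDisplayName": "Successful Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified followed by a succssful login. A Bruteforce attack on the device was Successfule",
+"count": 600000,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+}
+]
+}
+}
+}
+}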
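Review bot: The `logAnalyticsQuery` string on both alerts filters on a different subscription (`b77ec8a9-…`), resource group (`IoT-Solution-DemoEnv`) and IoT hub (`rtogm-hub`) than the example's own parameters, and on the AlertName `Custom Alert - number of device to cloud messages in MQTT protocol …` rather than the `IoT_Bruteforce_Fail` / `IoT_Bruteforce_Success` alert it is attached to; these look like identifiers copied from a live environment, and a published example should reuse its own placeholder subscription and resource group. The descriptions also carry typos — `unsuccsseful`, `succssful`, `Successfule`. In every new example in this commit `name` repeats the full ARM `id`; ARM conventions normally put only the resource's own name there, so confirm that against the swagger model. The same query and typo issues recur in the single-alert example that follows.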
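--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,32 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default",
+"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
+"type": "Microsoft.Security/IoTSecurityAggregatedAlert",
+"properties": {
+"alertType": "IoT_Bruteforce_Fail",
+"alertDisplayName": "Failed Bruteforce",
+"aggregatedDateUtc": "2019-02-02",
+"vendorName": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"description": "Multiple unsuccsseful login attempts identified. A Bruteforce attack on the device failed.",
+"count": 50,
+"effectedResourceType": "IoT Device",
+"systemSource": "Devices",
+"actionTaken": "Detected",
+"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+}
+}
+}
+}
+}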
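Review bot: The path parameter `aggregatedAlertName` is given as `IoT_Bruteforce_Fail/2019-02-02`, a value containing a `/`; unless the operation declares the parameter with `x-ms-skip-url-encoding` or otherwise tolerates a slash, a generated client will either percent-encode it or the server will split it into two segments, so this example may not round-trip against the route as written. Consider documenting the composite format (`<alertType>/<aggregatedDateUtc>`) in the parameter's description, or modelling the two parts separately. The dismiss example at the end of this commit uses the same composite value with a further `/dismiss` suffix.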
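--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,95 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList",
+"properties": {
+"metrics": {
+"high": 5,
+"medium": 200,
+"low": 102
+},
+"unhealthyDeviceCount": 1200,
+"devicesMetrics": [
+{
+"date": "2019-02-01T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 15,
+"low": 70
+}
+},
+{
+"date": "2019-02-02T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 45,
+"low": 65
+}
+}
+],
+"topAlertedDevices": [
+{
+"deviceId": "id1",
+"alertsCount": 200
+},
+{
+"deviceId": "id2",
+"alertsCount": 170
+},
+{
+"deviceId": "id3",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceAlerts": [
+{
+"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
+"reportedSeverity": "Medium",
+"devicesCount": 170
+},
+{
+"alertDisplayName": "Successful Bruteforce",
+"reportedSeverity": "Low",
+"devicesCount": 150
+}
+],
+"mostPrevalentDeviceRecommendations": [
+{
+"recommendationDisplayName": "Install the Azure Security of Things Agent",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
+"reportedSeverity": "Low",
+"devicesCount": 170
+},
+{
+"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
+"reportedSeverity": "Medium",
+"devicesCount": 150
+}
+]
+}
+}
+]
+}
+}
+}
+}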
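Review bot: The array element declares `"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList"` while the single-resource example that follows uses `Microsoft.Security/IoTSecuritySolutionAnalyticsModel` for the very same `id`; the list suffix belongs to the envelope, not to each element, so the line should be `"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel"`. Likewise the `mostPrevalentDeviceAlerts` entries use `devicesCount` here but `alertsCount` in the following example, so at most one of the two matches the model's schema; whichever the swagger defines should be used in both files. `devicesMetrics` is also used as the name of both the array and the per-date object inside it, which is valid JSON but makes the two levels easy to confuse in client code.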
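--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,91 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "MyGroup",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
+"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel",
+"properties": {
+"metrics": {
+"high": 5,
+"medium": 200,
+"low": 102
+},
+"unhealthyDeviceCount": 1200,
+"devicesMetrics": [
+{
+"date": "2019-02-01T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 15,
+"low": 70
+}
+},
+{
+"date": "2019-02-02T00:00:00Z",
+"devicesMetrics": {
+"high": 3,
+"medium": 45,
+"low": 65
+}
+}
+],
+"topAlertedDevices": [
+{
+"deviceId": "id1",
+"alertsCount": 200
+},
+{
+"deviceId": "id2",
+"alertsCount": 170
+},
+{
+"deviceId": "id3",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceAlerts": [
+{
+"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
+"reportedSeverity": "Low",
+"alertsCount": 200
+},
+{
+"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
+"reportedSeverity": "Medium",
+"alertsCount": 170
+},
+{
+"alertDisplayName": "Successful Bruteforce",
+"reportedSeverity": "Low",
+"alertsCount": 150
+}
+],
+"mostPrevalentDeviceRecommendations": [
+{
+"recommendationDisplayName": "Install the Azure Security of Things Agent",
+"reportedSeverity": "Low",
+"devicesCount": 200
+},
+{
+"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
+"reportedSeverity": "Low",
+"devicesCount": 170
+},
+{
+"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
+"reportedSeverity": "Medium",
+"devicesCount": 150
+}
+]
+}
+}
+}
+}
+}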
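--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,50 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default"
+},
+"responses": {
+"200": {
+"body": {
+"value": [
+{
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "OpenPortsOnDevice",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"healthyDevices": 10000,
+"unhealthyDeviceCount": 200,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')"
+}
+},
+{
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/TooLargeIPRange",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_InstallAgent",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "TooLargeIPRange",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors.",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "High",
+"remediationSteps": "",
+"healthyDevices": 130000,
+"unhealthyDeviceCount": 1,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('TooLargeIPRange')"
+}
+}
+]
+}
+}
+}
+}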
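Review bot: In the second recommendation the `id` ends in `TooLargeIPRange` but `name` ends in `IoT_InstallAgent`, and its `recommendationDisplayName` repeats the firewall-chain text of the first entry although its description is about an over-broad IP filter rule; both look like copy-paste leftovers and should be corrected to match `recommendationName`. `recommendationTypeId` is `{20ff7fc3-e762-44dd-bd96-b71116dcdc23}`, the subscription GUID used elsewhere in these examples wrapped in braces; a distinct sample value without braces, matching the formatting of the other GUIDs on the page, would avoid implying the two are related. `healthyDevices` sits next to `unhealthyDeviceCount`, so the two counters are named inconsistently; confirm both names against the swagger model rather than the example. The single-recommendation example that follows shares the last two points.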
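--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,30 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default",
+"aggregatedRecommendationName": "OpenPortsOnDevice"
+},
+"responses": {
+"200": {
+"body": {
+"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
+"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation",
+"properties": {
+"recommendationName": "OpenPortsOnDevice",
+"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
+"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
+"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
+"detectedBy": "Microsoft",
+"reportedSeverity": "Low",
+"remediationSteps": "",
+"healthyDevices": 10000,
+"unhealthyDeviceCount": 200,
+"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')"
+}
+}
+}
+}
+}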
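--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,12 @@
+{
+"parameters": {
+"api-version": "2017-08-01-preview",
+"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+"resourceGroupName": "IoTEdgeResources",
+"solutionName": "default",
+"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02/dismiss"
+},
+"responses": {
+"200": {}
+}
+}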
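Review bot: `aggregatedAlertName` is set to `IoT_Bruteforce_Fail/2019-02-02/dismiss`, which embeds the action segment in the resource-name parameter; if the operation's path template already ends in `/dismiss` the request would target `…/dismiss/dismiss`, and if it does not, the action is being carried by a parameter that the route does not validate. The value should be the alert name alone, `"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02"`, with the action coming from the route template. If the composite `<alertType>/<date>` form is intended, its encoding rule should be documented on the parameter, as it affects the other alert example in this commit too.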