diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/AlertRules.json new file mode 100644 index 000000000000..5564565c1eec --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/AlertRules.json @@ -0,0 +1,1428 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { + "get": { + "x-ms-examples": { + "Get all alert rules.": { + "$ref": "./examples/alertRules/GetAllAlertRules.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets all alert rules.", + "operationId": "AlertRules_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { + "get": { + "x-ms-examples": { + "Get a Scheduled alert rule.": { + "$ref": "./examples/alertRules/GetScheduledAlertRule.json" + }, + "Get a Fusion alert rule.": { + "$ref": "./examples/alertRules/GetFusionAlertRule.json" + }, + "Get a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets the alert rule.", + "operationId": "AlertRules_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a Scheduled alert rule.": { + "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" + }, + "Creates or updates a Fusion alert rule.": { + "$ref": "./examples/alertRules/CreateFusionAlertRule.json" + }, + "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Creates or updates the alert rule.", + "operationId": "AlertRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/AlertRule" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an alert rule.": { + "$ref": "./examples/alertRules/DeleteAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Delete the alert rule.", + "operationId": "AlertRules_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions": { + "get": { + "x-ms-examples": { + "Get all actions of alert rule.": { + "$ref": "./examples/actions/GetAllActionsByAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets all actions of alert rule.", + "operationId": "Actions_ListByAlertRule", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}": { + "get": { + "x-ms-examples": { + "Get an action of alert rule.": { + "$ref": "./examples/actions/GetActionOfAlertRuleById.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets the action of alert rule.", + "operationId": "Actions_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an action of alert rule.": { + "$ref": "./examples/actions/CreateActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Creates or updates the action of alert rule.", + "operationId": "Actions_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + }, + { + "$ref": "#/parameters/Action" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an action of alert rule.": { + "$ref": "./examples/actions/DeleteActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Delete the action of alert rule.", + "operationId": "Actions_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates": { + "get": { + "x-ms-examples": { + "Get all alert rule templates.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplates.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets all alert rule templates.", + "operationId": "AlertRuleTemplates_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRuleTemplatesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}": { + "get": { + "x-ms-examples": { + "Get alert rule template by Id.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplateById.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets the alert rule template.", + "operationId": "AlertRuleTemplates_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AlertRuleTemplateId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/AlertRuleTemplate" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "ActionRequest": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string" + } + }, + "required": [ + "triggerUri" + ], + "type": "object" + }, + "ActionResponse": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + } + ], + "description": "Action for alert rule.", + "properties": { + "etag": { + "description": "Etag of the action.", + "type": "string" + }, + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + "type": "string" + } + }, + "required": [ + "logicAppResourceId" + ], + "type": "object" + }, + "AlertRule": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Alert rule.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKind", + "description": "The alert rule kind" + } + }, + "type": "object" + }, + "AlertRuleKind": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + "values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + } + ] + } + }, + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKind", + "description": "The alert rule kind", + "type": "string" + } + }, + "type": "object" + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplateStatus": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "FusionAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Fusion alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "FusionAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Fusion alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleTemplateProperties", + "description": "Fusion alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleTemplateProperties": { + "description": "Represents Fusion alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties", + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": { + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityProductName": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "ScheduledAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Schedule alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "format": "int32", + "type": "integer" + } + }, + "type": "object" + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleTemplateProperties": { + "description": "Scheduled alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "format": "int32", + "type": "integer" + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleTemplateProperties", + "description": "Scheduled alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + } + }, + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" + }, + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/Bookmarks.json new file mode 100644 index 000000000000..61051726d2df --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/Bookmarks.json @@ -0,0 +1,438 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/BookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/Bookmark" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + "operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "Bookmark": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" + }, + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" + }, + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "objectId" + ], + "type": "object" + } + }, + "parameters": { + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": "bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/DataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/DataConnectors.json new file mode 100644 index 000000000000..4d6c9b276b03 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/DataConnectors.json @@ -0,0 +1,738 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a MCAS data connector.": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates an Threat Intelligence Platform data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "description": "AAD (Azure Active Directory) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "DataConnector": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Data connector.", + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "The data connector kind" + } + }, + "type": "object" + }, + "DataConnectorKind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "Office365", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "Office365" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + } + ] + } + }, + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } + } + }, + "type": "object" + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection." + }, + "discoveryLogs": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Discovery log data type connection." + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object" + }, + "TIDataConnectorProperties": { + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "OfficeDataConnectorProperties": { + "description": "Office data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + } + }, + "parameters": { + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json index 9285c576a626..e0a84f111940 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json @@ -65,18 +65,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { "get": { "x-ms-examples": { - "Get all alert rules.": { - "$ref": "./examples/alertRules/GetAllAlertRules.json" + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" } }, "tags": [ - "Alert Rules" + "Incidents" ], - "description": "Gets all alert rules.", - "operationId": "AlertRules_List", + "description": "Gets all incidents.", + "operationId": "Incidents_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -89,13 +89,25 @@ }, { "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } ], "responses": { "200": { "description": "OK, Operation successfully completed", "schema": { - "$ref": "#/definitions/AlertRulesList" + "$ref": "#/definitions/IncidentList" } }, "default": { @@ -110,24 +122,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { "get": { "x-ms-examples": { - "Get a Scheduled alert rule.": { - "$ref": "./examples/alertRules/GetScheduledAlertRule.json" - }, - "Get a Fusion alert rule.": { - "$ref": "./examples/alertRules/GetFusionAlertRule.json" - }, - "Get a MicrosoftSecurityIncidentCreation rule.": { - "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" } }, "tags": [ - "Alert Rules" + "Incidents" ], - "description": "Gets the alert rule.", - "operationId": "AlertRules_Get", + "description": "Gets an incident.", + "operationId": "Incidents_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -142,14 +148,14 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" } ], "responses": { "200": { "description": "OK, Operation successfully completed", "schema": { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Incident" } }, "default": { @@ -162,21 +168,15 @@ }, "put": { "x-ms-examples": { - "Creates or updates a Scheduled alert rule.": { - "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" - }, - "Creates or updates a Fusion alert rule.": { - "$ref": "./examples/alertRules/CreateFusionAlertRule.json" - }, - "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { - "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" } }, "tags": [ - "Alert Rules" + "Incidents" ], - "description": "Creates or updates the alert rule.", - "operationId": "AlertRules_CreateOrUpdate", + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -191,23 +191,23 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/AlertRule" + "$ref": "#/parameters/Incident" } ], "responses": { "200": { "description": "OK, Operation successfully completed", "schema": { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Incident" } }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Incident" } }, "default": { @@ -220,15 +220,15 @@ }, "delete": { "x-ms-examples": { - "Delete an alert rule.": { - "$ref": "./examples/alertRules/DeleteAlertRule.json" + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" } }, "tags": [ - "Alert Rules" + "Incidents" ], - "description": "Delete the alert rule.", - "operationId": "AlertRules_Delete", + "description": "Delete the incident.", + "operationId": "Incidents_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -243,7 +243,7 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" } ], "responses": { @@ -262,18 +262,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { "get": { "x-ms-examples": { - "Get all actions of alert rule.": { - "$ref": "./examples/actions/GetAllActionsByAlertRule.json" + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" } }, "tags": [ - "Actions" + "IncidentComments" ], - "description": "Gets all actions of alert rule.", - "operationId": "Actions_ListByAlertRule", + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -288,14 +288,26 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } ], "responses": { "200": { "description": "OK, Operation successfully completed", "schema": { - "$ref": "#/definitions/ActionsList" + "$ref": "#/definitions/IncidentCommentList" } }, "default": { @@ -305,23 +317,24 @@ } } }, + "x-ms-odata": "#/definitions/IncidentComment", "x-ms-pageable": { "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { "get": { "x-ms-examples": { - "Get an action of alert rule.": { - "$ref": "./examples/actions/GetActionOfAlertRuleById.json" + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" } }, "tags": [ - "Actions" + "IncidentComments" ], - "description": "Gets the action of alert rule.", - "operationId": "Actions_Get", + "description": "Gets an incident comment.", + "operationId": "IncidentComments_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -336,17 +349,17 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/ActionId" + "$ref": "#/parameters/IncidentCommentId" } ], "responses": { "200": { "description": "OK, Operation successfully completed", "schema": { - "$ref": "#/definitions/ActionResponse" + "$ref": "#/definitions/IncidentComment" } }, "default": { @@ -359,15 +372,15 @@ }, "put": { "x-ms-examples": { - "Creates or updates an action of alert rule.": { - "$ref": "./examples/actions/CreateActionOfAlertRule.json" + "Creates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" } }, "tags": [ - "Actions" + "IncidentComments" ], - "description": "Creates or updates the action of alert rule.", - "operationId": "Actions_CreateOrUpdate", + "description": "Creates the incident comment.", + "operationId": "IncidentComments_CreateComment", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -382,204 +395,20 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/RuleId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/ActionId" + "$ref": "#/parameters/IncidentCommentId" }, { - "$ref": "#/parameters/Action" + "$ref": "#/parameters/IncidentComment" } ], "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/ActionResponse" - } - }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/ActionResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an action of alert rule.": { - "$ref": "./examples/actions/DeleteActionOfAlertRule.json" - } - }, - "tags": [ - "Actions" - ], - "description": "Delete the action of alert rule.", - "operationId": "Actions_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/RuleId" - }, - { - "$ref": "#/parameters/ActionId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates": { - "get": { - "x-ms-examples": { - "Get all alert rule templates.": { - "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplates.json" - } - }, - "tags": [ - "Alert Rule Templates" - ], - "description": "Gets all alert rule templates.", - "operationId": "AlertRuleTemplates_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/AlertRuleTemplatesList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}": { - "get": { - "x-ms-examples": { - "Get alert rule template by Id.": { - "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplateById.json" - } - }, - "tags": [ - "Alert Rule Templates" - ], - "description": "Gets the alert rule template.", - "operationId": "AlertRuleTemplates_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AlertRuleTemplateId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/AlertRuleTemplate" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { - "get": { - "x-ms-examples": { - "Get all bookmarks.": { - "$ref": "./examples/bookmarks/GetBookmarks.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Gets all bookmarks.", - "operationId": "Bookmarks_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/BookmarkList" + "$ref": "#/definitions/IncidentComment" } }, "default": { @@ -587,1600 +416,66 @@ "schema": { "$ref": "#/definitions/CloudError" } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { - "get": { - "x-ms-examples": { - "Get a bookmark.": { - "$ref": "./examples/bookmarks/GetBookmarkById.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Gets a bookmark.", - "operationId": "Bookmarks_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates a bookmark.": { - "$ref": "./examples/bookmarks/CreateBookmark.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Creates or updates the bookmark.", - "operationId": "Bookmarks_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/Bookmark" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete a bookmark.": { - "$ref": "./examples/bookmarks/DeleteBookmark.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Delete the bookmark.", - "operationId": "Bookmarks_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { - "get": { - "x-ms-examples": { - "Get all data connectors.": { - "$ref": "./examples/dataConnectors/GetDataConnectors.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Gets all data connectors.", - "operationId": "DataConnectors_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/DataConnectorList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { - "get": { - "x-ms-examples": { - "Get an Office365 data connector.": { - "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" - }, - "Get a TI data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" - }, - "Get a MCAS data connector.": { - "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" - }, - "Get a ASC data connector.": { - "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" - }, - "Get an AAD data connector.": { - "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" - }, - "Get an AwsCloudTrail data connector.": { - "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" - }, - "Get an AATP data connector.": { - "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" - }, - "Get a MDATP data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Gets a data connector.", - "operationId": "DataConnectors_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an Office365 data connector.": { - "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" - }, - "Creates or updates an Threat Intelligence Platform data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Creates or updates the data connector.", - "operationId": "DataConnectors_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - }, - { - "$ref": "#/parameters/DataConnector" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an Office365 data connector.": { - "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Delete the data connector.", - "operationId": "DataConnectors_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentCommentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK, Operation successfully completed", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Creates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - }, - { - "$ref": "#/parameters/IncidentComment" - } - ], - "responses": { - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - } - }, - "definitions": { - "AADDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents AAD (Azure Active Directory) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AADDataConnectorProperties", - "description": "AAD (Azure Active Directory) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureActiveDirectory" - }, - "AADDataConnectorProperties": { - "description": "AAD (Azure Active Directory) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "AATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AATPDataConnectorProperties", - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureAdvancedThreatProtection" - }, - "AATPDataConnectorProperties": { - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "ASCDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents ASC (Azure Security Center) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/ASCDataConnectorProperties", - "description": "ASC (Azure Security Center) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "ASC (Azure Security Center) data connector properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } - }, - "type": "object" - }, - "ActionRequest": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Action for alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ActionRequestProperties", - "description": "Action properties for put request", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "ActionPropertiesBase": { - "description": "Action property bag base.", - "properties": { - "logicAppResourceId": { - "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", - "type": "string" - } - }, - "required": [ - "logicAppResourceId" - ], - "type": "object" - }, - "ActionRequestProperties": { - "allOf": [ - { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "triggerUri": { - "description": "Logic App Callback URL for this specific workflow.", - "type": "string" - } - }, - "required": [ - "triggerUri" - ], - "type": "object" - }, - "ActionResponse": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Action for alert rule.", - "properties": { - "etag": { - "description": "Etag of the action.", - "type": "string" - }, - "properties": { - "$ref": "#/definitions/ActionResponseProperties", - "description": "Action properties for get request", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "ActionResponseProperties": { - "allOf": [ - { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "workflowId": { - "description": "The name of the logic app's workflow.", - "type": "string" - } - }, - "type": "object" - }, - "ActionsList": { - "description": "List all the actions.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of actions.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of actions.", - "items": { - "$ref": "#/definitions/ActionResponse" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRule": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Alert rule.", - "discriminator": "kind", - "required": [ - "kind" - ], - "properties": { - "kind": { - "$ref": "#/definitions/AlertRuleKind", - "description": "The alert rule kind" - } - }, - "type": "object" - }, - "AlertRuleKind": { - "description": "The kind of the alert rule", - "enum": [ - "Scheduled", - "MicrosoftSecurityIncidentCreation", - "Fusion" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertRuleKind", - "values": [ - { - "value": "Scheduled" - }, - { - "value": "MicrosoftSecurityIncidentCreation" - }, - { - "value": "Fusion" - } - ] - } - }, - "AlertRuleTemplateStatus": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - }, - "AlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Alert rule template.", - "discriminator": "kind", - "required": [ - "kind" - ], - "properties": { - "kind": { - "$ref": "#/definitions/AlertRuleKind", - "description": "The alert rule kind", - "type": "string" - } - }, - "type": "object" - }, - "AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" - }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rules.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "MicrosoftSecurityProductName": { - "description": "The alerts' productName on which the cases will be generated", - "enum": [ - "Microsoft Cloud App Security", - "Azure Security Center", - "Azure Advanced Threat Protection", - "Azure Active Directory Identity Protection", - "Azure Security Center for IoT" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "MicrosoftSecurityProductName" - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "$ref": "#/definitions/DataConnectorDataTypeCommon", - "description": "Alerts data type connection.", - "type": "object" - } - }, - "type": "object" - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "AwsCloudTrailDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Amazon Web Services CloudTrail data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", - "description": "Amazon Web Services CloudTrail data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AwsCloudTrailDataConnectorDataTypes": { - "description": "The available data types for Amazon Web Services CloudTrail data connector.", - "properties": { - "logs": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Logs data type.", - "type": "object" - } - }, - "type": "object" - }, - "AwsCloudTrailDataConnectorProperties": { - "description": "Amazon Web Services CloudTrail data connector properties.", - "properties": { - "awsRoleArn": { - "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "Bookmark": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a bookmark in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/BookmarkProperties", - "description": "Bookmark properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "BookmarkList": { - "description": "List all the bookmarks.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of bookmarks.", - "items": { - "$ref": "#/definitions/Bookmark" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "BookmarkProperties": { - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" - }, - "query": { - "description": "The query of the bookmark.", - "type": "string" - }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" - }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" - }, - "eventTime": { - "description": "The bookmark event time", - "format": "date-time", - "type": "string" - }, - "queryStartTime": { - "description": "The start time for the query", - "format": "date-time", - "type": "string" - }, - "queryEndTime": { - "description": "The end time for the query", - "format": "date-time", - "type": "string" - }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } - }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "CloudError": { - "x-ms-external": true, - "properties": { - "error": { - "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", - "description": "The error object of the CloudError response" - } - }, - "description": "An error response for a resource management request." - }, - "DataConnector": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Data connector.", - "discriminator": "kind", - "required": [ - "kind" - ], - "properties": { - "kind": { - "$ref": "#/definitions/DataConnectorKind", - "description": "The data connector kind" - } - }, - "type": "object" - }, - "DataConnectorDataTypeCommon": { - "description": "Common field for data type in data connectors.", - "properties": { - "state": { - "description": "Describe whether this data type connection is enabled or not.", - "enum": [ - "Enabled", - "Disabled" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataTypeState" - } - } - }, - "type": "object" - }, - "DataConnectorKind": { - "description": "The kind of the data connector", - "enum": [ - "AzureActiveDirectory", - "AzureSecurityCenter", - "MicrosoftCloudAppSecurity", - "ThreatIntelligence", - "Office365", - "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", - "MicrosoftDefenderAdvancedThreatProtection" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorKind", - "values": [ - { - "value": "AzureActiveDirectory" - }, - { - "value": "AzureSecurityCenter" - }, - { - "value": "MicrosoftCloudAppSecurity" - }, - { - "value": "ThreatIntelligence" - }, - { - "value": "Office365" - }, - { - "value": "AmazonWebServicesCloudTrail" - }, - { - "value": "AzureAdvancedThreatProtection" - }, - { - "value": "MicrosoftDefenderAdvancedThreatProtection" - } - ] - } - }, - "DataConnectorList": { - "description": "List all the data connectors.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of data connectors.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of data connectors.", - "items": { - "$ref": "#/definitions/DataConnector" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "DataConnectorTenantId": { - "description": "Properties data connector on tenant level.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - } - }, - "type": "object" - }, - "DataConnectorWithAlertsProperties": { - "description": "Data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "FusionAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Fusion alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/FusionAlertRuleProperties", - "description": "Fusion alert rule properties", - "x-ms-client-flatten": true + } } - }, - "type": "object", - "x-ms-discriminator-value": "Fusion" + } + } + }, + "definitions": { + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } }, - "FusionAlertRuleProperties": { - "description": "Fusion alert rule base property bag.", + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", + "email": { + "description": "The email of the client.", "type": "string" }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, + "name": { + "description": "The name of the client.", "type": "string" }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", "type": "string" }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, + "userPrincipalName": { + "description": "The user principal name of the client.", "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" } }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], "type": "object" }, - "FusionAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Fusion alert rule template.", - "properties": { - "properties": { - "$ref": "#/definitions/FusionAlertRuleTemplateProperties", - "description": "Fusion alert rule template properties", - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "FusionAlertRuleTemplateProperties": { - "description": "Represents Fusion alert rule template properties", + "CloudError": { + "x-ms-external": true, "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "format": "int32", - "type": "integer" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data connectors for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "$ref": "#/definitions/AlertRuleTemplateStatus", - "description": "The alert rule template status.", - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" + "error": { + "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", + "description": "The error object of the CloudError response" } }, - "type": "object" + "description": "An error response for a resource management request." }, "Incident": { "allOf": [ @@ -2566,289 +861,25 @@ "description": "An active incident which is being handled", "value": "Active" }, - { - "description": "A non-active incident", - "value": "Closed" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "Label": { - "description": "Label that will be used to tag and filter on.", - "type": "string" - }, - "MCASDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MCASDataConnectorProperties", - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASDataConnectorDataTypes": { - "allOf": [ - { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector" - } - ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "alerts": { - "$ref": "#/definitions/DataConnectorDataTypeCommon", - "description": "Alerts data type connection." - }, - "discoveryLogs": { - "$ref": "#/definitions/DataConnectorDataTypeCommon", - "description": "Discovery log data type connection." - } - }, - "type": "object" - }, - "MCASDataConnectorProperties": { - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/MCASDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "MDATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MDATPDataConnectorProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" - }, - "MDATPDataConnectorProperties": { - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents MicrosoftSecurityIncidentCreation rule.", - "properties": { - "properties": { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", - "description": "MicrosoftSecurityIncidentCreation rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" - }, - "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { - "description": "MicrosoftSecurityIncidentCreation rule common property bag.", - "properties": { - "displayNamesFilter": { - "description": "the alerts' displayNames on which the cases will be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "displayNamesExcludeFilter": { - "description": "the alerts' displayNames on which the cases will not be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "productFilter": { - "$ref": "#/definitions/MicrosoftSecurityProductName", - "description": "The alerts' productName on which the cases will be generated" - }, - "severitiesFilter": { - "description": "the alerts' severities on which the cases will be generated", - "items": { - "$ref": "#/definitions/AlertSeverity" - }, - "type": "array" - } - }, - "required": [ - "productFilter" - ], - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRuleProperties": { - "allOf": [ - { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" - } - ], - "description": "MicrosoftSecurityIncidentCreation rule property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "displayName", - "enabled", - "productFilter" - ], - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": { - "description": "MicrosoftSecurityIncidentCreation rule template properties", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "format": "int32", - "type": "integer" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data connectors for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "$ref": "#/definitions/AlertRuleTemplateStatus", - "description": "The alert rule template status.", - "type": "string" - }, - "displayNamesFilter": { - "description": "the alerts' displayNames on which the cases will be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "displayNamesExcludeFilter": { - "description": "the alerts' displayNames on which the cases will not be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "productFilter": { - "$ref": "#/definitions/MicrosoftSecurityProductName", - "description": "The alerts' productName on which the cases will be generated" + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } }, - "severitiesFilter": { - "description": "the alerts' severities on which the cases will be generated", - "items": { - "$ref": "#/definitions/AlertSeverity" - }, - "type": "array" + "title": { + "description": "The title of the incident", + "type": "string" } }, "required": [ - "productFilter" + "title", + "severity", + "status" ], "type": "object" }, - "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents MicrosoftSecurityIncidentCreation rule template.", - "properties": { - "properties": { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties", - "description": "MicrosoftSecurityIncidentCreation rule template properties", - "required": [ - "displayName", - "description", - "createdDateUTC", - "status", - "alertRulesCreatedByTemplateCount", - "productFilter" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" - }, "OfficeConsent": { "allOf": [ { @@ -2900,70 +931,6 @@ }, "type": "object" }, - "OfficeDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents office data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeDataConnectorProperties", - "description": "Office data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Office365" - }, - "OfficeDataConnectorDataTypes": { - "description": "The available data types for office data connector.", - "properties": { - "exchange": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Exchange data type connection.", - "type": "object" - }, - "sharePoint": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "SharePoint data type connection.", - "type": "object" - }, - "teams": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Teams data type connection.", - "type": "object" - } - }, - "type": "object" - }, - "OfficeDataConnectorProperties": { - "description": "Office data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/OfficeDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, "Operation": { "description": "Operation provided by provider", "properties": { @@ -3064,217 +1031,6 @@ }, "x-ms-azure-resource": true }, - "ScheduledAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents scheduled alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ScheduledAlertRuleProperties", - "description": "Scheduled alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" - }, - "ScheduledAlertRuleCommonProperties": { - "description": "Schedule alert rule template property bag.", - "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" - }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "format": "int32", - "type": "integer" - } - }, - "type": "object" - }, - "ScheduledAlertRuleProperties": { - "allOf": [ - { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert rule has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "suppressionDuration": { - "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", - "format": "duration", - "type": "string" - }, - "suppressionEnabled": { - "description": "Determines whether the suppression for this alert rule is enabled or disabled.", - "type": "boolean" - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "enabled", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold", - "suppressionEnabled", - "suppressionDuration" - ], - "type": "object" - }, - "ScheduledAlertRuleTemplateProperties": { - "description": "Scheduled alert rule template properties", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "format": "int32", - "type": "integer" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data connectors for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "$ref": "#/definitions/AlertRuleTemplateStatus", - "description": "The alert rule template status.", - "type": "string" - }, - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" - }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "format": "int32", - "type": "integer" - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "type": "object" - }, - "ScheduledAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents scheduled alert rule template.", - "properties": { - "properties": { - "$ref": "#/definitions/ScheduledAlertRuleTemplateProperties", - "description": "Scheduled alert rule template properties", - "required": [ - "displayName", - "description", - "status", - "alertRulesCreatedByTemplateCount", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" - }, "Settings": { "allOf": [ { @@ -3306,58 +1062,6 @@ "name": "SettingKind" } }, - "TIDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents threat intelligence data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/TIDataConnectorProperties", - "description": "TI (Threat Intelligence) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "TIDataConnectorDataTypes": { - "description": "The available data types for TI (Threat Intelligence) data connector.", - "properties": { - "indicators": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for indicators connection.", - "type": "object" - } - }, - "type": "object" - }, - "TIDataConnectorProperties": { - "description": "TI (Threat Intelligence) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "tipLookbackPeriod": { - "description": "The lookback period for the feed to be imported.", - "format": "date-time", - "type": "string", - "x-nullable": true - }, - "dataTypes": { - "$ref": "#/definitions/TIDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "type": "object" - }, "ThreatIntelligence": { "description": "ThreatIntelligence property bag.", "properties": { @@ -3557,24 +1261,6 @@ } }, "parameters": { - "Action": { - "description": "The action", - "in": "body", - "name": "action", - "required": true, - "schema": { - "$ref": "#/definitions/ActionRequest" - }, - "x-ms-parameter-location": "method" - }, - "ActionId": { - "description": "Action ID", - "in": "path", - "name": "actionId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "AggregationsName": { "description": "The aggregation name. Supports - Cases", "in": "path", @@ -3583,24 +1269,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "AlertRule": { - "description": "The alert rule", - "in": "body", - "name": "alertRule", - "required": true, - "schema": { - "$ref": "#/definitions/AlertRule" - }, - "x-ms-parameter-location": "method" - }, - "AlertRuleTemplateId": { - "description": "Alert rule template ID", - "in": "path", - "name": "alertRuleTemplateId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "ApiVersion": { "description": "API version for the operation", "enum": [ @@ -3611,24 +1279,6 @@ "required": true, "type": "string" }, - "Bookmark": { - "description": "The bookmark", - "in": "body", - "name": "bookmark", - "required": true, - "schema": { - "$ref": "#/definitions/Bookmark" - }, - "x-ms-parameter-location": "method" - }, - "BookmarkId": { - "description": "Bookmark ID", - "in": "path", - "name": "bookmarkId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "ConsentId": { "description": "consent ID", "in": "path", @@ -3637,24 +1287,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "DataConnector": { - "description": "The data connector", - "in": "body", - "name": "dataConnector", - "required": true, - "schema": { - "$ref": "#/definitions/DataConnector" - }, - "x-ms-parameter-location": "method" - }, - "DataConnectorId": { - "description": "Connector ID", - "in": "path", - "name": "dataConnectorId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "EntityId": { "description": "entity ID", "in": "path", @@ -3751,14 +1383,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "RuleId": { - "description": "Alert rule ID", - "in": "path", - "name": "ruleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "Settings": { "description": "The setting", "in": "body", diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index d92189ccdccb..5c706e04f486 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -59,7 +59,11 @@ These settings apply only when `--tag=package-2020-01` is specified on the comma ```yaml $(tag) == 'package-2020-01' input-file: +- Microsoft.SecurityInsights/stable/2020-01-01/AlertRules.json +- Microsoft.SecurityInsights/stable/2020-01-01/Bookmarks.json +- Microsoft.SecurityInsights/stable/2020-01-01/DataConnectors.json - Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json + directive: - suppress: R2059 from: Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json