diff --git a/custom-words.txt b/custom-words.txt
index b416a75696fc..6311920fe608 100644
--- a/custom-words.txt
+++ b/custom-words.txt
@@ -1874,6 +1874,8 @@ watchlists
 Watchlists
 watchlist
 Watchlist
+Stix
+STIX
 Mibps
 ntfs
 shamir_share
\ No newline at end of file
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 217a51c2fb4d..ac47cdd8aba1 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -3562,6 +3562,467 @@
 }
 }
 }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": {
+ "post": {
+ "x-ms-examples": {
+ "Create a new Threat Intelligence": {
+ "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Create a threat intelligence.",
+ "operationId": "CreateThreatIntelligence",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIndicatorObjectToUpsert"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": {
+ "get": {
+ "x-ms-examples": {
+ "Get all threat intelligence.": {
+ "$ref": "./examples/threatintelligence/GetThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Gets all threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicators_List",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ODataFilter"
+ },
+ {
+ "$ref": "#/parameters/ODataTop"
+ },
+ {
+ "$ref": "#/parameters/ODataSkipToken"
+ },
+ {
+ "$ref": "#/parameters/ODataOrderBy"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResourceList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": {
+ "get": {
+ "x-ms-examples": {
+ "Get a threat intelligence indicator by name.": {
+ "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Gets a threat intelligence indicator.",
+ "operationId": "ThreatIntelligenceIndicator_Get",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIdentifier"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Upsert the Threat Intelligence": {
+ "$ref": "./examples/threatintelligence/UpsertThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Upsert a threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicatorUpsert_Create",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIdentifier"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIndicatorObjectToUpsert"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete the Threat Intelligence": {
+ "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Delete a threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicator_Delete",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIdentifier"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": {
+ "post": {
+ "x-ms-examples": {
+ "Get all threat intelligence.": {
+ "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Query all threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicatorsList_Query",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceArmStixQuery"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResourceList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": {
+ "get": {
+ "x-ms-examples": {
+ "Get threat intelligence indicators metrics.": {
+ "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Get the threat intelligence metrics.",
+ "operationId": "ThreatIntelligenceIndicatorMetrics_Get",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIndicatorEntityKind"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceMetricResourceList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": {
+ "post": {
+ "x-ms-examples": {
+ "Append tags to a Threat Intelligence": {
+ "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Append tags to a threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicator_AppendTags",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIdentifier"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceAppendTagsRequestBody"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": {
+ "post": {
+ "x-ms-examples": {
+ "Replace tags to a Threat Intelligence": {
+ "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json"
+ }
+ },
+ "tags": [
+ "ThreatIntelligence"
+ ],
+ "description": "Replace tags to a threat intelligence.",
+ "operationId": "ThreatIntelligenceIndicator_ReplaceTags",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceIdentifier"
+ },
+ {
+ "$ref": "#/parameters/ThreatIntelligenceReplaceTagsModel"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceResource"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
 }
 },
 "definitions": {
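Review bot: `"operationId": "CreateThreatIntelligence"` on the createIndicator POST is the only operationId in this hunk without the `Group_Verb` form, and `ThreatIntelligenceIndicatorUpsert_Create` and `ThreatIntelligenceIndicatorsList_Query` each open a group of their own, so a generator that splits on the underscore will probably scatter the indicator write operations across several clients. Renaming them under one prefix, for example `"operationId": "ThreatIntelligenceIndicator_CreateIndicator"`, would keep create, upsert, delete and the tag operations together. The descriptions are also too thin for calls that change the indicator set detections match on: `"description": "Replace tags to a threat intelligence."` does not say whether existing tags are discarded, and appendTags returns a bare 200 while replaceTags returns the resource. The queryIndicators example reuses the key `"Get all threat intelligence."` from the list operation. No `If-Match` parameter is listed on the PUT or DELETE, so if the service relies on the resource etag to reject stale writes, the descriptions should say so.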
@@ -8207,706 +8668,1182 @@ } } }, - "required": [ - "kind" - ], + "required": [ + "kind" + ], + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object" + }, + "TIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "type": "object" + }, + "TICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents threat intelligence requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/TICheckRequirementsProperties", + "description": "TI (Threat Intelligence) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "TI (Threat Intelligence) requirements check properties.", + "properties": {}, + "type": "object" + }, + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence taxii data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence taxii client data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence taxii client data connector.", + "properties": { + "taxiiClient": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for taxii client.", + "type": "object" + } + }, + "type": "object" + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence taxii client data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", + "type": "string" + }, + "friendlyName": { + "description": "The friendly name for taxii client connector.", + "type": "string" + }, + "taxiiServer": { + "description": "The API 
root server for taxii client.", + "type": "string" + }, + "collectionId": { + "description": "The taxii collection id.", + "type": "string" + }, + "userName": { + "description": "The taxii server user name.", + "type": "string" + }, + "password": { + "description": "The taxii server password.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "TiTaxiiCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents threat intelligence requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", + "description": "Ti Taxii (Threat Intelligence Taxii) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence taxii client data connector properties.", + "type": "object" + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. 
\"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "EyesOn": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/EyesOnSettingsProperties", + "description": "EyesOn properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EyesOn" + }, + "EyesOnSettingsProperties": { + "description": "EyesOn property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } + }, "type": "object" }, - "TIDataConnector": { + "EntityAnalytics": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Settings" } ], - "description": "Represents threat intelligence data connector.", + "description": "Settings with single toggle.", "properties": { "properties": { - "$ref": "#/definitions/TIDataConnectorProperties", - "description": "TI (Threat Intelligence) data connector properties.", + "$ref": "#/definitions/EntityAnalyticsProperties", + "description": "EntityAnalytics properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" + "x-ms-discriminator-value": "EntityAnalytics" }, - "TIDataConnectorDataTypes": { - "description": "The available data types for TI (Threat Intelligence) data connector.", + "EntityAnalyticsProperties": { + "description": "EntityAnalytics property bag.", "properties": { - "indicators": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for indicators connection.", - "type": "object" + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": 
"boolean" } }, "type": "object" }, - "TIDataConnectorProperties": { + "Ueba": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/Settings" } ], - "description": "TI (Threat Intelligence) data connector properties.", + "description": "Settings with single toggle.", "properties": { - "dataTypes": { - "$ref": "#/definitions/TIDataConnectorDataTypes", - "description": "The available data types for the connector." + "properties": { + "$ref": "#/definitions/UebaProperties", + "description": "Ueba properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Ueba" + }, + "UebaProperties": { + "description": "Ueba property bag.", + "properties": { + "dataSources": { + "description": "The relevant data sources that enriched by ueba", + "items": { + "$ref": "#/definitions/UebaDataSources" + }, + "type": "array" } }, "type": "object" }, - "TICheckRequirements": { + "UebaDataSources": { + "description": "The data source that enriched by ueba.", + "enum": [ + "AuditLogs", + "AzureActivity", + "SecurityEvent", + "SigninLogs" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "UebaDataSources" + } + }, + "UrlEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/Entity" } ], - "description": "Represents threat intelligence requirements check request.", + "description": "Represents a url entity.", "properties": { "properties": { - "$ref": "#/definitions/TICheckRequirementsProperties", - "description": "TI (Threat Intelligence) requirements check properties.", + "$ref": "#/definitions/UrlEntityProperties", + "description": "Url entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" + "x-ms-discriminator-value": "Url" }, - "TICheckRequirementsProperties": { + "UrlEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": 
"#/definitions/EntityCommonProperties" } ], - "description": "TI (Threat Intelligence) requirements check properties.", - "properties": {}, + "description": "Url entity property bag.", + "properties": { + "url": { + "description": "A full URL the entity points to", + "readOnly": true, + "type": "string" + } + }, "type": "object" }, - "TiTaxiiDataConnector": { + "IoTDeviceEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Entity" } ], - "description": "Represents threat intelligence taxii data connector.", + "description": "Represents an IoT device entity.", "properties": { "properties": { - "$ref": "#/definitions/TiTaxiiDataConnectorProperties", - "description": "Threat intelligence taxii client data connector properties.", + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" - }, - "TiTaxiiDataConnectorDataTypes": { - "description": "The available data types for Threat Intelligence taxii client data connector.", - "properties": { - "taxiiClient": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for taxii client.", - "type": "object" - } - }, - "type": "object" + "x-ms-discriminator-value": "IoTDevice" }, - "TiTaxiiDataConnectorProperties": { + "IoTDeviceEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Threat Intelligence taxii client data connector properties.", + "description": "IoTDevice entity property bag.", "properties": { - "workspaceId": { - "description": "The workspace id.", + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, "type": "string" }, - "friendlyName": { - "description": "The friendly name for taxii client connector.", + "iotSecurityAgentId": { + 
"description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, "type": "string" }, - "taxiiServer": { - "description": "The API root server for taxii client.", + "deviceType": { + "description": "The type of the device", + "readOnly": true, "type": "string" }, - "collectionId": { - "description": "The taxii collection id.", + "vendor": { + "description": "The vendor of the device", + "readOnly": true, "type": "string" }, - "userName": { - "description": "The taxii server user name.", + "edgeId": { + "description": "The ID of the edge device", + "readOnly": true, + "type": "string" + }, + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, + "type": "string" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the IoTDevice entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + 
"values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", "type": "string" }, - "password": { - "description": "The taxii server password.", + "relationName": { + "description": "Relation Name", "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", - "description": "The available data types for the connector." } }, + "required": [ + "incidentId", + "severity", + "title", + "relationName" + ], "type": "object" }, - "TiTaxiiCheckRequirements": { + "WatchlistList": { + "description": "List all the watchlists.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist.", + "items": { + "$ref": "#/definitions/Watchlist" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Watchlist": { "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/ResourceWithEtag" } ], - "description": "Represents threat intelligence requirements check request.", + "description": "Represents a Watchlist in Azure Security Insights.", "properties": { "properties": { - "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", - "description": "Ti Taxii (Threat Intelligence Taxii) requirements check properties.", + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" - }, - "TiTaxiiCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" 
- } - ], - "description": "Threat Intelligence taxii client data connector properties.", "type": "object" }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", + "WatchlistProperties": { + "description": "Describes watchlist properties", "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - "format": "double", - "readOnly": true, - "type": "number" + "createdTimeUtc": { + "description": "The time the watchlist was created", + "format": "date-time", + "type": "string" }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", - "readOnly": true, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "displayName": { + "description": "The display name of the watchlist", "type": "string" }, - "reportLink": { - "description": "Report link", - "readOnly": true, + "watchlistType": { + "description": "The type of the watchlist", "type": "string" }, - "threatDescription": { - "description": "Threat description (free text)", - "readOnly": true, + "source": { + "description": "The source of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "source" + } + }, + "provider": { + "description": "The provider of the watchlist", "type": "string" }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", - "readOnly": true, + "description": { + "description": "A description of the watchlist", "type": "string" }, - "threatType": { - "description": "Threat type (e.g. 
\"Botnet\")", - "readOnly": true, + "tenantId": { + "description": "The tenantId where the watchlist belongs to.", + "type": "string" + }, + "workspaceId": { + "description": "The workspaceId where the watchlist belongs to.", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this watchlist", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the watchlist", + "type": "string" + }, + "lastUpdatedTimeUtc": { + "description": "The last time the watchlist was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", "type": "string" + }, + "watchlistItems": { + "description": "List of watchlist items.", + "items": { + "$ref": "#/definitions/WatchlistItem" + }, + "type": "array" } }, - "type": "object" - }, - "EyesOn": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } + "required": [ + "displayName", + "source", + "provider" ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/EyesOnSettingsProperties", - "description": "EyesOn properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "EyesOn" - }, - "EyesOnSettingsProperties": { - "description": "EyesOn property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } - }, "type": "object" }, - "EntityAnalytics": { + "WatchlistItem": { "allOf": [ { - "$ref": "#/definitions/Settings" + "$ref": "#/definitions/Resource" } ], - "description": "Settings with single toggle.", + "description": "Represents a Watchlist Item in Azure Security 
Insights.", "properties": { "properties": { - "$ref": "#/definitions/EntityAnalyticsProperties", - "description": "EntityAnalytics properties", + "$ref": "#/definitions/WatchlistItemProperties", + "description": "Watchlist item properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "EntityAnalytics" - }, - "EntityAnalyticsProperties": { - "description": "EntityAnalytics property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } - }, "type": "object" }, - "Ueba": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", + "WatchlistItemProperties": { + "description": "Describes watchlist item properties", "properties": { - "properties": { - "$ref": "#/definitions/UebaProperties", - "description": "Ueba properties", - "x-ms-client-flatten": true + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "watchlistItemName": { + "description": "Name of the watchlist item", + "type": "string" + }, + "watchlistItemPair": { + "description": "A key-value pair for a watchlist item", + "type": "object" + }, + "entityMapping": { + "description": "A key-value pair for a watchlist item entity mapping", + "type": "object" + }, + "tenantId": { + "description": "The tenantId to which this watchlist item belongs to", + "type": "string" + }, + "createdTimeUtc": { + "description": "The time the watchlist item was created", + "format": "date-time", + "type": "string" + }, + "lastUpdatedTimeUtc": { + "description": "The last time the watchlist item was updated", + "format": "date-time", + "type": "string" + }, + "timeToLiveUtc": { + "description": "The time to 
live for the watchlist item", + "format": "date-time", + "type": "string" + }, + "watchlistItemType": { + "description": "The type of the watchlist item", + "type": "string" + }, + "watchlistId": { + "description": "The watchlist id of the parent of this watchlist item", + "type": "string" } }, - "type": "object", - "x-ms-discriminator-value": "Ueba" + "required": [ + "watchlistId", + "watchlistItemPair" + ], + "type": "object" }, - "UebaProperties": { - "description": "Ueba property bag.", + "ThreatIntelligenceResourceList": { + "description": "List of all the threat intelligence entities.", "properties": { - "dataSources": { - "description": "The relevant data sources that enriched by ueba", + "nextLink": { + "description": "URL to fetch the next set of entities.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of threat intelligence entities.", "items": { - "$ref": "#/definitions/UebaDataSources" + "$ref": "#/definitions/ThreatIntelligenceResource" }, "type": "array" } }, - "type": "object" + "required": [ + "value" + ] }, - "UebaDataSources": { - "description": "The data source that enriched by ueba.", - "enum": [ - "AuditLogs", - "AzureActivity", - "SecurityEvent", - "SigninLogs" + "ThreatIntelligenceResource": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/ThreatIntelligenceResourceKind" + } ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "UebaDataSources" - } + "description": "Threat intelligence resource.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] }, - "UrlEntity": { + "ThreatIntelligenceIndicatorModel": { "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "#/definitions/ThreatIntelligenceResource" } ], - "description": "Represents a url entity.", + "description": "Threat intelligence indicator entity.", "properties": { "properties": { - "$ref": "#/definitions/UrlEntityProperties", - "description": "Url entity 
properties", + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Url" + "x-ms-discriminator-value": "indicator" }, - "UrlEntityProperties": { + "ThreatIntelligenceIndicatorWithoutReadOnlyFields": { "allOf": [ { - "$ref": "#/definitions/EntityCommonProperties" + "$ref": "#/definitions/ThreatIntelligenceResourceKind" } ], - "description": "Url entity property bag.", + "description": "Threat intelligence indicator entity.", "properties": { - "url": { - "description": "A full URL the entity points to", - "readOnly": true, + "etag": { + "description": "Etag of the azure resource", "type": "string" + }, + "properties": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "indicator" }, - "IoTDeviceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an IoT device entity.", + "ThreatIntelligenceResourceKind": { + "description": "Describes an entity with kind.", "properties": { - "properties": { - "$ref": "#/definitions/IoTDeviceEntityProperties", - "description": "IoTDevice entity properties", - "x-ms-client-flatten": true + "kind": { + "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind", + "description": "The kind of the entity." 
} }, - "type": "object", - "x-ms-discriminator-value": "IoTDevice" + "required": [ + "kind" + ], + "type": "object" }, - "IoTDeviceEntityProperties": { + "ThreatIntelligenceResourceInnerKind": { + "description": "The kind of the threat intelligence entity", + "enum": [ + "indicator" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceResourceKind", + "values": [ + { + "description": "Entity represents threat intelligence indicator in the system.", + "value": "indicator" + } + ] + } + }, + "ThreatIntelligenceIndicatorProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "IoTDevice entity property bag.", + "description": "Describes threat intelligence entity properties", "properties": { - "deviceId": { - "description": "The ID of the IoT Device in the IoT Hub", - "readOnly": true, - "type": "string" + "threatIntelligenceTags": { + "description": "List of tags", + "items": { + "description": "tag", + "type": "string" + }, + "type": "array" }, - "iotSecurityAgentId": { - "description": "The ID of the security agent running on the device", - "format": "uuid", - "readOnly": true, + "lastUpdatedTimeUtc": { + "description": "Last updated time in UTC", "type": "string" }, - "deviceType": { - "description": "The type of the device", - "readOnly": true, + "source": { + "description": "Source of a threat intelligence entity", "type": "string" }, - "vendor": { - "description": "The vendor of the device", - "readOnly": true, + "displayName": { + "description": "Display name of a threat intelligence entity", "type": "string" }, - "edgeId": { - "description": "The ID of the edge device", - "readOnly": true, + "description": { + "description": "Description of a threat intelligence entity", "type": "string" }, - "iotHubEntityId": { - "description": "The AzureResource entity id of the IoT Hub", - "readOnly": true, + "indicatorTypes": { + "description": "Indicator types of threat intelligence 
entities", + "items": { + "description": "Indicator type of a threat intelligence entity", + "type": "string" + }, + "type": "array" + }, + "pattern": { + "description": "Pattern of a threat intelligence entity", "type": "string" }, - "hostEntityId": { - "description": "The Host entity id of this device", - "readOnly": true, + "patternType": { + "description": "Pattern type of a threat intelligence entity", "type": "string" }, - "threatIntelligence": { - "description": "A list of TI contexts attached to the IoTDevice entity.", + "killChainPhases": { + "description": "Kill chain phases", "items": { - "$ref": "#/definitions/ThreatIntelligence" + "description": "Kill chain phase", + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" }, - "readOnly": true, "type": "array" - } - }, - "type": "object" - }, - "UserInfo": { - "description": "User information that made some action", - "properties": { - "email": { - "description": "The email of the user.", - "readOnly": true, - "type": "string" }, - "name": { - "description": "The name of the user.", - "readOnly": true, + "externalId": { + "description": "External ID of threat intelligence entity", "type": "string" }, - "objectId": { - "description": "The object id of the user.", - "format": "uuid", - "type": "string", - "x-nullable": true - } - }, - "type": "object" - }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", - "properties": { - "incidentId": { - "description": "Incident Id", + "createdByRef": { + "description": "Created by reference of threat intelligence entity", "type": "string" }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - 
"description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } + "externalReferences": { + "description": "External References", + "items": { + "description": "external_reference", + "type": "string" + }, + "type": "array" }, - "title": { - "description": "The title of the incident", - "type": "string" + "granularMarkings": { + "description": "Granular Markings", + "items": { + "description": "Granular marking", + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + }, + "type": "array" }, - "relationName": { - "description": "Relation Name", - "type": "string" - } - }, - "required": [ - "incidentId", - "severity", - "title", - "relationName" - ], - "type": "object" - }, - "WatchlistList": { - "description": "List all the watchlists.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of watchlists.", - "readOnly": true, - "type": "string" + "revoked": { + "description": "Is threat intelligence entity revoked", + "type": "boolean" }, - "value": { - "description": "Array of watchlist.", + "confidence": { + "description": "Confidence of threat intelligence entity", + "type": "integer", + "format": "int32" + }, + "labels": { + "description": "Labels of threat intelligence entity", "items": { - "$ref": "#/definitions/Watchlist" + "description": "label", + "type": "string" + }, + "type": "array" + }, + "threatTypes": { + "description": "Threat types", + "items": { + "description": "Threat type", + "type": "string" }, "type": "array" + }, + "validFrom": { + "description": "Valid from", + "type": "string" + }, + "validUntil": { + "description": "Valid until", + "type": "string" + }, + "created": { + "description": "Created by", + "type": "string" + }, + "modified": { + "description": "Modified by", + "type": "string" } }, - "required": [ - "value" - ] + "type": "object" }, - "Watchlist": { - 
"allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a Watchlist in Azure Security Insights.", + "ThreatIntelligenceKillChainPhase": { + "description": "Describes threat kill chain phase entity", "properties": { - "properties": { - "$ref": "#/definitions/WatchlistProperties", - "description": "Watchlist properties", - "x-ms-client-flatten": true + "killChainName": { + "description": "Kill chainName name", + "type": "string" + }, + "phaseName": { + "description": "Phase name", + "type": "integer", + "format": "int32" } }, "type": "object" }, - "WatchlistProperties": { - "description": "Describes watchlist properties", + "ThreatIntelligenceGranularMarkingModel": { + "description": "Describes threat granular marking model entity", "properties": { - "createdTimeUtc": { - "description": "The time the watchlist was created", - "format": "date-time", + "language": { + "description": "Language granular marking model", "type": "string" }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist", - "type": "object" - }, - "displayName": { - "description": "The display name of the watchlist", - "type": "string" + "markingRef": { + "description": "marking reference granular marking model", + "type": "integer", + "format": "int32" }, - "watchlistType": { - "description": "The type of the watchlist", - "type": "string" + "selectors": { + "description": "granular marking model selectors", + "items": { + "description": "granular marking model selector", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceArmStixQuery": { + "description": "Describes threat intelligence ARM STIX query", + "properties": { + "pageSize": { + "description": "Page size", + "type": "integer", + "format": "int32" }, - "source": { - "description": "The source of the watchlist", - "enum": [ - "Local file", - "Remote storage" - ], - "type": "string", - "x-ms-enum": 
{ - "modelAsString": true, - "name": "source" - } + "minConfidence": { + "description": "Minimum confidence", + "type": "integer", + "format": "int32" }, - "provider": { - "description": "The provider of the watchlist", - "type": "string" + "maxConfidence": { + "description": "Maximum confidence", + "type": "integer", + "format": "int32" }, - "description": { - "description": "A description of the watchlist", + "minValidUntil": { + "description": "Minimum Valid until", "type": "string" }, - "tenantId": { - "description": "The tenantId where the watchlist belongs to.", + "maxValidUntil": { + "description": "Maximum Valid until", "type": "string" }, - "workspaceId": { - "description": "The workspaceId where the watchlist belongs to.", - "type": "string" + "includeDisabled": { + "description": "To include disabled indicators", + "type": "boolean" }, - "labels": { - "description": "List of labels relevant to this watchlist", + "sortBy": { + "description": "List of Sort rules", "items": { - "$ref": "#/definitions/Label" + "description": "Sort By", + "$ref": "#/definitions/ThreatIntelligenceArmStixSortBy" }, "type": "array" }, - "notes": { - "description": "The notes of the watchlist", - "type": "string" + "sources": { + "description": "Sources of a threat intelligence entity", + "items": { + "description": "Source", + "type": "string" + }, + "type": "array" }, - "lastUpdatedTimeUtc": { - "description": "The last time the watchlist was updated", - "format": "date-time", - "type": "string" + "patternTypes": { + "description": "Pattern types", + "items": { + "description": "Pattern type", + "type": "string" + }, + "type": "array" }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist", - "type": "object" + "threatTypes": { + "description": "Threat types", + "items": { + "description": "Threat type", + "type": "string" + }, + "type": "array" }, - "defaultDuration": { - "description": "The default duration of a 
watchlist (in ISO 8601 duration format)", - "format": "duration", - "type": "string" + "ids": { + "description": "Ids of threat intelligence entities", + "items": { + "description": "Id of a threat intelligence entity", + "type": "string" + }, + "type": "array" }, - "watchlistItems": { - "description": "List of watchlist items.", + "keywords": { + "description": "Keywords of threat intelligence entities", "items": { - "$ref": "#/definitions/WatchlistItem" + "description": "keyword of a threat intelligence entity", + "type": "string" }, "type": "array" + }, + "skipToken": { + "description": "Skip Token", + "type": "string" } }, - "required": [ - "displayName", - "source", - "provider" - ], "type": "object" }, - "WatchlistItem": { - "allOf": [ - { - "$ref": "#/definitions/Resource" + "ThreatIntelligenceArmStixSortBy": { + "description": "Describes an threat intelligence ARM STIX Sort By", + "properties": { + "itemKey": { + "description": "Item key", + "type": "string" + }, + "sortOrder": { + "$ref": "#/definitions/ThreatIntelligenceArmStixSortOrder", + "description": "Sort order." 
} + }, + "type": "object" + }, + "ThreatIntelligenceArmStixSortOrder": { + "description": "Describes an threat intelligence ARM STIX Sort Order", + "enum": [ + "unsorted", + "ascending", + "descending" ], - "description": "Represents a Watchlist Item in Azure Security Insights.", + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceArmStixSortBy", + "values": [ + { + "value": "unsorted" + }, + { + "value": "ascending" + }, + { + "value": "descending" + } + ] + } + }, + "ThreatIntelligenceAppendTagsRequestBody": { + "description": "Describes threat intelligence indicator append tags request body", "properties": { - "properties": { - "$ref": "#/definitions/WatchlistItemProperties", - "description": "Watchlist item properties", - "x-ms-client-flatten": true + "threatIntelligenceTags": { + "description": "List of threat intelligence tags", + "items": { + "description": "parameter", + "type": "string" + }, + "type": "array" } }, "type": "object" }, - "WatchlistItemProperties": { - "description": "Describes watchlist item properties", + "ThreatIntelligenceMetricResourceList": { + "description": "List of all the threat intelligence metric resource.", + "properties": { + "value": { + "description": "Array of threat intelligence metrics resource.", + "items": { + "$ref": "#/definitions/ThreatIntelligenceMetricResource" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "ThreatIntelligenceMetricResource": { + "description": "Threat intelligence metric resource.", + "properties": { + "properties": { + "description": "Threat intelligence metric.", + "$ref": "#/definitions/ThreatIntelligenceMetric" + } + } + }, + "ThreatIntelligenceMetric": { + "description": "Describes threat intelligence metric", "properties": { - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": 
"Describes a user that updated the watchlist", - "type": "object" - }, - "watchlistItemName": { - "description": "Name of the watchlist item", - "type": "string" - }, - "watchlistItemPair": { - "description": "A key-value pair for a watchlist item", - "type": "object" - }, - "entityMapping": { - "description": "A key-value pair for a watchlist item entity mapping", - "type": "object" - }, - "tenantId": { - "description": "The tenantId to which this watchlist item belongs to", - "type": "string" - }, - "createdTimeUtc": { - "description": "The time the watchlist item was created", - "format": "date-time", - "type": "string" - }, "lastUpdatedTimeUtc": { - "description": "The last time the watchlist item was updated", - "format": "date-time", + "description": "Time Metric", "type": "string" }, - "timeToLiveUtc": { - "description": "The time to live for the watchlist item", - "format": "date-time", - "type": "string" + "threatTypeMetrics": { + "description": "Threat type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" }, - "watchlistItemType": { - "description": "The type of the watchlist item", - "type": "string" + "patternTypeMetrics": { + "description": "Pattern type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" }, - "watchlistId": { - "description": "The watchlist id of the parent of this watchlist item", + "sourceMetrics": { + "description": "Source metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricEntity": { + "description": "Describes threat intelligence metric entity", + "properties": { + "metricName": { + "description": "Metric name", "type": "string" + }, + "metricValue": { + "description": "Metric value", + "type": "integer", + "format": "int32" } 
}, - "required": [ - "watchlistId", - "watchlistItemPair" - ], "type": "object" } }, @@ -9268,6 +10205,62 @@ "$ref": "#/definitions/Watchlist" }, "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIdentifier": { + "description": "Threat Intelligence Identifier", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIndicatorObjectToUpsert": { + "description": "The threat intelligence entity properties for upsert", + "in": "body", + "name": "ThreatIntelligenceIndicatorObjectToUpsert", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorWithoutReadOnlyFields" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceReplaceTagsModel": { + "description": "The threat intelligence entity properties for updating tags", + "in": "body", + "name": "ThreatIntelligenceReplaceTagsModel", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorWithoutReadOnlyFields" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceArmStixQuery": { + "description": "The threat intelligence ARM STIX query", + "in": "body", + "name": "ThreatIntelligenceArmStixQuery", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceArmStixQuery" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIndicatorEntityKind": { + "description": "The threat intelligence entity kind", + "in": "query", + "name": "ctiEntityKind", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceAppendTagsRequestBody": { + "description": "The threat intelligence append tags request body", + "in": "body", + "name": "ThreatIntelligenceAppendTagsRequestBody", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceAppendTagsRequestBody" + }, + "x-ms-parameter-location": "method" } } } 
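Review bot: The `ThreatIntelligenceReplaceTagsModel` body parameter is described as "for updating tags", but its schema is the full `ThreatIntelligenceIndicatorWithoutReadOnlyFields` model, so the contract lets a tag-replacement call carry `pattern`, `confidence`, `revoked`, `validUntil` and every other writable indicator field. Whether the service ignores those fields is not visible here, but a narrower body would make the intended write surface explicit. If only tags are meant to change, point the schema at a tags-only model, for example `"$ref": "#/definitions/ThreatIntelligenceAppendTagsRequestBody"`, or state in the description which fields are honoured. In the same hunk, `ThreatIntelligenceIndicatorEntityKind` (`ctiEntityKind`) is a free-form string even though `indicator` is the only kind the spec defines; adding `"enum": ["indicator"]` would let clients and validators reject unknown kinds early.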
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json
new file mode 100644
index 000000000000..127198b2179d
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json
@@ -0,0 +1,19 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93",
+ "ThreatIntelligenceAppendTagsRequestBody": {
+ "threatIntelligenceTags": [
+ "tag1",
+ "tag2"
+ ]
+ }
+ },
+ "responses": {
+ "200": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json
new file mode 100644
index 000000000000..2755c5120c4f
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json
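Review bot: The `operationalInsightsResourceProvider` value in this example is misspelled as `Microsoft.OperationalIinsights` (doubled "i"), while the response `id` values in the sibling examples use `Microsoft.OperationalInsights`. The same value appears in the CollectThreatIntelligenceMetrics, CreateThreatIntelligence, DeleteThreatIntelligence, GetThreatIntelligence and GetThreatIntelligenceById examples added by this commit. Anyone copying the example into a request would address a provider namespace that does not match the resource IDs returned, so the line should read `"operationalInsightsResourceProvider": "Microsoft.OperationalInsights",` in each file.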
@@ -0,0 +1,44 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "properties": {
+ "lastUpdatedTimeUtc": "2020-09-01T19:44:44.117403Z",
+ "threatTypeMetrics": [
+ {
+ "metricName": "compromised",
+ "metricValue": 20
+ }
+ ],
+ "patternTypeMetrics": [
+ {
+ "metricName": "url",
+ "metricValue": 20
+ }
+ ],
+ "sourceMetrics": [
+ {
+ "metricName": "Azure Sentinel",
+ "metricValue": 10315
+ },
+ {
+ "metricName": "zinga",
+ "metricValue": 2
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CreateThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CreateThreatIntelligence.json
new file mode 100644
index 000000000000..1b6935e0a3b7
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/CreateThreatIntelligence.json
@@ -0,0 +1,101 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "ThreatIntelligenceIndicatorObjectToUpsert": {
+ "kind": "indicator",
+ "properties": {
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "confidence": 78,
+ "createdByRef": "contoso@contoso.com",
+ "description": "debugging indicators",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "labels": [],
+ "modified": "",
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "revoked": false,
+ "validFrom": "2020-04-15T17:44:00.114052Z",
+ "validUntil": ""
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T20:20:38.6160949Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T20:20:38.6160949Z",
+ "createdByRef": "aztestConnectors@contoso.com",
+ "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json
new file mode 100644
index 000000000000..76f6009ce7ec
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligence.json
new file mode 100644
index 000000000000..ceec827d2de5
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligence.json
@@ -0,0 +1,77 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
+ "name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
+ "etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 90,
+ "created": "2020-04-15T20:11:57.9666134Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema 2",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ },
+ {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T19:51:17.1050923Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "patching tags"
+ ],
+ "displayName": "updated indicator",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json
new file mode 100644
index 000000000000..a3185f2a44bb
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json
@@ -0,0 +1,44 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T19:51:17.1050923Z",
+ "createdByRef": "aztestConnectors@dataconnector.ccsctp.net",
+ "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:18:49.2259902Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "patching tags"
+ ],
+ "displayName": "updated indicator",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://abc.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/QueryThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/QueryThreatIntelligence.json
new file mode 100644
index 000000000000..da7b93120aa6
--- /dev/null
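Review bot: In GetThreatIntelligenceById.json the response's `createdByRef` is `aztestConnectors@dataconnector.ccsctp.net`, which reads like a real test-tenant account rather than the `contoso@contoso.com` placeholder the list example uses. Published spec examples should not carry internal identities, so `"createdByRef": "contoso@contoso.com"` is the safer value; the same address appears in the response of ReplaceTagsThreatIntelligence.json. The `pattern` here also points at `https://abc.com`, which is not a reserved example domain, next to `threatTypes` of `compromised`; using `[url:value = 'https://www.contoso.com']`, as the other examples do, avoids labelling a third-party site as an indicator.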
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/QueryThreatIntelligence.json 
@@ -0,0 +1,93 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "ThreatIntelligenceArmStixQuery": {
+ "pageSize": 100,
+ "minConfidence": 25,
+ "maxConfidence": 80,
+ "minValidUntil": "2020-04-05T17:44:00.114052Z",
+ "maxValidUntil": "2020-04-25T17:44:00.114052Z",
+ "sources": [
+ "Azure Sentinel"
+ ],
+ "sortBy": [
+ {
+ "itemKey": "lastUpdatedTimeUtc",
+ "sortOrder": "descending"
+ }
+ ]
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
+ "name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
+ "etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 90,
+ "created": "2020-04-15T20:11:57.9666134Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema 2",
+ "description": "debugging indicators 2",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ },
+ {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T19:51:17.1050923Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "patching tags"
+ ],
+ "displayName": "updated indicator",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json
new file mode 100644
index 000000000000..c2bd89dcf026
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json
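Review bot: The sample response in QueryThreatIntelligence.json does not satisfy its own request filter: the query sets `"maxConfidence": 80`, yet the first returned indicator has `"confidence": 90`. Readers use this example to learn how the confidence bounds behave, so either raise the bound to `"maxConfidence": 90` or drop that item from `value`. The request also filters on `minValidUntil`/`maxValidUntil` while neither returned indicator carries a `validUntil`; whether indicators without an expiry match that filter cannot be told from the diff, and a sentence in the operation's description would settle it.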
@@ -0,0 +1,53 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93",
+ "ThreatIntelligenceReplaceTagsModel": {
+ "etag": "\"0000262c-0000-0800-0000-5e9767060000\"",
+ "kind": "indicator",
+ "properties": {
+ "threatIntelligenceTags": [
+ "patching tags"
+ ]
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
+ "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T19:51:17.1050923Z",
+ "createdByRef": "aztestConnectors@dataconnector.ccsctp.net",
+ "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T19:56:08.828946Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "patching tags"
+ ],
+ "displayName": "updated indicator",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://abc.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ }
+ }
+}
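Review bot: The request and response in ReplaceTagsThreatIntelligence.json describe different indicators: the `name` parameter is `d9cd6f0b-96b9-3984-17cd-a779d1e15a93`, but the returned resource is `e16ef847-962e-d7b6-9c8b-a33e4bd30e47`. As written, the example suggests that replacing tags on one indicator returns another, so the parameter should be `"name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47"`. The request `etag` presumably acts as an optimistic-concurrency check; if so, the description of `ThreatIntelligenceReplaceTagsModel` should say what the service does when it no longer matches.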
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/UpsertThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/UpsertThreatIntelligence.json
new file mode 100644
index 000000000000..0b8345af8e3b
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/threatintelligence/UpsertThreatIntelligence.json
@@ -0,0 +1,102 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93",
+ "ThreatIntelligenceIndicatorObjectToUpsert": {
+ "kind": "indicator",
+ "properties": {
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "confidence": 78,
+ "createdByRef": "contoso@contoso.com",
+ "description": "debugging indicators",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "labels": [],
+ "modified": "",
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "revoked": false,
+ "validFrom": "2020-04-15T17:44:00.114052Z",
+ "validUntil": ""
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T20:20:38.6160949Z",
+ "createdByRef": "contoso@contoso.com",
+ "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
+ "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
+ "type": "Microsoft.SecurityInsights/ThreatIntelligence",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 78,
+ "created": "2020-04-15T20:20:38.6160949Z",
+ "createdByRef": "aztestConnectors@contoso.com",
+ "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
+ "externalReferences": [],
+ "granularMarkings": [],
+ "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
+ "revoked": false,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": [
+ "new schema"
+ ],
+ "displayName": "new schema",
+ "description": "debugging indicators",
+ "threatTypes": [
+ "compromised"
+ ],
+ "killChainPhases": [],
+ "pattern": "[url:value = 'https://www.contoso.com']",
+ "patternType": "url",
+ "validFrom": "2020-04-15T17:44:00.114052Z"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/readme.go.md b/specification/securityinsights/resource-manager/readme.go.md
index 0d9fb50cbd7c..0398622f6b2f 100644
--- a/specification/securityinsights/resource-manager/readme.go.md
+++ b/specification/securityinsights/resource-manager/readme.go.md
@@ -23,7 +23,7 @@ These settings apply only when `--tag=package-composite-v1 --go` is specified on Please also specify `--go-sdk-folder=`. ```yaml $(tag) == 'package-composite-v1' && $(go) -output-folder: $(go-sdk-folder)/services/preview/$(namespace)/mgmt/v1.0/$(namespace) +output-folder: $(go-sdk-folder)/services/$(namespace)/mgmt/v1.0/$(namespace) ``` ### Tag: package-2019-01-preview-only and go 
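Review bot: The request body in UpsertThreatIntelligence.json sends `"modified": ""` and `"validUntil": ""`, empty strings in fields that sit next to RFC 3339 timestamps such as `validFrom`. An empty expiry is ambiguous for consumers (never expires versus not set), so the two keys are better omitted from the example or given real timestamps. The `200` and `201` bodies also differ only in `createdByRef` (`contoso@contoso.com` against `aztestConnectors@contoso.com`), and the request `name` `d9cd6f0b-96b9-3984-17cd-a779d1e15a93` does not match the returned `180105c7-a28d-b1a2-4a78-234f6ec80fd6`; aligning these would keep the example self-consistent.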
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index cd5084a2b127..a0f8dae7ca0e 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -52,6 +52,12 @@ These settings apply only when `--tag=package-2019-01-preview-only` is specified ```yaml $(tag) == 'package-2019-01-preview-only' input-file: - Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +directive: + - suppress: R4017 + from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json + where: $.definitions.ThreatIntelligenceResource + reason: Our API is designed based on per region per workspace concept. There is no use case of our customers to get all indicators in multiple workspaces. + approved-by: "@cheggert" ``` ---